Malicious Dependencies

Note: This capability is currently in Early Access (EA) and is not generally available. To request access, please contact OX technical support.

The Malicious Dependency policy helps you maintain supply-chain security by ensuring that every component in your SBOM is trustworthy.

It prevents known malicious code from being deployed and protects your environment from hidden threats that live inside third-party libraries.

The policy flags any library or package that is known or suspected to contain malware, backdoors or other malicious code.

When a vulnerable or compromised dependency is referenced in the code, OX Security flags it and creates an issue recommending its removal or replacement before deploying to production.

Viewing Malicious Dependencies in OX Security

When you select a Malicious Dependencies issue in the SBOM page or the Active Issues page, you can view the information you need to triage and remediate.

To view Malicious Dependency issues in SBOM:

  • Go to SBOM and then from the Filter panel, select Issues > Malicious.

Malicious Dependencies in SBOM
  • The SBOM Safe column shows that malware was detected in this item.

  • The SBOM CVE column displays the number of CVEs identified for this item. Clicking on this number opens the relevant issue in the Active Issues page.

To open a Malicious Dependency issue:

  • Go to Active Issues and then from the Filter panel, select Policy > Malicious dependency in code.

Use the following details to understand what was detected, why it received its severity rating, and how to prioritize your response:

  • Issue title and policy name showing that Malicious Dependencies triggered this alert.

  • Short description identifying the matched malware signature along with the package name, version and source registry.

  • Detailed description under More info.

  • An ℹ️ icon next to the severity badge.

  • Category label indicating the threat category (for example, malware or supply-chain risk). The attack categories OX Security uses are listed below.

Attack Category                              Example and Description
-------------------------------------------  ------------------------------------------------------------------
Typosquatting (Lookalike Packages)           crossenv (malicious) vs. cross-env (legitimate); stole AWS keys
Protestware / Sabotage                       node-ipc, deleted files on systems with Russian/Belarusian IPs
Credential Theft / Exfiltration              pymafka, sent AWS keys to the attacker
Backdoors / Remote Code Execution (RCE)      coa, included malicious payloads to execute remote commands
Postinstall Scripts Abuse                    loadyaml, exfiltrated environment variables during npm install
Dependency Chain Hijacks                     event-stream, maintainer handed control to attacker
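The policy described above matches SBOM components against known-malicious package signatures and flags lookalike names. The following is an added illustration of that kind of check, not OX Security's own code: it reads a CycloneDX JSON SBOM, flags components that appear in a constructed blocklist (built from the package names in the table above, with "*" standing for every version), and flags names within one edit of a constructed list of popular packages as possible typosquats. The blocklist, the popular-package list, the sample SBOM and all version numbers in it are constructed for the example.

```python
"""Scan a CycloneDX JSON SBOM for known-malicious and lookalike packages.

Added example (not OX Security code). Package lists and the sample SBOM
are constructed for illustration; versions are not real advisory data.
"""
from urllib.parse import unquote

# Constructed blocklist: ecosystem -> {package name: "*" or set of versions}.
MALICIOUS_PACKAGES = {
    "npm": {
        "crossenv": "*",       # typosquat of cross-env
        "coa": "*",
        "loadyaml": "*",
        "event-stream": "*",
        "node-ipc": "*",
    },
    "pypi": {
        "pymafka": "*",
    },
}

# Constructed list of legitimate, widely used packages per ecosystem,
# used as the reference set for lookalike (typosquat) detection.
POPULAR_PACKAGES = {
    "npm": {"cross-env", "lodash", "express", "react"},
    "pypi": {"pykafka", "requests", "numpy"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split a package URL such as pkg:npm/%40scope/name@1.2.3 into
    (ecosystem, name, version). Qualifiers after '?' are ignored."""
    body = purl[len("pkg:"):].split("?", 1)[0]
    ecosystem, _, rest = body.partition("/")
    if "@" in rest:
        name, _, version = rest.rpartition("@")
    else:
        name, version = rest, ""
    return ecosystem, unquote(name), version


def _normalize(name: str) -> str:
    """Collapse separators so cross-env, cross_env and crossenv compare equal."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def scan_sbom(sbom: dict) -> list[dict]:
    """Return one finding per suspicious component in a CycloneDX SBOM."""
    findings = []
    for comp in sbom.get("components", []):
        if "purl" not in comp:
            continue
        eco, name, version = parse_purl(comp["purl"])
        affected = MALICIOUS_PACKAGES.get(eco, {}).get(name)
        if affected is not None and (affected == "*" or version in affected):
            findings.append({"name": name, "version": version, "ecosystem": eco,
                             "category": "known-malicious",
                             "detail": "matches malicious-package blocklist"})
            continue
        for legit in POPULAR_PACKAGES.get(eco, ()):
            if name == legit:
                break  # the real package; nothing to flag
            if _normalize(name) == _normalize(legit) or edit_distance(name, legit) <= 1:
                findings.append({"name": name, "version": version, "ecosystem": eco,
                                 "category": "lookalike",
                                 "detail": f"resembles popular package {legit!r}"})
                break
    return findings


# Constructed sample SBOM; versions are placeholders, not advisory data.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "cross-env", "version": "1.0.0", "purl": "pkg:npm/cross-env@1.0.0"},
        {"type": "library", "name": "crossenv", "version": "1.0.0", "purl": "pkg:npm/crossenv@1.0.0"},
        {"type": "library", "name": "event-stream", "version": "2.0.0", "purl": "pkg:npm/event-stream@2.0.0"},
        {"type": "library", "name": "requets", "version": "1.0.0", "purl": "pkg:pypi/requets@1.0.0"},
        {"type": "library", "name": "lodash", "version": "4.0.0", "purl": "pkg:npm/lodash@4.0.0"},
    ],
}

if __name__ == "__main__":
    for f in scan_sbom(SAMPLE_SBOM):
        print(f"{f['category']:16} {f['ecosystem']}/{f['name']}@{f['version']}: {f['detail']}")
```

A real deployment would replace the constructed blocklist with a continuously updated advisory feed and would pin affected version ranges rather than "*"; the lookalike check is deliberately conservative (one edit or separator-only differences) to keep false positives low.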

Disabling the Malicious Dependencies policy

By default, the Malicious Dependencies policy is enabled. You can disable it at any time.

To disable Malicious Dependencies:

  1. Go to Policies > SBOM and select Malicious Dependencies from the list.

  2. Click its toggle switch so the status changes to Off.

  3. Confirm the change in the dialog that appears.

After disabling the policy, no new malicious-dependency alerts appear.

Severity calculation for Malicious Dependencies

When OX Security detects a malicious dependency, it automatically assigns a severity rating that helps you prioritize remediation.

Every flagged malicious dependency starts with a Critical rating by default. This ensures you treat all potential supply-chain threats with high urgency.

OX Security evaluates additional factors and may lower severity when certain conditions apply:

  • Internal repository: If the package resides in an approved internal registry, the severity may be downgraded.

  • Defanged package: When a known malicious component has been neutralized, for example, code execution paths removed, the rating can be reduced.

  • No code reference: If the dependency is present but not actually referenced by your application code, the system may lower its impact rating.

Other factors, such as known mitigations in your environment or custom severity rules, may also influence the final rating. These adjustments help you focus on the most urgent issues.

When you enable the Ignore application business priority option, OX Security calculates severity using only the three adjustment factors listed above and the original base severity. That final, adjusted rating appears in the Active Issues page.
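The severity logic above (Critical base, optional downgrades for internal repository, defanged package and no code reference, and an application business priority that can be ignored) can be modelled as a small function. This is an added illustration, not OX Security's implementation: the page does not state how far each factor lowers the rating or how business priority is weighted, so this example assumes one level per applicable factor and treats business priority as a signed number of levels supplied by the caller. It returns the rating together with the list of adjustments applied, so the result can be audited.

```python
"""Illustrative severity model for flagged malicious dependencies.

Added example, not OX Security code. The one-level-per-factor rule and the
business-priority weighting are assumptions; the page specifies neither.
"""
from dataclasses import dataclass

LEVELS = ["Low", "Medium", "High", "Critical"]   # ordered low -> high
BASE_SEVERITY = "Critical"                        # every finding starts here


@dataclass
class Finding:
    package: str
    internal_repository: bool = False   # lives in an approved internal registry
    defanged: bool = False              # known malicious component neutralized
    no_code_reference: bool = False     # present but never referenced by app code
    business_priority_steps: int = 0    # assumed: +/- levels from app priority


def adjusted_severity(f: Finding, *, ignore_business_priority: bool = False) -> tuple[str, list[str]]:
    """Return (rating, applied_adjustments) for a finding.

    Each of the three page-listed factors lowers the rating by one level
    (assumption). Business priority is applied only when not ignored and
    is clamped so the result stays within LEVELS.
    """
    idx = LEVELS.index(BASE_SEVERITY)
    applied = []
    for label, flag in (("internal repository", f.internal_repository),
                        ("defanged package", f.defanged),
                        ("no code reference", f.no_code_reference)):
        if flag:
            idx -= 1
            applied.append(f"-1 level: {label}")
    if not ignore_business_priority and f.business_priority_steps:
        idx += f.business_priority_steps
        applied.append(f"{f.business_priority_steps:+d} level(s): application business priority")
    idx = max(0, min(idx, len(LEVELS) - 1))
    return LEVELS[idx], applied


if __name__ == "__main__":
    # Constructed findings to show the adjustments at work.
    samples = [
        Finding("event-stream"),
        Finding("coa", internal_repository=True, no_code_reference=True),
        Finding("loadyaml", defanged=True, business_priority_steps=-1),
    ]
    for s in samples:
        rating, why = adjusted_severity(s)
        print(f"{s.package:14} -> {rating:8} {why}")
        rating, why = adjusted_severity(s, ignore_business_priority=True)
        print(f"{s.package:14} -> {rating:8} {why}  (business priority ignored)")
```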
