# SBOM Policies SBOM policies control the quality, safety, and compliance of third party libraries. The policies validate dependency and artifact metadata including completeness, accuracy and licensing compliance across the supply chain. The article describes the policies in this category, configuration options, and the impact of policy violations. For an overview of policies and policy management, see the [Policies ](https://docs.ox.security/ox-policies)article.
## **SBOM policy categories**
CategoryPolicyDescription
LicenseUnapproved license detected by 3rd party security appDetects components identified by an integrated third-party security tool as using licenses that are not approved by your organization.
LicenseUnapproved license used by direct dependency in codeChecks direct dependencies in the codebase for licenses that are not approved by your organization.
LicenseUnapproved license used by indirect dependency in codeChecks indirect (transitive) dependencies for licenses that are not approved by your organization.
LicenseUnapproved license used in forked open sourceChecks forked open-source projects for licenses that are not approved by your organization.
MaintenanceDeprecated direct dependency in codeIdentifies direct dependencies in the codebase that are marked as deprecated by their maintainers.
MaintenanceDeprecated indirect dependency in codeIdentifies indirect dependencies that are marked as deprecated by their maintainers.
MaintenanceOutdated direct dependency in codeDetects direct dependencies that do not use the latest available versions.
MaintenanceOutdated indirect dependency in codeDetects indirect dependencies that do not use the latest available versions.
MaintenanceUnpopular direct dependency in codeIdentifies direct dependencies with low adoption or usage signals in the ecosystem.
MaintenanceUnpopular indirect dependency in codeIdentifies indirect dependencies with low adoption or usage signals in the ecosystem.
MaintenanceUnused direct dependency in codeDetects direct dependencies that are declared but not referenced in the codebase.
MalwareDependency confusion: organization scope in codeDetects dependency confusion risks where public packages may override organization-scoped packages.
MalwareDependency confusion: private package in codeDetects dependency confusion risks involving private packages that may be shadowed by public packages.
MalwareMalicious dependency in codeIdentifies dependencies that are known or suspected to contain malicious code.
MalwareTyposquatting dependency in codeDetects dependencies with names that closely resemble popular packages and may indicate typosquatting.
MalwareUntrusted source for dependency in codeIdentifies dependencies that are downloaded from sources not approved or trusted by your organization.
## License policies For license policies, see the article [License policies.](https://docs.ox.security/ox-policies/license-policies) ## Maintenance policies Open each policy to view the business impact and optional settings.
Deprecated direct dependency in code **Purpose:** Identifies transitive dependencies in the codebase that are marked as deprecated by their maintainers. **Business impact:** Utilizing libraries that are deprecated increases security and compatibility risks because they are no longer maintained.
SettingDescriptionDefault
ON/OFF (toggle)Enable/disable the policy.ON
Show issues of severity (dropdown)Limits which severities appear as issues.OX severity setting
Ignore Application Business Priority for severity calculation (checkbox)When enabled, severity is not adjusted based on application priority.OFF
Deprecated indirect dependency in code **Purpose:** Identifies transitive dependencies in the codebase that are marked as deprecated by their maintainers. **Business impact:** Unused dependencies in code add risk and waste resources. Remove them to reduce your attack surface. Removal lowers maintenance effort, avoids hidden vulnerabilities, and improves build performance.
SettingDescriptionDefault
ON/OFF (toggle)Enable/disable the policy.OFF
Show issues of severity (dropdown)Limits which severities appear as issues.OX severity setting
Ignore Application Business Priority for severity calculation (checkbox)When enabled, severity is not adjusted based on application priority.OFF
Outdated direct dependency in code **Purpose:** Identifies direct dependencies in the codebase that are outdated. **Business impact:** Outdated libraries block access to security fixes and improvements. Open source projects update their packages often, and older versions may contain known vulnerabilities. Update your dependencies regularly to keep your code secure and stable.
SettingDescriptionDefault
ON/OFF (toggle)Enable/disable the policy.OFF
Show issues of severity (dropdown)Limits which severities appear as issues.OX severity setting
Compare (dropdown)Major version: When selected there is no violation if the latest version of a library is just a minor version change.Current setting
Major version draftA violation occurs only if the difference between the latest major version and the deployed major version is greater than or equal to the drift.Current setting
Days since updateDays that a library that has a newer version can remain without being updated.Calculation
Ignore Application Business Priority for severity calculation (checkbox)When enabled, severity is not adjusted based on application priority.OFF
Outdated indirect dependency in code **Purpose**: Identifies transitive dependencies in the codebase that are outdated based on either drift from the latest major version or the number of days since the last update was released. **Business impact:** Outdated libraries block access to security fixes and improvements. Open source projects update their packages often, and older versions may contain known vulnerabilities. Update your dependencies regularly to keep your code secure and stable.
SettingDescriptionDefault
ON/OFF (toggle)Enable/disable the policy.OFF
Show issues of severity (dropdown)Limits which severities appear as issues.OX severity setting
Compare (dropdown)Major version: When selected there is no violation if the latest version of a library is just a minor version change.Current setting
Major version draftA violation occurs only if the difference between the latest major version and the deployed major version is greater than or equal to the drift.Current setting
Days since updateDays that a library that has a newer version can remain without being updated.Calculation
Ignore Application Business Priority for severity calculation (checkbox)When enabled, severity is not adjusted based on application priority.OFF
Unpopular direct dependency in code **Purpose:** Identifies direct dependencies in the codebase that have low adoption or limited community usage. **Business impact:** Libraries with very few users increase risk because the libraries receive less review and slower updates. Choose popular libraries to reduce security and reliability risks. Widely used libraries tend to be more stable and better maintained.
SettingDescriptionDefault
ON/OFF (toggle)Enable/disable the policy.OFF
Show issues of severity (dropdown)Limits which severities appear as issues.OX severity setting
Stars countMinimum number of stars. A violation occurs only when all arguments (forks, stars, downloads if available) are violated.Current setting
Downloads countMinimum number of downloads. A violation occurs only when all arguments (forks, stars, downloads if available) are violated.Current setting
Forks countThe minimum number of forks. A violation occurs only when all arguments (forks, stars, downloads if available) are violated.Current setting
Ignore Application Business Priority for severity calculation (checkbox)When enabled, severity is not adjusted based on application priority.OFF
Unpopular indirect dependency in code **Purpose:** Identifies indirect dependencies with low adoption or usage signals in the ecosystem. **Business impact:** Libraries with very few users increase risk because the libraries receive less review and slower updates. Choose popular libraries to reduce security and reliability risks. Widely used libraries tend to be more stable and better maintained.
SettingDescriptionDefault
ON/OFF (toggle)Enable/disable the policy.OFF
Show issues of severity (dropdown)Limits which severities appear as issues.OX severity setting
Stars countMinimum number of stars. A violation occurs only when all arguments (forks, stars, downloads if available) are violated.Current setting
Downloads countMinimum number of downloads. A violation occurs only when all arguments (forks, stars, downloads if available) are violated.Current setting
Forks countThe minimum number of forks. A violation occurs only when all arguments (forks, stars, downloads if available) are violated.Current setting
Ignore Application Business Priority for severity calculation (checkbox)When enabled, severity is not adjusted based on application priority.OFF
Unused direct dependency in code **Purpose:** Detects direct dependencies that are declared but not referenced in the codebase. **Business impact:** Unused dependencies increase security and maintenance risk. Remove them to reduce your attack surface, lower maintenance effort, avoid hidden vulnerabilities, and improve build performance.
SettingDescriptionDefault
ON/OFF (toggle)Enable/disable the policy.ON
Show issues of severity (dropdown)Limits which severities appear as issues.OX severity setting
Ignore Application Business Priority for severity calculation (checkbox)When enabled, severity is not adjusted based on application priority.OFF
## Malware policies Open each policy to view the business impact and optional settings.
Dependency confusion: organization scope in code **Purpose:** Detects dependency confusion risks where public packages may override organization-scoped packages. **Business impact:** A violation increases the chance that builds install a public package that impersonates an internal one. This can lead to unauthorized code execution, data exposure, service disruption, and full compromise of internal workloads. It also weakens supply chain controls and increases the effort needed to detect and recover from malicious package substitution.
| Setting | Description | Default | | ------------------------------------------------------------------------ | --------------------------------------------------------------------- | ------------------- | | ON/OFF (toggle) | Enable/disable the policy. | ON | | Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting | | Ignore internal package scopes | Add package names | Current setting | | Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |
Dependency confusion: private package in code **Purpose:** Detects dependency confusion risks involving private packages that may be shadowed by public packages. **Business impact:** A violation increases the risk that builds install a public package that uses your internal organization scope. Attackers use this naming collision to run unauthorized code, leak sensitive data, or disrupt services. As your organization increases the use of open source, the negative impact from attacks increases.
SettingDescriptionDefault
ON/OFF (toggle)Enable/disable the policy.ON
Show issues of severity (dropdown)Limits which severities appear as issues.OX severity setting
Ignore internal package scopesAdd package namesCurrent setting
Ignore Application Business Priority for severity calculation (checkbox)When enabled, severity is not adjusted based on application priority.OFF
Malicious dependency in code **Purpose:** Identifies dependencies that are known or suspected to contain malicious code. **Business impact:** A violation increases the risk that your codebase includes a dependency that contains harmful or hostile code. A malicious dependency can steal data, execute unauthorized commands, move laterally inside your environment, or take over VMs and workloads. It also weakens supply chain security and increases the effort needed to detect, contain, and recover from an intrusion.
SettingDescriptionDefault
ON/OFF (toggle)Enable/disable the policy.ON
Show issues of severity (dropdown)Limits which severities appear as issues.OX severity setting
Ignore Application Business Priority for severity calculation (checkbox)When enabled, severity is not adjusted based on application priority.ON
Typosquatting dependency in code **Purpose:** Detects dependencies with names that closely resemble popular packages and may indicate typosquatting. **Business impact:** A violation increases the chance that developers install a package that impersonates a trusted dependency. A typosquatting package can run malicious code, steal data, move laterally inside your environment, or take over workloads. It also weakens supply chain security and raises the risk of unnoticed compromise during development or build processes.
| Setting | Description | Default | | ------------------------------------------------------------------------ | --------------------------------------------------------------------- | ------------------- | | ON/OFF (toggle) | Enable/disable the policy. | ON | | Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting | | Ignore internal package scopes | Add package names | Current setting | | Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |
Untrusted source for dependency in code **Purpose:** Identifies dependencies that are downloaded from sources not approved or trusted by your organization. **Business impact:** A violation exposes applications to malicious code, data theft, and unauthorized access. Untrusted sources can introduce harmful dependencies into the supply chain and compromise systems or disrupt services. Use only verified and trusted repositories to protect the integrity of your builds.
| Setting | Description | Default | | ------------------------------------------------------------------------ | --------------------------------------------------------------------- | ------------------- | | ON/OFF (toggle) | Enable/disable the policy. | OFF | | Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting | | Whitelisted sources | Click to add a URL. | Current setting | | Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF | > Java and JS/TS projects are supported.
## View policy issues 1. Open the Active Issues page. 2. Use the **Category** filter and select the policy category to view related active issues. 3. Use the **Policy** filter to narrow the list to a specific policy. 4. Apply the Category and Policy filters separately or together, depending on how specific you want the results to be. 5. Use the search box to refine results, such as filtering by file name, keyword, or rule identifier. ## Create or save policy profiles You can also use the **Issues** filter on the SBOM page. When you change a policy’s severity, ON/OFF toggle or any other setting, you must save the current profile or create a new one. * To save the current profile, click **SAVE** in the page header. * To create a new profile, click **SAVE AS** in the page header. For instructions, see the section [Create or edit policy profiles ](https://open-2c.gitbook.com/url/preview/site_RHimt/~/revisions/esBak1HVuTgsCEeNbzHE/policies?theme=light#create-or-edit-policy-profiles)in the [Policies ](https://docs.ox.security/ox-policies/policies)article.