SBOM Policies

SBOM policies control the quality, safety, and compliance of third-party libraries. They validate dependency and artifact metadata, including completeness, accuracy, and licensing compliance, across the supply chain.

The article describes the policies in this category, configuration options, and the impact of policy violations. For an overview of policies and policy management, see the Policies article.

SBOM policy categories

Category | Policy | Description
License | Unapproved license detected by 3rd party security app | Detects components identified by an integrated third-party security tool as using licenses that are not approved by your organization.
License | Unapproved license used by direct dependency in code | Checks direct dependencies in the codebase for licenses that are not approved by your organization.
License | Unapproved license used by indirect dependency in code | Checks indirect (transitive) dependencies for licenses that are not approved by your organization.
License | Unapproved license used in forked open source | Checks forked open-source projects for licenses that are not approved by your organization.
Maintenance | Deprecated direct dependency in code | Identifies direct dependencies in the codebase that are marked as deprecated by their maintainers.
Maintenance | Deprecated indirect dependency in code | Identifies indirect dependencies that are marked as deprecated by their maintainers.
Maintenance | Outdated direct dependency in code | Detects direct dependencies that do not use the latest available versions.
Maintenance | Outdated indirect dependency in code | Detects indirect dependencies that do not use the latest available versions.
Maintenance | Unpopular direct dependency in code | Identifies direct dependencies with low adoption or usage signals in the ecosystem.
Maintenance | Unpopular indirect dependency in code | Identifies indirect dependencies with low adoption or usage signals in the ecosystem.
Maintenance | Unused direct dependency in code | Detects direct dependencies that are declared but not referenced in the codebase.
Malware | Dependency confusion: organization scope in code | Detects dependency confusion risks where public packages may override organization-scoped packages.
Malware | Dependency confusion: private package in code | Detects dependency confusion risks involving private packages that may be shadowed by public packages.
Malware | Malicious dependency in code | Identifies dependencies that are known or suspected to contain malicious code.
Malware | Typosquatting dependency in code | Detects dependencies with names that closely resemble popular packages and may indicate typosquatting.
Malware | Untrusted source for dependency in code | Identifies dependencies that are downloaded from sources not approved or trusted by your organization.

License policies

For license policies, see the article License policies.

Maintenance policies

Open each policy to view the business impact and optional settings.

Deprecated direct dependency in code

Purpose: Identifies direct dependencies in the codebase that are marked as deprecated by their maintainers.

Business impact: Utilizing libraries that are deprecated increases security and compatibility risks because they are no longer maintained.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF

Deprecated indirect dependency in code

Purpose: Identifies transitive dependencies in the codebase that are marked as deprecated by their maintainers.

Business impact: Utilizing libraries that are deprecated increases security and compatibility risks because they are no longer maintained.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | OFF
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF

Outdated direct dependency in code

Purpose: Identifies direct dependencies in the codebase that are outdated based on either drift from the latest major version or the number of days since the last update was released.

Business impact: Outdated libraries block access to security fixes and improvements. Open source projects update their packages often, and older versions may contain known vulnerabilities. Update your dependencies regularly to keep your code secure and stable.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | OFF
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Compare (dropdown) | Major version: when selected, there is no violation if the latest version of a library differs only by a minor version change. | Current setting
Major version drift | A violation occurs only if the difference between the latest major version and the deployed major version is greater than or equal to the drift. | Current setting
Days since update | Number of days that a library with a newer version can remain without being updated. | Calculation
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF

Outdated indirect dependency in code

Purpose: Identifies transitive dependencies in the codebase that are outdated based on either drift from the latest major version or the number of days since the last update was released.

Business impact: Outdated libraries block access to security fixes and improvements. Open source projects update their packages often, and older versions may contain known vulnerabilities. Update your dependencies regularly to keep your code secure and stable.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | OFF
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Compare (dropdown) | Major version: when selected, there is no violation if the latest version of a library differs only by a minor version change. | Current setting
Major version drift | A violation occurs only if the difference between the latest major version and the deployed major version is greater than or equal to the drift. | Current setting
Days since update | Number of days that a library with a newer version can remain without being updated. | Calculation
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
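The three Compare modes above (direct and indirect policies share them) are easiest to reason about as code. The following is an added example, not OX's own implementation; the setting and field names are assumptions and the inventory is constructed.

```python
from dataclasses import dataclass
from typing import List

# Assumed setting names (not the product's API): one Compare mode per profile.
@dataclass
class OutdatedSettings:
    compare: str          # "major_version", "major_version_drift" or "days_since_update"
    drift: int = 1        # only used by "major_version_drift"
    max_days: int = 90    # only used by "days_since_update"

@dataclass
class Dependency:
    name: str
    deployed: str
    latest: str
    days_since_latest: int  # days since the newest version was published

def parse_major(version: str) -> int:
    """Major component of a dotted version such as 'v4.17.21' -> 4."""
    return int(version.lstrip("v").split(".")[0])

def is_outdated(dep: Dependency, s: OutdatedSettings) -> bool:
    """Apply the selected Compare mode as the policy table describes it."""
    if dep.deployed == dep.latest:
        return False  # no newer version exists, so never a violation
    if s.compare == "major_version":
        # a newer minor or patch release alone is not a violation
        return parse_major(dep.latest) > parse_major(dep.deployed)
    if s.compare == "major_version_drift":
        return parse_major(dep.latest) - parse_major(dep.deployed) >= s.drift
    if s.compare == "days_since_update":
        return dep.days_since_latest > s.max_days
    raise ValueError(f"unknown compare mode: {s.compare}")

def find_outdated(deps: List[Dependency], s: OutdatedSettings) -> List[str]:
    """Names of dependencies that violate the policy under settings s."""
    return [d.name for d in deps if is_outdated(d, s)]

# Constructed sample inventory (not real project data).
SAMPLE = [
    Dependency("lib-a", "2.3.0", "2.5.1", 200),  # only a minor bump, but 200 days old
    Dependency("lib-b", "2.3.0", "3.0.0", 10),   # one major behind, released recently
    Dependency("lib-c", "2.3.0", "4.1.0", 10),   # two majors behind
    Dependency("lib-d", "1.0.0", "1.0.0", 500),  # already current
]

if __name__ == "__main__":
    for mode in (OutdatedSettings("major_version"),
                 OutdatedSettings("major_version_drift", drift=2),
                 OutdatedSettings("days_since_update", max_days=90)):
        print(mode.compare, find_outdated(SAMPLE, mode))
```

Note that lib-a is flagged only by the days-since-update mode while lib-b is flagged only by the major-version mode, which is why a profile should pick the mode that matches its upgrade cadence.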

Unpopular direct dependency in code

Purpose: Identifies direct dependencies in the codebase that have low adoption or limited community usage.

Business impact: Libraries with very few users increase risk because the libraries receive less review and slower updates. Choose popular libraries to reduce security and reliability risks. Widely used libraries tend to be more stable and better maintained.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | OFF
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Stars count | Minimum number of stars. A violation occurs only when all arguments (forks, stars, downloads if available) are violated. | Current setting
Downloads count | Minimum number of downloads. A violation occurs only when all arguments (forks, stars, downloads if available) are violated. | Current setting
Forks count | Minimum number of forks. A violation occurs only when all arguments (forks, stars, downloads if available) are violated. | Current setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF

Unpopular indirect dependency in code

Purpose: Identifies indirect dependencies with low adoption or usage signals in the ecosystem.

Business impact: Libraries with very few users increase risk because the libraries receive less review and slower updates. Choose popular libraries to reduce security and reliability risks. Widely used libraries tend to be more stable and better maintained.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | OFF
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Stars count | Minimum number of stars. A violation occurs only when all arguments (forks, stars, downloads if available) are violated. | Current setting
Downloads count | Minimum number of downloads. A violation occurs only when all arguments (forks, stars, downloads if available) are violated. | Current setting
Forks count | Minimum number of forks. A violation occurs only when all arguments (forks, stars, downloads if available) are violated. | Current setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
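The "all arguments must be violated" rule for both Unpopular policies, including the case where an ecosystem publishes no download counts, as an added example (not OX code; threshold names and package statistics are assumptions and constructed):

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed names for the three thresholds of the Unpopular dependency policies.
@dataclass
class PopularitySettings:
    min_stars: int
    min_forks: int
    min_downloads: int

@dataclass
class PackageStats:
    name: str
    stars: int
    forks: int
    downloads: Optional[int]  # None when the ecosystem publishes no download counts

def is_unpopular(p: PackageStats, s: PopularitySettings) -> bool:
    """Violation only when every available signal is below its minimum."""
    below = [p.stars < s.min_stars, p.forks < s.min_forks]
    if p.downloads is not None:
        below.append(p.downloads < s.min_downloads)  # "downloads if available"
    # a single healthy signal (e.g. heavy download volume) clears the policy
    return all(below)

def find_unpopular(pkgs: List[PackageStats], s: PopularitySettings) -> List[str]:
    """Names of packages that violate the policy under settings s."""
    return [p.name for p in pkgs if is_unpopular(p, s)]

# Constructed sample statistics (not real registry data).
SAMPLE = [
    PackageStats("tiny-util", 12, 1, 300),         # low on every signal -> violation
    PackageStats("busy-lib", 15, 2, 900_000),      # few stars/forks but heavily downloaded
    PackageStats("no-stats", 5, 0, None),          # downloads unknown: judged on stars and forks only
    PackageStats("big-framework", 40_000, 3_000, 5_000_000),
]

SETTINGS = PopularitySettings(min_stars=100, min_forks=20, min_downloads=10_000)

if __name__ == "__main__":
    print(find_unpopular(SAMPLE, SETTINGS))
```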

Unused direct dependency in code

Purpose: Detects direct dependencies that are declared but not referenced in the codebase.

Business impact: Unused dependencies increase security and maintenance risk. Remove them to reduce your attack surface, lower maintenance effort, avoid hidden vulnerabilities, and improve build performance.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF

Malware policies

Open each policy to view the business impact and optional settings.

Dependency confusion: organization scope in code

Purpose: Detects dependency confusion risks where public packages may override organization-scoped packages.

Business impact: A violation increases the chance that builds install a public package that impersonates an internal one. This can lead to unauthorized code execution, data exposure, service disruption, and full compromise of internal workloads. It also weakens supply chain controls and increases the effort needed to detect and recover from malicious package substitution.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Ignore internal package scopes | Add package names. | Current setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF

Dependency confusion: private package in code

Purpose: Detects dependency confusion risks involving private packages that may be shadowed by public packages.

Business impact: A violation increases the risk that builds install a public package that uses your internal organization scope. Attackers use this naming collision to run unauthorized code, leak sensitive data, or disrupt services. As your organization increases the use of open source, the negative impact from attacks increases.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Ignore internal package scopes | Add package names. | Current setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF

Malicious dependency in code

Purpose: Identifies dependencies that are known or suspected to contain malicious code.

Business impact: A violation increases the risk that your codebase includes a dependency that contains harmful or hostile code. A malicious dependency can steal data, execute unauthorized commands, move laterally inside your environment, or take over VMs and workloads. It also weakens supply chain security and increases the effort needed to detect, contain, and recover from an intrusion.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | ON

Typosquatting dependency in code

Purpose: Detects dependencies with names that closely resemble popular packages and may indicate typosquatting.

Business impact: A violation increases the chance that developers install a package that impersonates a trusted dependency. A typosquatting package can run malicious code, steal data, move laterally inside your environment, or take over workloads. It also weakens supply chain security and raises the risk of unnoticed compromise during development or build processes.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Ignore internal package scopes | Add package names. | Current setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF

Untrusted source for dependency in code

Purpose: Identifies dependencies that are downloaded from sources not approved or trusted by your organization.

Business impact: A violation exposes applications to malicious code, data theft, and unauthorized access. Untrusted sources can introduce harmful dependencies into the supply chain and compromise systems or disrupt services. Use only verified and trusted repositories to protect the integrity of your builds.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | OFF
Show issues of severity (dropdown) | Limits which severities appear as issues. | OX severity setting
Whitelisted sources | Click to add a URL. | Current setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF

Java and JS/TS projects are supported.
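A lockfile-level check in the spirit of the Untrusted source and Dependency confusion policies, as an added example for a JS/TS project (this is not OX's scanner; the scope list, internal registry host, whitelist and the package-lock.json fragment are all assumptions constructed for the example):

```python
import json
from typing import Dict, List
from urllib.parse import urlparse

# Assumed profile values: the organization's npm scopes, the hosts those scopes must
# resolve from, and the Whitelisted sources list of the Untrusted source policy.
INTERNAL_SCOPES = {"@acme"}
INTERNAL_HOSTS = {"npm.internal.example"}
WHITELISTED_HOSTS = {"registry.npmjs.org", "npm.internal.example"}

# Constructed package-lock.json fragment (lockfileVersion 2/3 "packages" layout).
LOCKFILE = json.loads("""
{"packages": {
  "node_modules/@acme/auth":    {"version": "1.2.0", "resolved": "https://registry.npmjs.org/@acme/auth/-/auth-1.2.0.tgz"},
  "node_modules/@acme/billing": {"version": "3.0.1", "resolved": "https://npm.internal.example/@acme/billing/-/billing-3.0.1.tgz"},
  "node_modules/left-pad":      {"version": "1.3.0", "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
  "node_modules/lodash":        {"version": "4.17.21", "resolved": "https://mirror.unknown.example/lodash-4.17.21.tgz"}
}}""")

def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested entries keep the last segment)."""
    return path.rsplit("node_modules/", 1)[-1]

def check_lockfile(lock: dict) -> Dict[str, List[str]]:
    """Return {package: [finding, ...]} for resolved sources that break either policy."""
    findings: Dict[str, List[str]] = {}
    for path, entry in lock.get("packages", {}).items():
        if not path or "resolved" not in entry:
            continue  # root entry, or a link/workspace package with no download source
        name = package_name(path)
        host = urlparse(entry["resolved"]).hostname or ""
        scope = name.split("/")[0] if name.startswith("@") else None
        problems = []
        if scope in INTERNAL_SCOPES and host not in INTERNAL_HOSTS:
            # an internal scope fetched from a public registry is the dependency-confusion pattern
            problems.append(f"dependency-confusion: {scope} resolved from {host}")
        if host not in WHITELISTED_HOSTS:
            problems.append(f"untrusted-source: {host}")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for pkg, problems in check_lockfile(LOCKFILE).items():
        print(pkg, problems)
```

Running it as a CI step before install fails the build on @acme/auth (internal scope served by the public registry) and on lodash (mirror not in the whitelist), while the two correctly sourced packages pass.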

  1. Open the Active Issues page.

  2. Use the Category filter and select the policy category to view related active issues.

  3. Use the Policy filter to narrow the list to a specific policy.

  4. Apply the Category and Policy filters separately or together, depending on how specific you want the results to be.

  5. Use the search box to refine results, such as filtering by file name, keyword, or rule identifier.

You can also use the Issues filter on the SBOM page.

When you change a policy’s severity, ON/OFF toggle or any other setting, you must save the current profile or create a new one.

  • To save the current profile, click SAVE in the page header.

  • To create a new profile, click SAVE AS in the page header. For instructions, see the section Create or edit policy profiles in the Policies article.
