Dependency with important known vulnerabilities

ID

dependency_important_vulnerabilities

Severity

high

Family

Known vulnerabilities

Description

A dependency may contain known vulnerabilities that could be exploited by bad actors. Unpatched vulnerabilities add risk to the software.

This detector uses an external Software Composition Analysis (SCA) tool to find known vulnerabilities associated with the project's dependencies. When that tool reports vulnerabilities satisfying certain conditions for the project, the detector reports a misconfiguration.

For now, the only integration available is with Snyk. Note that an active API token is required to connect to the Snyk API and fetch the known vulnerabilities in your project dependencies.

Additional integrations will be available in the future.

Security

If your project has direct or indirect dependencies with important known vulnerabilities, attackers could exploit them.

Examples

package.json

{
  "dependencies": {
    "dep-with-vulnerabilities": "1.0.0"
  }
}

Mitigation / Fix

When possible, upgrade vulnerable dependencies to versions that fix the vulnerabilities, following the procedure recommended by your SCA provider.

If an upgrade is not possible, or if the vulnerabilities are not promptly fixed, consider replacing the dependency with a similar project that has no important known vulnerabilities.
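The following is an added example, not the detector's own code, showing the logic behind both the Examples and the Mitigation sections above: it reads the dependencies of a package.json, matches them against a constructed stand-in for an SCA report (the real Snyk response schema is not reproduced; the field names, the "high"/"critical" threshold for "important" and the pinned numeric version format are assumptions), reports the dependencies affected by important vulnerabilities, and bumps each one to the reported fix version.

```python
import json

# Constructed sample package.json, modelled on the page's example (pinned versions).
PACKAGE_JSON = """{
  "dependencies": {
    "dep-with-vulnerabilities": "1.0.0",
    "safe-dep": "2.3.1"
  }
}"""

# Constructed stand-in for an SCA provider's report. The real Snyk response schema
# is not reproduced here; these field names are assumptions.
SCA_REPORT = [
    {"package": "dep-with-vulnerabilities", "severity": "high",
     "affected_below": "1.2.0", "fixed_in": "1.2.0"},
    {"package": "dep-with-vulnerabilities", "severity": "low",
     "affected_below": "1.0.1", "fixed_in": "1.0.1"},
    {"package": "safe-dep", "severity": "critical",
     "affected_below": "2.0.0", "fixed_in": "2.0.0"},
]

IMPORTANT = {"high", "critical"}  # assumed threshold for "important" severities

def parse_version(spec):
    """Turn a pinned numeric version (optionally prefixed with ^ or ~) into a comparable tuple."""
    return tuple(int(part) for part in spec.lstrip("^~").split("."))

def important_vulnerabilities(package_json, report, important=IMPORTANT):
    """Return the advisories that hit an installed dependency and have an important severity."""
    deps = json.loads(package_json).get("dependencies", {})
    findings = []
    for adv in report:
        installed = deps.get(adv["package"])
        if installed is None or adv["severity"] not in important:
            continue
        # Only versions strictly below the first fixed release are affected.
        if parse_version(installed) < parse_version(adv["affected_below"]):
            findings.append({"package": adv["package"], "installed": installed,
                             "severity": adv["severity"], "fixed_in": adv["fixed_in"]})
    return findings

def upgraded_dependencies(package_json, findings):
    """Mitigation: bump each flagged dependency to the highest fix version reported for it."""
    deps = dict(json.loads(package_json).get("dependencies", {}))
    for finding in findings:
        if parse_version(finding["fixed_in"]) > parse_version(deps[finding["package"]]):
            deps[finding["package"]] = finding["fixed_in"]
    return deps
```

Calling important_vulnerabilities(PACKAGE_JSON, SCA_REPORT) yields the single high-severity finding for dep-with-vulnerabilities 1.0.0, and passing that result to upgraded_dependencies returns the dependencies with that package raised to 1.2.0.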