Open Source Visibility Report, Powered by Sonatype's Nexus Lifecycle Solution

Review open source risk information in your dashboard, or in an interactive PDF.

Sonatype Application Overview.Png

Interactive PDF

Policy Alerts

Policy violations shown in this report are based on pre-set, standard policy definitions established by Sonatype. Learn more. Customers of the full Nexus Lifecycle solution are able to customize their policies.

Security Issues

This section identifies the breakdown of vulnerabilities based on severity and the threat level it poses to your application. Severity levels are based on the CVSS ratings.

Dependency Depth

This chart shows how deep within the dependency tree your issues are located.

License Analysis

This section defines the number of licenses detected in each category, including risk classifications.

Policy Violations

Each main row represents a policy, organized by policy threat level. The policy name is provided for easier review.


A policy is made up of constraints, which are a set of rules referred to as conditions. When a component meets the condition (and in turn, the constraint) a violation occurs. Here are the values for the conditions that have been met.


Here are Maven coordinates for the components that violate the pre-set, standard policies included in your report. In this sample, seven components have violations to "Security- Medium Policy"

Security Issues

Review and investigate any security vulnerabilities found in the components in your application.


The "status" can be managed for both security and license issues. This allows your team to triage, research and track items over time and determine which issues are not applicable and should be excluded from the report.

Problem Code

Go directly to the source to drill down on the details for any vulnerability.

License Analysis

Review and investigate license information for every component in your application.

License Threat

Licenses are sorted by threat level with the riskiest at the top. License are categorized as Copyleft (red), Non-standard or Not Provided (orange), Weak Copyleft (yellow) and Liberal (blue).


This section lists the specific components found in an application, also known as an application "bill of materials."


If the component is known, then we will display the Maven coordinate. If it is unknown or proprietary, then we will display the path and filename of the component as it exists in your application.

Match State

Represents whether or not a match could be found with a component in the (Maven) Central Repository. Exact matches mean the component is in Central. Similar means there are characteristics of the component siilar to component(s) in Central.