
Dependency Vulnerabilities

Understand and reduce risk from third‑party open‑source packages

The Dependency Vulnerabilities feature highlights known security issues in your dependencies and summarizes the overall risk with a simple score.

Where to find it

  • In the repository page, section “Quality & Compliance”, open the card “Dependency Vulnerabilities”.
  • The card shows a single score (0–100). Click it to open the detailed slide‑over.

How to read the score

  • The score ranges from 0 to 100. Higher is better (lower risk).
  • It reflects two things:

1) how many of your dependencies, at the versions you currently use, have known vulnerabilities

2) how severe those vulnerabilities are (severity level and, where available, CVSS score).

Tip

Treat the score as a guide for prioritization, not as a complete picture. A drop usually means newly discovered issues or outdated packages that need upgrading. Because the total risk is divided by the number of components in your SBOM, a single Critical finding in a large repository moves the score only slightly, so check the severity breakdown in the details as well as the score.

What the details show

  • A quick summary: the number of vulnerabilities affecting your current versions, the number of components analyzed, and when the SBOM (dependency inventory) was generated.
  • A severity breakdown: counts of Critical, High, Medium, and Low issues.
  • A table of vulnerable components with:
      • Package and version
      • Severity and identifiers (GHSA/CVE)
      • Affected version range and the first patched version
      • Affected status (whether your current version is impacted)

How the score is calculated (in plain language)

  • Each vulnerability has a severity (Critical, High, Medium, Low) and sometimes a CVSS score (0–10). More severe issues count more.
  • We combine these into a single “risk” value and normalize it by the number of components in your SBOM, so large repositories aren’t unfairly penalized.
  • The result is converted to a 0–100 score where 100 means no finding affects your current versions. The score covers known, catalogued issues (GHSA/CVE) only; it says nothing about vulnerabilities that have not yet been published.

Weights by severity:

  • Critical = 1.0
  • High = 0.7
  • Medium = 0.4
  • Low = 0.2

Let affected findings be F. For each finding f in F with severity s and CVSS score cvss (0–10):

1) Compute weighted risk contribution: contribution(f) = weight(s) × min(cvss, 10)

2) Sum over all affected findings: total_risk = Σ contribution(f)

3) Normalize by the number of components in the SBOM (N_components ≥ 1): normalized_risk = total_risk / N_components

4) Convert to a score in [0, 100]: score = max(0, 100 − K × normalized_risk)

Where K is a scaling factor calibrated for legibility. In GitPulse, K = 15.0, so the score reaches 0 once normalized_risk is 100/15 ≈ 6.67 or higher (for example, a single affected Critical finding with CVSS 10 in an SBOM of one component).

Formula

contribution(f) = weight(s) × min(cvss, 10)

total_risk = Σ contribution(f)

normalized_risk = total_risk / N_components

score = max(0, 100 − K × normalized_risk)
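The four steps above, carried through on constructed input. This is an added example written for this page, not GitPulse code: it re-implements the documented formula (weights, K = 15.0, normalization by component count) so the arithmetic can be checked by hand, and it also shows the normalization effect and how the score changes once a Critical finding is no longer affected. The package names and `EXAMPLE-000x` identifiers are placeholders, not real advisories. One assumption is marked in the code: the page does not say what CVSS value a finding without a CVSS score receives, so the example substitutes a per-severity placeholder.

```python
"""Worked example of the GitPulse Dependency Vulnerabilities score.

Added example, not GitPulse code: re-implements the documented formula on
constructed findings so the numbers can be checked by hand.
"""
from dataclasses import dataclass, replace
from typing import Iterable, Optional

# Severity weights and scaling factor exactly as documented.
SEVERITY_WEIGHTS = {"Critical": 1.0, "High": 0.7, "Medium": 0.4, "Low": 0.2}
K = 15.0

# ASSUMPTION: the documentation does not state what CVSS value is used when an
# advisory carries a severity but no CVSS score. This example substitutes a
# per-severity placeholder; GitPulse's actual handling may differ.
ASSUMED_CVSS_WHEN_MISSING = {"Critical": 9.0, "High": 7.0, "Medium": 5.0, "Low": 2.0}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    identifier: str        # GHSA/CVE id; placeholders below, not real advisories
    severity: str          # "Critical" | "High" | "Medium" | "Low"
    cvss: Optional[float]  # 0-10, or None when the advisory has no CVSS score
    affected: bool         # True when the current version is in the affected range


def contribution(f: Finding) -> float:
    """Step 1: contribution(f) = weight(s) x min(cvss, 10)."""
    cvss = f.cvss if f.cvss is not None else ASSUMED_CVSS_WHEN_MISSING[f.severity]
    return SEVERITY_WEIGHTS[f.severity] * min(max(cvss, 0.0), 10.0)


def dependency_score(findings: Iterable[Finding], n_components: int) -> float:
    """Steps 2-4 over affected findings only; returns a score in [0, 100]."""
    if n_components < 1:
        raise ValueError("N_components must be >= 1")
    affected = [f for f in findings if f.affected]
    total_risk = sum(contribution(f) for f in affected)   # step 2
    normalized_risk = total_risk / n_components          # step 3
    return max(0.0, 100.0 - K * normalized_risk)        # step 4


def severity_breakdown(findings: Iterable[Finding]) -> dict:
    """Counts of affected findings per severity, as shown in the slide-over."""
    counts = {s: 0 for s in SEVERITY_WEIGHTS}
    for f in findings:
        if f.affected:
            counts[f.severity] += 1
    return counts


# Constructed sample findings (placeholder identifiers, not real advisories).
SAMPLE_FINDINGS = [
    Finding("pkg-a", "1.2.0", "EXAMPLE-0001", "Critical", 9.8, True),
    Finding("pkg-b", "3.0.1", "EXAMPLE-0002", "High", 7.5, True),
    Finding("pkg-c", "0.9.4", "EXAMPLE-0003", "Medium", 5.3, True),
    Finding("pkg-d", "2.1.0", "EXAMPLE-0004", "Low", 3.1, False),  # not affected
]
SAMPLE_N_COMPONENTS = 40


def after_upgrading(findings: Iterable[Finding], package: str) -> list:
    """Model moving `package` past its first patched version: no longer affected."""
    return [replace(f, affected=False) if f.package == package else f for f in findings]


if __name__ == "__main__":
    print("breakdown:", severity_breakdown(SAMPLE_FINDINGS))
    # total_risk = 9.8 + 0.7*7.5 + 0.4*5.3 = 17.17; /40 = 0.42925; 100 - 15*0.42925 = 93.56
    print(f"score:          {dependency_score(SAMPLE_FINDINGS, SAMPLE_N_COMPONENTS):.2f}")
    # Normalization effect: one Critical finding clamps a 1-component SBOM to 0
    # but barely moves a 200-component SBOM (9.8/200*15 = 0.735 off the score).
    crit = SAMPLE_FINDINGS[0]
    print(f"1 component:    {dependency_score([crit], 1):.2f}")
    print(f"200 components: {dependency_score([crit], 200):.2f}")
    # Upgrading pkg-a removes 9.8 of the 17.17 total risk.
    print(f"after upgrade:  {dependency_score(after_upgrading(SAMPLE_FINDINGS, 'pkg-a'), SAMPLE_N_COMPONENTS):.2f}")
```

Run it as a script to see the four numbers; `dependency_score` is pure, so it can also be fed findings exported from the details table to reproduce a score or to estimate the effect of a planned upgrade before doing it.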

Note

Your score improves as soon as a regenerated SBOM reflects upgrades to patched versions, with the largest gains coming from Critical and High‑severity issues.

Best practices and actions

  • Start with Critical and High vulnerabilities. Plan upgrades to the “first patched” versions shown.
  • Review Medium and Low issues regularly to prevent risk from accumulating.
  • Keep the SBOM fresh: re‑generate it after dependency updates to reflect the latest state.