Skip to main content

Sonatype for Visual Studio 2022

Sonatype’s Integrated Development Environments (IDE) extensions provide development teams with direct access to Sonatype's comprehensive component intelligence. The Visual Studios 2022 integration enables a true Shift-Left in application security for development teams by putting security into the development workflow, allowing developers to build secure applications quickly.

Sonatype for Visual Studio 2022 Extension provides component analysis for both the Community, Professional, and Enterprise versions of Visual Studio.

New functionality in Visual Studio 2022

The Sonatype for Visual Studio 2022 extension has complete parity with the previous IQ for Visual Studio 2019 plugin. Expanded and new features found only in this version are listed in the Support Features section below.


  • This extension works with Visual Studio 2022 on Windows and Linux (if your Visual Studio can run on Linux using other extensions)

  • It is not supported for Visual Studio on macOS

  • It supports both the Light and Dark themes available in Visual Studio 2022

Project Reference Managers

Projects will need to be opened using a PackageReference or the older packages.config format to be analyzed.

External Libraries

At this time, the extension only supports the locally installed project cache libraries.

Installing Sonatype for Visual Studio 2022

IQ for Visual Studio 2022 can be installed from within Visual Studio using the Extensions Manager or via the Microsoft Visual Studio Marketplace.

Opening Sonatype for Visual Studio 2022

You can access the extension by navigating the menu for View -> Other Windows -> Sonatype

Configuring Sonatype for Visual Studio 2022

The Sonatype IQ options are available from within the Visual Studio options dialog.

Authorization using IQ Server Credentials

A URL, Username, and Password may be entered to connect the extension to fetch data from the IQ Server. The Connect button is used to verify the connection:


Select the appropriate application as configured in the Sonatype IQ server. This is required to use the appropriately scoped policy set for your application.

Using Certificate Authentication

The extension supports using a certificate for authentication.

Clicking the Select button, next to the Certificate field, will open a security dialog. By selecting a certificate, typed credentials will empty out and the certificate will be used for authentication. To revert and use typed credentials, fill in the username and password fields.


Windows Security prompt will display options from the Personal Certificates store. Managing this store is accomplished by using MMC and the Certificates Snap-In. To provide additional choices, right-click the Certificates folder and follow the prompts to install a certificate. Note: Ensure the Trusted Root Certificate Authorities store contains a record for the IQ Server reverse proxy.


Restarting Visual Studio and the Sonatype for Visual Studio extension will open a certificate prompt to establish a secure connection.

Using Sonatype for Visual Studio 2022

The Sonatype for Visual Studio tool window is accessed by clicking the Sonatype Developer tab on the bottom tool strip of Visual Studio. It is also available in View under Other Windows.

Once configured and the component analysis is completed, a component view will be displayed. Component versions and details are available by clicking on the component name in the Component list.


Review the Component Info View for details on the returned Policy Threat levels.

Supported Features

Extension Management Icons

  • Configuration: The configuration is managed under the gear icon on the left-hand side of the extension window.

  • Running Analysis: To run or refresh the analysis you can click on the play button next to the configuration. Allow for a few minutes for the analysis to complete.

  • Filter Results: The filter icon allows you to focus on a specific set of results. See details below.

  • Sorting: By default, the component list is not sorted but you can sort the result by clicking on any of the table headers.

Migrate to Selected

The "Migrate to Selected" button allows you to update your project dependencies for any Nuget direct dependencies without leaving the extension. The button will remain disabled until a supported version upgrade has been selected. Currently, npm components and transitive dependencies are not supported. Likewise, the button will be greyed out for the currently installed version.

Component Dependency Types

The components in the component display are labeled with the [D] and [T] prefixes to denote Direct and Transitive dependencies respectively. Transitive dependencies are the components brought into the application from the project's directly referenced dependencies.

Find Usage

Right-clicking a component from the components display shows the context menu. The option to 'Find Usage' will display the projects from which the component is requested. This is useful for multi-module projects to know which project was referencing this dependency.


Selected Component Details

The selected component from the component display includes a button to access more details regarding the violations associated with the component. The opened window includes; Policy Violations, License Analysis, and Security Issues. Known CVEs are listed as Problem Codes that are linked to violation details in the IQ Server.


Component Filter

The component filter is accessed to the left of the component display. This filter is used to sort the list of components to the component's dependency type or the severity of the component's highest violation.


Support for both Light and Dark Themes

The extension is compatible with either Light or Dark themes found in Visual Studio 2022. The Blue theme will render the same as the Light theme.


Release Notes




October 10, 2022


  • Removing the preview mode on the extension and making all features available

October 1, 2022


  • Support for basic username/password and PKI authentication methods

  • Scan project dependencies for the NPM project and NuGet solutions

  • Run vulnerability scanning on non-proprietary components for both NPM and NuGet ecosystems

  • Sort functionality for components by policy violation severity, name, and version

  • Filter functionality for transitive dependencies and policy violation severity

  • Showing recommendations for the next version with no policy violations

  • Showing all available versions for analyzed component

  • Capability to migrate to a newly selected version for a specific direct dependency

  • Components detail window where we show Policy Violations, License Analyses, and Security Issues

  • Displaying errors when not being able to connect with IQ or scan dependencies

  • Capability to pause vulnerability analysis and restart it afterward

  • All components matching themes with the editor

  • Added a threat indicator for enhanced visualization.

  • The component detail window now matches the selected version from version history.

  • Migration errors are now displayed in the output window.

  • Solution errors have been added to the info bar.

  • The version history table row now defaults to the installed version.

  • Implemented a default view for when no component is selected.

  • The version detail panel is now scrollable.

  • The component detail panel displays dates instead of long numbers.

  • "None" is now displayed instead of "Unknown" in filter options.

  • Fixed messaging when attempting to migrate a non-NuGet package.

  • Corrected the icon in the command option.

  • The "Find Usage" can identify which project is using a particular component.

  • Cleaning up data when a new project is loaded.

  • Fixing error messaging for different scenarios.

  • Correctly loading application data after opening the IDE.