
Dependency Tree

Users with IQ Server version 132 and above can access the Dependency Tree page. This view displays the report's Direct and Transitive components as a dependency tree sorted by threat level.

Note

The Dependency Tree is only available for npm, Maven, Cargo, and applications with a CycloneDX SBOM that includes dependency information.


Dependency tree visualization for Cargo is now supported. To set it up correctly, ensure that both your Cargo.lock and Cargo.toml files are in the same directory. This feature requires Sonatype IQ CLI version 2.0 or higher.

Note

Older reports might not contain dependency information. Those applications need to be re-scanned (not re-evaluated).
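One way to check, before scanning, whether a CycloneDX JSON SBOM carries the dependency information mentioned in the note above. This is an added example, not Sonatype code: it reads the standard CycloneDX `dependencies`, `metadata.component` and `components` fields, and the function name, the sample SBOM and the "unplaced" label are assumptions. How IQ Server itself evaluates the SBOM is not described on this page.

```python
import json

# Constructed sample SBOM (CycloneDX JSON); component names are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "demo-app"}},
    "components": [{"bom-ref": r, "name": r.split("@")[0]}
                   for r in ("a@1.0", "b@2.0", "c@3.0", "d@4.0")],
    "dependencies": [
        {"ref": "app", "dependsOn": ["a@1.0"]},
        {"ref": "a@1.0", "dependsOn": ["b@2.0"]},
        {"ref": "b@2.0", "dependsOn": ["c@3.0"]},
        {"ref": "c@3.0", "dependsOn": ["a@1.0"]},  # cycle back to a
        # d@4.0 is listed as a component but never appears in the graph
    ],
})


def classify_dependencies(sbom_text):
    """Split SBOM components into direct, transitive and unplaced."""
    bom = json.loads(sbom_text)
    graph = {d["ref"]: d.get("dependsOn", [])
             for d in bom.get("dependencies", []) if "ref" in d}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    result = {"has_graph": any(graph.values()), "direct": [],
              "transitive": [], "unplaced": sorted(refs)}
    if not result["has_graph"] or root not in graph:
        return result  # no usable graph: nothing can be placed in a tree
    direct = set(graph[root])
    seen, stack = set(), list(direct)
    while stack:  # iterative walk; the seen set stops cycles
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(graph.get(ref, []))
    result["direct"] = sorted(direct & refs)
    result["transitive"] = sorted((seen - direct) & refs)
    result["unplaced"] = sorted(refs - seen)
    return result


if __name__ == "__main__":
    print(json.dumps(classify_dependencies(SAMPLE_SBOM), indent=2))
```

An SBOM for which `has_graph` is false, or which leaves many components unplaced, was most likely generated without dependency resolution and should be regenerated before scanning.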

Access the Dependency Tree

From the Application Composition Report, click the "View Dependency Tree" button above the Policy Violations Table.


Additional Dependency Tree features

Sorting

Note

Threat level indicators match the threat level colors in the Application Composition Report.

Within each nesting level of the Dependency Tree, dependencies are sorted by threat level in descending order.

Filtering

Note

The filter is case-insensitive.

You can filter the Dependency Tree using a search term. The tree is filtered and all matches are highlighted.

Component Details Page navigation

When you select a dependency, you are redirected to the Component Details Page for that dependency.