
Vulnerable Component Ratio is wrong? #1066

@douglasjunior

Description

Describe the bug
The documentation for the "Vulnerable Component Ratio" metric is inconsistent with the actual formula it uses, leading to misinterpretation of security metrics.

To Reproduce
The issue can be observed in any project that uses the dependency-check-sonar-plugin:

  1. Run a dependency check scan
  2. View the "Vulnerable Component Ratio" metric in SonarQube
  3. Compare the results with the documentation description

Current behavior
The documentation states:

### Vulnerable Component Ratio

(vulnerabilities / vulnerableComponents)

This is simply a measurement of the number of vulnerabilities to the vulnerable components (as a percentage). A higher percentage indicates that a large number of components contain vulnerabilities. Lower percentages are better.

However, this description is misleading. The formula (vulnerabilities / vulnerableComponents) actually calculates the average number of vulnerabilities per vulnerable component, not the percentage of components that are vulnerable.

Expected behavior
The documentation should be updated to accurately describe what the formula calculates:

### Vulnerable Component Ratio

(vulnerabilities / vulnerableComponents)

This metric represents the average number of vulnerabilities per vulnerable component. A higher ratio indicates that each vulnerable component has, on average, more vulnerabilities. Lower ratios are better.

Alternatively, if the intent is to measure the percentage of components that are vulnerable (as the current description suggests), the formula should be modified to: (vulnerableComponents / totalComponents)

Screenshots
N/A

Versions (please complete the following information):

  • dependency-check: (all versions)
  • sonarqube: (all versions)
  • dependency-check-sonar-plugin: (all versions with this metric)

Additional context
To illustrate the issue with concrete examples:

Example 1:

  • 10 vulnerabilities in 5 vulnerable components
  • Current ratio = 10/5 = 2 (200%)
  • This doesn't mean 200% of components are vulnerable; it means each vulnerable component has an average of 2 vulnerabilities

Example 2:

  • 10 vulnerabilities in 10 vulnerable components
  • Current ratio = 10/10 = 1 (100%)
  • This doesn't indicate fewer vulnerable components than Example 1; in fact, there are more

The current description could lead to incorrect security assessments and prioritization of remediation efforts.
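To make the two readings of the metric concrete, here is an added example (written for this page, not code from dependency-check-sonar-plugin or Dependency-Check) that builds a small Dependency-Check style JSON report and computes both `vulnerabilities / vulnerableComponents` and `vulnerableComponents / totalComponents` from it. The report layout (a top-level `dependencies` list, each entry with a `vulnerabilities` list) follows the Dependency-Check JSON report, but every report here is constructed, the vulnerability names are placeholders rather than real CVE identifiers, and `totalComponents` is assumed to be the number of entries in `dependencies`; how the plugin itself derives that count is not shown on this page.

```python
"""Added example: the numbers behind "Vulnerable Component Ratio".

Example code for this discussion, not code from dependency-check-sonar-plugin
or Dependency-Check. Reports are constructed; vulnerability names are
placeholders, not CVE identifiers; totalComponents is assumed to be
len(dependencies).
"""
import json


def build_report(vulns_per_dependency):
    """Construct a Dependency-Check style report as a JSON string.

    vulns_per_dependency[i] is the number of findings on dependency i;
    0 means that dependency is clean.
    """
    deps = []
    for i, n in enumerate(vulns_per_dependency):
        deps.append({
            "fileName": f"lib-{i}.jar",           # constructed name
            "vulnerabilities": [
                {"name": f"PLACEHOLDER-{i}-{j}"}  # constructed, not a CVE
                for j in range(n)
            ],
        })
    return json.dumps({"dependencies": deps})


def count_metrics(report_json):
    """Return the three raw counts the metric descriptions are built from."""
    report = json.loads(report_json)
    deps = report.get("dependencies", [])
    vulnerable = [d for d in deps if d.get("vulnerabilities")]
    return {
        "totalComponents": len(deps),            # assumption: all entries count
        "vulnerableComponents": len(vulnerable),
        "vulnerabilities": sum(len(d["vulnerabilities"]) for d in vulnerable),
    }


def vulnerabilities_per_vulnerable_component(m):
    """vulnerabilities / vulnerableComponents: what the documented formula
    actually computes (an average, not a share). 0.0 when nothing is
    vulnerable, to avoid dividing by zero on a clean scan."""
    if m["vulnerableComponents"] == 0:
        return 0.0
    return m["vulnerabilities"] / m["vulnerableComponents"]


def vulnerable_component_percentage(m):
    """100 * vulnerableComponents / totalComponents: the share of components
    that are vulnerable, which is what the documentation text describes."""
    if m["totalComponents"] == 0:
        return 0.0
    return 100.0 * m["vulnerableComponents"] / m["totalComponents"]


if __name__ == "__main__":
    # Example 1 from the issue: 10 vulnerabilities over 5 of 10 components.
    # Example 2 from the issue: 10 vulnerabilities, one on each of 10 components.
    for label, counts in (("Example 1", [2, 2, 2, 2, 2, 0, 0, 0, 0, 0]),
                          ("Example 2", [1] * 10)):
        m = count_metrics(build_report(counts))
        print(label, m,
              "avg per vulnerable component:",
              vulnerabilities_per_vulnerable_component(m),
              "percent of components vulnerable:",
              vulnerable_component_percentage(m))
```

Run as a script it prints both readings for the two examples from the issue: Example 1 gives an average of 2.0 findings per vulnerable component but only 50% of components vulnerable, while Example 2 gives an average of 1.0 and 100% of components vulnerable. The two readings rank the examples in opposite order, which is the misinterpretation the report describes.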

Labels

bug, lifecycle/stale (denotes an issue or PR that has remained open with no activity and has become stale)