SCA Vulnerabilities

- Block Pull-Requests: Toggle to enable automatic blocking of pull requests based on configured vulnerability rules
- Dependency Filtering: Select which dependencies to monitor by type (Direct, Transitive), environment (Production, Development, Test), and documentation
- Severity Controls: Choose which severity levels (Critical, High, Medium, Low) will trigger blocking
- Reachability Options: Filter vulnerabilities based on whether they’re directly accessible in your code
- Fixability Settings: Control blocking based on whether automated fixes are available for detected issues
- CVSS Score Thresholds: Set minimum score requirements for different CVSS versions (V2, V3, V4) and EPSS using sliding scales
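The rules above combine into a single decision per vulnerability: a pull request is blocked when at least one finding matches every enabled filter. The following added example (not DeepSource's own code; the field names, the `BlockingRules` defaults and the sample findings are assumptions constructed for illustration) evaluates such a rule set over a few findings and returns the ones that would block the PR.

```python
from dataclasses import dataclass, field

@dataclass
class Vulnerability:
    package: str
    severity: str        # "Critical" | "High" | "Medium" | "Low"
    dep_type: str        # "Direct" | "Transitive"
    environment: str     # "Production" | "Development" | "Test"
    reachable: bool      # directly accessible from the project's code
    fixable: bool        # an automated fix (upgrade) is available
    cvss_v3: float       # CVSS v3 base score, 0.0..10.0
    epss: float          # EPSS probability, 0.0..1.0

@dataclass
class BlockingRules:
    """Assumed shape of the 'Block Pull-Requests' configuration."""
    enabled: bool = True
    dep_types: set = field(default_factory=lambda: {"Direct", "Transitive"})
    environments: set = field(default_factory=lambda: {"Production"})
    severities: set = field(default_factory=lambda: {"Critical", "High"})
    reachable_only: bool = False   # block only reachable findings
    fixable_only: bool = False     # block only findings with an available fix
    min_cvss_v3: float = 0.0       # sliding-scale threshold
    min_epss: float = 0.0          # sliding-scale threshold

def matches(v: Vulnerability, r: BlockingRules) -> bool:
    """A finding blocks only if it passes every configured filter."""
    return (
        v.dep_type in r.dep_types
        and v.environment in r.environments
        and v.severity in r.severities
        and (v.reachable or not r.reachable_only)
        and (v.fixable or not r.fixable_only)
        and v.cvss_v3 >= r.min_cvss_v3
        and v.epss >= r.min_epss
    )

def blocking_findings(vulns, rules: BlockingRules):
    """Names of packages whose findings would block the PR."""
    if not rules.enabled:
        return []
    return [v.package for v in vulns if matches(v, rules)]

# Constructed sample findings (placeholder package names, not real advisories).
SAMPLE = [
    Vulnerability("lib-alpha", "High", "Direct", "Production", True, True, 7.5, 0.42),
    Vulnerability("lib-beta", "Critical", "Direct", "Test", True, True, 9.1, 0.60),
    Vulnerability("lib-gamma", "Medium", "Transitive", "Production", True, False, 5.3, 0.05),
    Vulnerability("lib-delta", "Critical", "Transitive", "Production", False, False, 9.8, 0.01),
]
```

Tightening the reachability or EPSS filter removes `lib-delta` from the blocking set, which is the trade-off these toggles control: fewer blocked PRs, at the cost of ignoring severe but currently unreachable or rarely exploited findings.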
Dynamic Risk

- Risk Weighting System: Adjust weights for factors used in calculating Dynamic Risk scores:
  - CVSS Weight: Prioritize based on vulnerability impact and severity
  - EPSS Weight: Prioritize based on exploitation likelihood
  - Reachability Weights: Assign importance to whether vulnerabilities are accessible from your code
- Weighting Strategy: Choose how EPSS percentiles are calculated:
  - Linear: Equal importance to all high percentiles
  - Quadratic: Greater emphasis on very high-risk vulnerabilities
  - Cubic: Almost exclusive focus on the most likely-to-be-exploited vulnerabilities
License Compliance

- License Safety Policy: Define which categories of licenses are acceptable for your team
- SPDX License List: DeepSource uses the SPDX License List as the canonical source for license identifiers
- License Category Rules: Set policies for different license categories:
  - Non-OSI-Approved Licenses: Mark licenses not approved by the Open Source Initiative as safe or unsafe
  - Non-FSF Free/Libre Licenses: Control usage of licenses not recognized by the Free Software Foundation
  - SPDX Deprecated Licenses: Manage the use of licenses that have been deprecated in the SPDX standard
- Custom License Lists: Create and manage custom rules for specific licenses
  - Custom Safe Licenses: Add specific SPDX identifiers that should always be deemed safe
  - Custom Unsafe Licenses: Add specific SPDX identifiers that should always be deemed unsafe