Portfolio Security Vulnerabilities Activity - Rating Mismatch

Portfolio Security Vulnerabilities Activity Custom Graph shows a Security Rating of A even though there is one critical vulnerability. An A Rating is supposed to be for 0 vulnerabilities. This is for Overall code.


Welcome to the community and thanks for this report!

What’s your SonarQube version?


Hi Ann,
It’s version 9.8 Enterprise Edition.


Could you upgrade to 9.9 - the latest version and current LTS - and see if this is replicable, please?



I believe that at Portfolio level there is no problem in what you are describing. The Portfolio Ratings use averages and don’t take the worst rating of underlying projects. The idea of Portfolios is to share the big picture. In your case, you are globally good, this is why you have a A Rating. Still, you are at risk on one project that is highlighted in the Risk section.

If we were applying the same logic than at Project level, there is a great chance that your Portfolios will always be red with E Rating.


1 Like

Thank you Alex. That seems to be what it is. I grouped the same projects into an Application and I see the Rating go down.