Vulnerabilities waived through API still showing on scan reports

We are using the Policy Waiver REST API through some internal tooling to automate applying waivers in Sonatype, and we are encountering scenarios where a policy violation on a component has a waiver applied but the component is still being shown in subsequent scan reports as still being vulnerable.

When inspecting the component through the Sonatype Web UI and checking for applied waivers against those violations, it does show the waivers that were created - yet the component is not marked as having any waivers in the report (e.g. no waiver tick, not filterable).

I was wondering if anyone has experienced this and knows what the issue might be, and if there’s anything we could do to fix this. We are currently unable to rely on the Sonatype scan reports as an accurate representation of all open/unmitigated vulnerabilities because of this.

Hi @chris.rzepa,

Just wanted to note that you can also report your question or issue at https://support.sonatype.com to receive licensed customer support, as it seems like you are a licensed customer. This is one of the services your license pays for.