Proprietary Component Configuration

Proprietary components are unique or internal to your organization. When you evaluate an application that uses proprietary components, IQ Server is unlikely to find data about those components; they are probably listed under “Unknown” on the Policy Violations table in the Application Composition Report. However, you can configure IQ Server to recognize those components as proprietary.

When you configure proprietary components, you use system hierarchy levels to set the scope for identifying the components:

  • Root Organization - Identifies proprietary components in every organization and application.
  • Organization - Identifies proprietary components in a particular set of applications.
  • Application - Identifies proprietary components in a single application.

You also specify a string search pattern called a proprietary component matcher that IQ Server uses to find proprietary components. Components matching a proprietary matcher can be observed in the Application Composition Report by using the Proprietary filter in the sidebar. There are two types of proprietary component matchers: Package and Regular Expression, which are described below.

Note: Changes to proprietary component configuration will not be reflected during report re-evalatuions. Re-scanning will be needed to for them to take effect.

Package Matchers

For Package, you specify a package name, for example, com.sonatype. In this case, all components that contain a package com/sonatype will be marked as proprietary. You should be as specific as possible, for the provided package is compared greedily against your scanned binaries. For instance, com.sonatype will match all of the following content locations:

  • com/sonatype
  • com/sonatype/anything
  • com/sonatype/anything/more
  • shaded/and/relocated/com/sonatype
  • shaded/and/relocated/com/sonatype/anything

On the other hand, the following locations will not be matched:

  • org/sonatype
  • com/sonatypestuff
  • com/sonatypestuff/anything

Regular Expression Matchers

For Regular Expression, you specify a regular expression that will be compared against the paths of all files scanned. If a file is found in the path, it is flagged as proprietary. For example, test\.zip will recognize anything in the top level directory named as proprietary. If you wanted to find nested anywhere in the scanned binaries, use .*/test\.zip.

Occurrences inside an identified archive will make the binary proprietary as well. For example, if a proprietary .zip is found inside a .jar, the .jar is also considered proprietary.

For more information on regular expressions, see Oracle’s Java documentation.

To configure proprietary components:

  1. Click the Organizations & Policies icon  on the IQ Server toolbar.
  2. In the sidebar, select the desired organization or application.
  3. In the Policies section, under Proprietary Component Configuration, click the chevron next to the number of matchers (local and/or inherited).
  4. In the Proprietary Component Configuration view, add or remove matchers as desired. To add, select a Package or Regular Expression matcher type and enter a string search value. To remove, click the Delete icon (looks like a trash can) for items in the Local section.
  5. Click Update to modify IQ Server’s list of proprietary component matchers for the selected organization or application.

Usage Suggestions for Proprietary Components

Once proprietary components are configured, you can use a policy to prevent them from triggering policy violations. There is an example of this in the Reference Policy Set; the Component-Unknown policy has the following constraint:

The policy is in violation if all of the following are true:

  • Match State is Unknown
  • Proprietary is false

This constraint excludes proprietary components from triggering policy violations.

Regular expression matchers with manifest coordinates matching

Since version 58, IQ server includes various manifest file scanning and coordinate based matching support. If a proprietary component regular expression is configured and a component in a manifest file matches the configured pattern, the component will be excluded from identification automatically. Any proprietary component that does not match any of the configured patterns above will be included for matching. Prior to version 95 any such component will be marked as unknown in the resultant report. Since IQ version 95 all such components will be marked as Package Manifest identified.