Repository Component Details Page
Click on an individual component on the Repository Results page (or in the Sonatype Repository Firewall dashboard) to view the Component Details Page. The top section of the component details page contains links to access:
Policy Violations: View all policies violated by the selected component, and view existing or apply new waivers for the component.
Security: View all security policies violated by the selected component, view the component vulnerabilities, and view existing or apply waivers for the component.
Legal: View the effective, declared, and observed licenses for the component, view legal policy violations, review the legal obligations, and view existing or apply new waivers for the component.
Labels: Assign and manage labels for the selected component.
The Component Information section contains the match state, identification source, and other component data. Click the View Coordinates button to see the exact component coordinates.
Clicking the Re-evaluate Component button evaluates policies against this component again. When a quarantined component is re-evaluated and the new evaluation produces no policy violations, the component is released from quarantine.
The Risk Remediation section contains the version of the component that is recommended for safe use by our research team.
The Compare Versions table contains a comparative analysis of the current and selected component versions, to help you decide on the remediation action.
Compare Versions table:

| Component Profile | What it means |
|---|---|
| Version | The version number of the component. |
| Highest Policy Threat | The highest threat level of any policy that has been violated, together with the total number of violations. The value may be NA if all threats have been waived. |
| Security Violation Threat | The security violation threat level. |
| Highest CVSS Score | The highest threat level security vulnerability and the total number of security vulnerabilities. The value may be NA if all threats have been waived. |
| License Violation Threat | The license violation threat level. |
| Effective License | Any licenses included in the Declared or Observed group, or the overridden license. |
| Quality Violation Threat | The quality violation threat level. |
| Other Violation Threat | The threat level of any other violation. |
| Integrity Rating | The level of suspiciousness (Suspicious, Normal) of this version as determined by our machine-learning intelligence. Versions marked Suspicious may be malicious. The value may be Not Applicable if no integrity data is available. |
| Cataloged | The age of the component, based on when it was first added to the source from which it was identified. |
| First Evaluation | Date when the component was first evaluated. |
| Latest Evaluation | Latest evaluation date for the component. |
| Quarantined | Date when the component was quarantined. |
| Released from Quarantine | Date when the component was released from quarantine. |
Waiving Repository Policy Violations
Policy violations for components found in your repositories can be waived, with several options for the scope and target of the waiver. To waive violations, verify that your assigned role has the Waive Policy Violation permission.
View/Remove Existing Waivers
Click the Policy Violations tab (or the Security or Legal tab) for the repository component.
To review all existing waivers that apply to this component, click the View Existing Waivers button.
Review the waivers, delete any component waiver that is no longer needed, and close the page.
Add a new Component Waiver
On the Policy Violations (or Security or Legal) tab, scroll to the row that displays the violation. Click the caret-right icon to open the Violation Details page.
Click the Manage Waivers button.
To create a new waiver, click the Add Waiver button. Refer to Adding a Waiver for more information.
The available options for the Scope of a component waiver are Repository, All Repositories, or the Root Organization.
Click Waive to complete the waiver creation.
Note
Waivers are applied the next time policies are evaluated for the affected components.