Component Details Page
The Component Details Page is where you can drill down on individual components that appear in your scanned applications, along with the policy violations associated with them.
At the top of the Component Details Page, underneath the name of the component, are a few important details, including the hierarchy location of the application that was scanned and a timestamp for when the report was generated.
Underneath, you'll see tags, which are color-coded identifiers that help you rapidly determine some important biographic and relational information about the component. The possible tags are listed below.
- Indicates the ecosystem the component is sourced from, if applicable.
- Indicates the component is a direct dependency.
- Indicates the component is a transitive dependency.
- Indicates the component is an innersource dependency.
- Indicates the component is an innersource direct dependency.
- Indicates the component is an innersource transitive dependency.
If the component has any Labels applied to it, they'll be included with the tags. You can identify labels by the icon at the start of the identifier, like in the example below.
Component Information Section
In the Component Information section, you'll see some basic information about the component. The table below outlines the details provided by the Component Information section.

| Detail | Description |
|---|---|
| Cataloged | The age of the component based on when it was first added into the source from which it was identified. |
| Match State | How the component was matched against IQ Server's database of known components (exact, similar, or unknown). |
| | The number of times the component was found in the application. Click the link to see the paths where the component was found. This information helps you detect accidental shipping of duplicate component archives or a misconfiguration of your report creation target. |
| | What the component identification is based on: |
| | What the component is used for, as categorized by Sonatype. Possible values include designations like "Data Protocols," "Logging," "Networking Utilities," etc. This is the same Category that can be used to set a policy's Constraint. |
Note that details on the left side of the section are contextual to the ecosystem from which the component was drawn. For example, a component from Maven will show "Group" and "Artifact" identifiers, but a component from npm will show the "packageId" identifier instead.
Risk Remediation Section
Recommended Remediation and Recommended Versions
The Recommended Remediation section outlines steps you can take to remediate policy violations. If the component is a transitive dependency of another component, that parent component is shown here. Click the automatically generated link to go to the Component Details Page for that component.
The Recommended Versions section shows non-violating versions of the same component. Click the "Compare" button to automatically select that version in the Version Explorer and populate the right-hand side of the Compare Versions table.
If another version of the component exists that would still cause a policy violation but which would not cause a build failure, that version will also be recommended. None of the violations caused by this recommended version would fail the build for a given stage.
The Version Explorer allows you to quickly view details about other versions of the component. The current component is indicated by the vertical gray bar. The popularity of each version is indicated by the green bars at the top: the more popular a version is, the larger its bar.
Color markers show expected policy violations. The colors here match the policy violation colors you see elsewhere in IQ Server. For expected policy violations, red markers indicate a very high risk level, while orange, yellow, and blue markers indicate progressively lower risk levels. No marker indicates no threat.
Breaking Changes also appear in the Version Explorer. Yellow, orange, and red markers indicate increasing numbers of breaking changes, while blue markers indicate no breaking changes. Note that Breaking Changes is currently only available for the Maven ecosystem.
The Compare Versions table is new with the Component Details Page. In the left-hand column are details about the component currently being used in your application. If you click another version of the component in the Version Explorer, or click "Compare" in the Recommended Versions section, information about that version of the component populates the right-hand column. This allows you to rapidly and thoroughly compare your original component with possible replacements.
The table below outlines the details provided in the Compare Versions table.

| Detail | Description |
|---|---|
| | The version number of the selected component. |
| Highest Policy Threat | The highest threat level policy that has been violated, as well as the total number of violations. The value may be NA if all threats have been waived. |
| Highest CVSS Score | The highest threat level security vulnerability and the total number of security vulnerabilities. The value may be NA if all threats have been waived. The value may be None if the component hasn't violated any security policies. |
| License Violation Threat | The highest threat level license policy violation and the total number of license policy violations. The value may be NA if all threats have been waived. The value may be None if the component hasn't violated any license policies. |
| | Licenses included in the Declared or Observed group, or the overridden license. See Component License Information to learn about the difference between Declared and Observed licenses. |
| Quality Violation Threat | The highest threat level quality policy violation and the total number of quality policy violations. The value may be NA if all threats have been waived. The value may be None if the component hasn't violated any quality policies. |
| Other Violation Threat | The highest threat level of other violations and the total number of other violations. The value may be None if the component hasn't violated any other policies. |
| | The quality (Laggard, Exemplar, None) of an open-source project. This is calculated based on the projects that exhibit the best and worst behaviors when producing quality open-source software. |
| | The level of suspicion (Suspicious, Normal) of this version as determined by our machine-learning intelligence. Versions that are marked Suspicious may be malicious. The value may be Not Applicable if no integrity data is applicable. |
| Cataloged | The age of the component based on when it was first added into the source from which it was identified. |
Dependency Tree section
The Dependency Tree section lets users analyze dependency relationships within a subtree of the Application Composition Report Dependency Tree. The subtree consists of all occurrences of the current component, its ancestors, and its descendants.
Clicking on a dependency takes the user to the Component Details Page for that component.
Policy Violations Tab
The Policy Violations tab shows all policy violations associated with the component. Clicking on the "Existing Waivers" button on the right will show a section that lists any active waivers associated with this component.
Violation Details Popover
Clicking on a violation in the Policy Violations tab brings up the Violation Details popover. Here, you can see more information about the violation, including when it was first and last reported, the stage of the build where the policy violation was found, and which part of the organization hierarchy owns the policy.
The Policy Constraint section shows exactly how IQ Server's knowledge about the component interacts with the policy in question. Each bullet point is a Condition, which you can think of as the "if" part of an if/then statement. A Constraint is simply a grouping of active Conditions. In the example you see above, the Constraint consists of just one Condition, and that Condition is the presence of a security vulnerability.
If the policy violation isn't security related – for example, if the policy is about licensing or architecture – then the Violation Details popover ends here.
But if the policy violation is security related, then at the bottom of the window the vulnerability is described in more detail. Details are pulled from applicable sources, like the National Vulnerability Database and Sonatype's own proprietary research, in order to describe why the component is vulnerable and how it could be exploited.
Importantly, the Manage Waivers button is how you'll request waivers for a component. If you're authorized, it's also where you'll add waivers.
Underneath the Manage Waivers button, you can see how many active waivers are associated with the component without needing to click.
The Security and Legal tabs are new in the Component Details Page. They are for Security and Legal team members who want a focused look at only the issues pertaining to their role. The Security and Legal tabs can be thought of as condensed, specialized offshoots of the Policy Violations tab.
In the Security tab, you can view a list of Security Violations. No other violations are displayed in this tab. Likewise, in the Legal tab, you can view the License Detections box, which shows the Effective and Declared Licenses of the component, and a list of Legal Policy Violations. No other violations are displayed in this tab. Just like in the Policy Violations tab, clicking a violation brings up the Violation Details window.
The Security and Legal tabs are also where you can edit and manage Statuses for the component. Learn more about Statuses at this link.
The Labels tab allows you to assign labels to the component and manage them. Learn more about labels in IQ Server here.
If a component found during a scan is given a match state of Unknown or Similar, you can use the Claim tab to manually add details about it.
Audit Log Tab
When a user makes changes to the Status of a security vulnerability or the Status of a component’s license within the scope of a particular application, that information is recorded in the Audit Log.
Typically, resolving policy violations by changing a component's Status is riskier than using Waivers, because status changes are more difficult to track. When possible, use Waivers to accept the risk of a policy violation.
Next Component/Previous Component
At the bottom of the Component Details Page and frozen to the bottom of your browser window are buttons to take you to the next or previous component listed in the Application Composition Report, just as if you had used your browser's Back button and manually selected the next or previous component in the list.
Moving through the list of components in this way duplicates the "Aggregate by component" filtering option. This means that components only appear on the list once, regardless of how many policy violations they're associated with.