Component Details Page

Lifecycle Developer Features

The Advanced Development Pack (ADP) capabilities have been integrated into the general Lifecycle product. These changes are accessible with IQ Server version 100 and above. For customers with IQ server versions between 100 and 134, your admin may need to re-upload your organization’s existing Lifecycle license or restart the IQ Server to see these additional capabilities.


Overview

Users with IQ Server version 128 and above who click on a component in the Application Composition Report will be brought to the Component Details Page for that component. The Component Details Page is where you can drill down on individual components that appear in your scanned applications, along with the policy violations associated with them.

Version Info

Users with an IQ Server version below 128 will see the old Component Information Panel. Learn more about the CIP and all its features by clicking the link.

Watch a video that outlines the essential changes in the Component Details Page here.

Quick Start: What's Moved

None of the information or functionality of the old Component Information Panel is lost or retired in the new Component Details Page. Here's a quick summary of what's moved and where you can find it.

Component information: Component information is at the top of the Overview tab. Scroll down to the new Compare Versions table to see more details.
Recommended Versions: Go to the Overview tab and scroll down.
Version Explorer: Go to the Overview tab and scroll down.
Waivers: Go to the Policy Violations tab and click "View Existing Waivers" to see a list of existing waivers for that component. While there, click a policy violation and click "Manage Waivers" to see buttons to Request Waiver and Add Waiver.
Labels: Labels have their own tab. Click the tab to manage labels.
Explanations of Security Vulnerabilities: Go to the Policy Violations tab, find a security policy violation, and click it. You can also go to the Security tab, where only security policy violations are shown.


Tags

At the top of the Component Details Page, underneath the name of the component, are a few important details, including the hierarchy location of the application that was scanned and a timestamp for when the report was generated.

Underneath, you'll see tags, which are color-coded identifiers that can help you rapidly determine some important biographic and relational information about the component. A list of possible tags is below.

Ecosystem tags: Indicate the ecosystem the component is sourced from, if applicable.
Direct: Indicates the component is a direct dependency.
Transitive: Indicates the component is a transitive dependency.
Innersource: Indicates the component is an innersource dependency.
Innersource Direct: Indicates the component is an innersource direct dependency.
Innersource Transitive: Indicates the component is an innersource transitive dependency.

Learn more about Innersource Insights at this link.

If the component has any Labels applied to it, they'll be included with the tags. You can identify labels by the icon at the start of the identifier, like in the example below.

Changes

Our color-coding is changing to a color palette that's easy to identify at a glance and better on most monitors. You'll see these new colors rollout to other parts of IQ Server soon.

Overview Tab

Component Information Tile

In the Component Information tile, you'll see some basic information about the component. The table below outlines the details provided by the Component Information tile.

Cataloged: The age of the component based on when it was first added into the source from which it was identified.
Match State: How the component was matched in comparison with IQ Server's database of extant components (exact, similar, or unknown).
Occurrences: The number of times the component was found in the application. Click the link to see the paths where the component was found. This information is provided to help you detect accidental shipping of duplicate component archives or a misconfiguration of your actual report creation target.
Identification Source: Whether a component was identified by Sonatype or manually claimed by you or a teammate during the review process.
Category: The component category, as identified by Sonatype.

Note that details on the left side of the tile are contextual to the ecosystem from which the component was drawn. For example, a component from Maven will show "Group" and "Artifact" identifiers, but a component from npm will show the "packageId" identifier instead.

Risk Remediation Tile

Recommended Remediation and Recommended Versions

The Recommended Remediation section outlines steps you can take to remediate policy violations. If the component is a transitive dependency of another component, you can see that component here. Click the automatically generated link to go to the Component Details Page for that component.

The Recommended Versions section shows non-violating versions of the same component. Click the "Compare" button to automatically select that version in the Version Explorer and populate the right-hand side of the Compare Versions table.

If another version of the component exists that would still cause a policy violation but which would not cause a build failure, that version will also be recommended. None of the violations caused by this recommended version would fail the build for a given stage.

Version Explorer

The Version Explorer allows you to quickly view details about other versions of the component. The current component is indicated by the vertical gray bar. The popularity of the component is indicated by the green bars at the top. The more popular a component is, the larger the bar.

Color markers show expected policy violations. The colors here match the policy violation colors you see elsewhere in IQ Server. For expected policy violations, red markers indicate a very high risk level, while orange, yellow, and blue markers indicate lower risk levels. No marker indicates no threat.

Breaking Changes, a new feature in Nexus Lifecycle, also appears in the Version Explorer. This feature helps you understand if incompatible code is introduced in the upgrade path of a component, and this view in the Version Explorer shows the likelihood that the version will contain such breaking changes. The color markers are also used here: Yellow, orange, and red markers introduce increasing numbers of breaking changes, while blue markers will not introduce breaking changes.

Compare Versions

The Compare Versions table is new with the Component Details Page. In the left-hand column are details about the component currently being used in your application. If you click another version of the component in the Version Explorer, or click "Compare" in the Recommended Versions section, information about that version of the component will populate in the right-hand column. This allows you to rapidly and thoroughly compare your original component with possible replacements.

The table below outlines the details provided in the Compare Versions table.

Version: The version number of the selected component.
Highest Policy Threat: The highest threat level policy that has been violated, as well as the total number of violations. The value may be NA if all threats have been waived.
Highest CVSS Score: The highest threat level security vulnerability and the total number of security vulnerabilities. The value may be NA if all threats have been waived. The value may be None if the component hasn't violated any security policies.
License Violation Threat: The highest threat level license policy violation and the total number of license policy violations. The value may be NA if all threats have been waived. The value may be None if the component hasn't violated any license policies.
Effective License: Licenses included in the Declared or Observed Group, or the overridden license. See Component License Information to learn about the difference between Declared and Observed licenses.
Quality Violation Threat: The highest threat level quality policy violation and the total number of quality policy violations. The value may be NA if all threats have been waived. The value may be None if the component hasn't violated any quality policies.
Other Violation Threat: The highest threat level other violation and the total number of other violations. The value may be None if the component hasn't violated any other policies.
Hygiene Rating: The quality (Laggard, Exemplar, None) of an open-source project. This is calculated based on the projects that exhibit the best and worst behaviors in producing quality open-source software.
Integrity Rating: The level of suspicion (Suspicious, Normal) of this version as determined by our machine-learning intelligence. Versions that are marked suspicious may be malicious. The value may be Not Applicable if no integrity data is applicable.
Catalogued: The age of the component based on when it was first added into the source from which it was identified.
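The NA/None distinction in the Compare Versions table is easy to misread when you consume report data outside the UI: None means no violation of that category was ever raised, while NA means violations exist but every one of them is waived (the risk was accepted, not absent). The following is an added example, not IQ Server code or its API; it builds the per-category summary rows the table describes from a constructed list of violations, using assumed field names, and also applies the red/orange/yellow/blue ordering the Version Explorer uses for threat markers (the numeric band thresholds are this example's assumption).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Summary = Tuple[Union[int, float, str], int]


@dataclass
class Violation:
    """Constructed record; field names are assumptions, not IQ Server's schema."""
    category: str            # "security", "license", "quality" or "other"
    threat_level: int        # policy threat level, 0-10
    waived: bool = False     # an active waiver covers this violation
    cvss: Optional[float] = None  # only meaningful for security violations


def summarize(violations: List[Violation], category: Optional[str] = None) -> Summary:
    """Mirror a 'Violation Threat' row: (highest unwaived threat, total count).

    "None" when no violation of the category exists at all;
    "NA" when violations exist but all of them are waived.
    The count is assumed to include waived violations (the table says "total").
    """
    relevant = [v for v in violations if category is None or v.category == category]
    if not relevant:
        return ("None", 0)
    active = [v for v in relevant if not v.waived]
    if not active:
        return ("NA", len(relevant))
    return (max(v.threat_level for v in active), len(relevant))


def highest_cvss(violations: List[Violation]) -> Summary:
    """Mirror the 'Highest CVSS Score' row with the same NA/None rules."""
    security = [v for v in violations if v.category == "security"]
    if not security:
        return ("None", 0)
    active = [v for v in security if not v.waived and v.cvss is not None]
    if not active:
        return ("NA", len(security))
    return (max(v.cvss for v in active), len(security))


def threat_color(level: int) -> str:
    """Map a threat level to the marker colors the Version Explorer uses.

    Ordering (red highest, then orange, yellow, blue, no marker) follows the
    page; the band edges 8/4/2/1 are an assumption made for this example.
    """
    if level >= 8:
        return "red"
    if level >= 4:
        return "orange"
    if level >= 2:
        return "yellow"
    if level >= 1:
        return "blue"
    return "none"


def compare_versions(left_version: str, left: List[Violation],
                     right_version: str, right: List[Violation]) -> dict:
    """Build the two-column table: row name -> (current value, candidate value)."""
    rows = {"Version": (left_version, right_version),
            "Highest Policy Threat": (summarize(left), summarize(right)),
            "Highest CVSS Score": (highest_cvss(left), highest_cvss(right))}
    for label, cat in [("License Violation Threat", "license"),
                       ("Quality Violation Threat", "quality"),
                       ("Other Violation Threat", "other")]:
        rows[label] = (summarize(left, cat), summarize(right, cat))
    return rows


# Constructed sample data: the version in use and a recommended replacement.
SAMPLE_CURRENT = [
    Violation("security", 9, cvss=9.8),
    Violation("security", 5, waived=True, cvss=5.3),
    Violation("license", 7),
    Violation("license", 3, waived=True),
]
SAMPLE_CANDIDATE = [
    Violation("license", 3, waived=True),  # only a waived license finding -> NA
    Violation("quality", 2),
]

if __name__ == "__main__":
    for row, (cur, cand) in compare_versions("1.2.3", SAMPLE_CURRENT,
                                             "1.4.0", SAMPLE_CANDIDATE).items():
        print(f"{row:24} {str(cur):14} {cand}")
```

In the sample, the candidate's License Violation Threat reads NA rather than None: a waiver is in place, so a reviewer comparing versions should still know the license finding exists.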

Dependency Tree Tile

NEW IN RELEASE 132

The Dependency Tree Tile lets users analyze dependency relationships within a subtree of the Application Composition Report Dependency Tree. The subtree is comprised of all occurrences of the current component, its ancestors, and its descendants. Clicking on a dependency takes the user to the Component Details Page for that component.

The Dependency Tree Tile is only available for Maven and npm ecosystems.


Note that older reports might not have the dependency info and need to be re-scanned (not re-evaluated).

Policy Violations Tab

The Policy Violations tab shows all policy violations associated with the component. Clicking on the "Existing Waivers" button on the right will show a tile that lists any active waivers associated with this component.

Violation Details Popover

Clicking on a violation in the Policy Violations tab brings up the Violation Details popover. Here, you can see more information about the violation, including when it was first and last reported, the stage of the build where the policy violation was found, and which part of the organization hierarchy owns the policy.

Reminder

Remember, the organizational hierarchy has "Root Organization" at the top, "Organization" below that, and "Application" at the bottom. If the Policy Owner is the "Root Organization", then the policy is being applied to all Organizations and Applications. Likewise, if the Policy Owner is "Application", then the policy is being applied only to the current application.

The Policy Constraint section shows exactly how IQ Server's knowledge about the component is interacting with the policy in question. The bullet point is a Condition, which you can think of as the "if" part of an if/then statement. In the same way, a Constraint is just a grouping of active Conditions. In the example you see above, the Constraint consists of just one condition, and that condition is the presence of a security vulnerability.

If the policy violation isn't security related – for example, if the policy is about licensing or architecture – then the Violation Details popover ends here.

But if the policy violation is security related, then at the bottom of the window, the vulnerability is described in more detail. Details are pulled from applicable sources, like the National Vulnerability Database and Sonatype's own proprietary research, in order to describe why the component is vulnerable and how it could be exploited. 

Managing Waivers

Importantly, the Manage Waivers button is how you'll request waivers for a component. If you're authorized, it's also where you'll add waivers.

Underneath the Manage Waivers button, you can see how many active waivers are associated with the component without needing to click.

Security/Legal Tab 

The Security and Legal tabs are new in the Component Details Page. They are for Security and Legal team members who want a focused look at only the issues pertaining to their role. The Security and Legal tabs can be thought of as condensed, specialized offshoots of the Policy Violations tab.

In the Security tab, you can view a list of Security Violations. No other violations are displayed in this tab. Likewise, in the Legal tab, you can view the License Detections box, which shows the Effective and Declared Licenses of the component, and a list of Legal Policy Violations. No other violations are displayed in this tab. Just like in the Policy Violations tab, clicking a violation brings up the Violation Details window.

The Security and Legal tabs are also where you can edit and manage Statuses for the component. Learn more about Statuses at this link.

Labels Tab

The Labels tab allows you to assign and manage labels to the component. Learn more about labels in IQ Server here.

Claim Tab


Reminder

You'll only see the Claim tab if IQ Server doesn't recognize the component. If you don't see the Claim tab when you first open the Component Details Page, then IQ Server recognizes the component and you don't need to claim it!

IQ Server labels components as "Component-Unknown" if it can't match the component to its database of extant components, or if it can only find similar but not identical components. We recognize that, in many cases, you'll know what these components are. This tab is provided so that you can manually identify these components by specifying their component identifier. The image below is an example of the Claim tab. Note that the Group ID, Extension, Artifact ID, and Version fields are mandatory.

If you need to edit a claim or revoke it entirely, revisit the Claim tab and click the "Revoke" or "Update" buttons.

Learn more about claiming components here.

Audit Log Tab

When a user makes changes to the Status of a security vulnerability or the Status of a component’s license within the scope of a particular application, that information is recorded in the Audit Log.

Typically, resolving policy violations by changing a component's Status is riskier than using Waivers, because status changes are more difficult to track. When possible, use Waivers to accept the risk of a policy violation. 

Learn more about Statuses at this link.

Next Component/Previous Component

At the bottom of the Component Details Page and frozen to the bottom of your browser window are buttons to take you to the next or previous component listed in the Application Composition Report, just as if you had used your browser's Back button and manually selected the next or previous component in the list.

Moving through the list of components in this way duplicates the "Aggregate by component" filtering option. This means that components only appear on the list once, regardless of how many policy violations they're associated with.