Claiming a Component

Understanding

Sometimes you or a team member can positively identify a component that has a match state of Similar or Unknown. By claiming such a component, you give it the Exact match state and prevent it from being associated with the Component-Unknown policy (assuming you're using the reference policy set).

Claiming a component using the method below has a few limitations:

  • It can be performed for an unknown component from any ecosystem, but the coordinates it asks for match the Maven format, so this method is best used for Maven components.

  • Claiming a component this way will not pull security information into your reports, regardless of the coordinates you give it. However, it may pull in license information and therefore violate a license-based policy.

    • Additionally, if Lifecycle can't pull in license data, the newly claimed component will violate the License-None policy.

  • If you try to claim a component with coordinates that are already in use by a component in the application, you will receive an error message.

An alternative method of claiming components is to use the Component Claim REST API.

Claiming

Claiming a component requires a role with at least the "View IQ Elements" and "Claim Components" permissions.

To claim a component from an Application Composition Report:

  1. Find a component in the report with a match state of Similar or Unknown. If you're using the reference policy set, Unknown components will be flagged for a policy violation with a severity level of 2.

  2. Click the component. You'll see an information box at the top of the page, as in the example below.

    [Image: example of an unknown component with a button for claiming the component shown]

  3. Click Claim Component. This creates form fields, like in the example below. Group ID, Artifact ID, Version, and Extension are mandatory fields. Being as thorough as possible here will help reduce confusion in future scans.

    [Image: the Claim Component form fields]

  4. Click Claim at the bottom right to save your work.

The next time you scan or re-evaluate, the component will have a match state of Exact, and the Identification Source will be Manual.

Editing or Revoking a Claim

To edit or revoke a claim, click the component in question and then click the Claim tab at the top of the Component Details Page. Use the red Revoke button at the bottom right to revoke the claim entirely, or edit the fields and click Update at the bottom right to save your changes.