InnerSource components are internally developed components that are shared with other internal projects. InnerSource components are commonly built using open source. When consumed by other projects, InnerSource and its dependencies can produce many redundant policy violations in the consuming Application Composition Report. These policy violations are hard to remediate and cause a lot of wasted time. The goal of InnerSource Insight is to reduce the work needed to remediate and manage consumed InnerSource dependencies.
What is InnerSource Insight?
To explain, let's use a common scenario that causes InnerSource violations. In this case, the InnerSource common database framework was built with open-source components that have violations.
The scenario involves two projects, P and C:
- Both projects have an associated IQ application.
- Project P creates a common database framework that Project C uses, making project P a producer of an InnerSource component and project C a consumer of an InnerSource component.
- When viewing the Application Composition Report for project C, one can now see these violations are from project P, making it easy to determine who brought in the violations.
Below is an illustration of this scenario:
Example Application Composition Report Before and After
Before these changes, the InnerSource component is unknown and there is no indication of the InnerSource transitive dependencies.
After these changes, InnerSource is recognized and all the associated transitive dependencies are highlighted.
How to use InnerSource Insight
InnerSource Insight is currently only supported via the CLM Maven plugin. Both the producer and consumer need to use the CLM Maven plugin. To find out more, please refer to the CLM docs, Sonatype CLM for Maven.
Once the producer and the consumer are using the CLM Maven plugin, the consumer Application Composition Report will be able to identify InnerSource and associate the dependencies for the component.
Before the consumer can use InnerSource Insight
Before the consumer can use InnerSource Insight, the producers need to be evaluated by InnerSource Insight. To do this, please run the CLM Maven plugin for the producers. Once the producers have been evaluated by InnerSource Insight, InnerSource Insight will be able to identify and associate with the consumers.
CLM Maven in a CI Environment
The CLM Maven index goal is valid for InnerSource Insight in a CI environment such as Jenkins. For more information, please refer to Sonatype CLM for Maven.
Consumer Application Composition Report with InnerSource Insight:
The InnerSource Component is:
Its transitive dependencies are:
Also, the CIP provides a link to the producer report via View Latest Report:
Better Detection of Direct Dependencies
In some cases a dependency might be associated with both the consumer report and an InnerSource component (producer). In this case, the dependency might be either Direct or Transitive. IQ Server prioritizes the direct dependencies, so they are associated and shown under the consumer report.
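The grouping rule described above, as an added illustrative model (not Sonatype's code and not IQ Server's implementation): a component the consumer declares directly stays under the consumer, even when an InnerSource producer also brings it in. All coordinates, violation names and function names are constructed for the example, and listing a component under every producer that ships it is an assumption.

```python
from collections import defaultdict

CONSUMER = "consumer"  # label for components owned by the consuming project

def attribute_violations(direct_deps, producers, violations):
    """Group violating components by who brought them in.

    direct_deps: coordinates the consumer declares directly
    producers:   InnerSource coordinate -> dependencies seen in its own report
    violations:  coordinate -> list of policy violations
    """
    report = defaultdict(dict)
    for coord, found in sorted(violations.items()):
        # Direct dependencies take priority and stay with the consumer.
        if coord in direct_deps:
            report[CONSUMER][coord] = found
            continue
        # Otherwise attribute to each InnerSource producer that ships it
        # (assumption: listed under every such producer).
        owners = sorted(p for p, deps in producers.items() if coord in deps)
        # Transitive dependencies not coming from InnerSource remain with the consumer.
        for owner in owners or [CONSUMER]:
            report[owner][coord] = found
    return dict(report)

# Constructed sample data: project C consumes project P's database framework.
DIRECT = {"com.example:common-db:1.0", "org.sample:json-lib:2.1"}
PRODUCERS = {
    "com.example:common-db:1.0": {
        "org.sample:sql-pool:0.9",
        "org.sample:json-lib:2.1",  # also a direct dependency of C
    },
}
VIOLATIONS = {
    "org.sample:sql-pool:0.9": ["Security-High"],
    "org.sample:json-lib:2.1": ["License-Copyleft"],
    "org.sample:xml-util:3.0": ["Security-Medium"],  # transitive, not via P
}

def demo():
    return attribute_violations(DIRECT, PRODUCERS, VIOLATIONS)

if __name__ == "__main__":
    for owner, components in demo().items():
        print(owner)
        for coord, found in components.items():
            print("   ", coord, found)
```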