InnerSource Insight


InnerSource components are internally developed components that are shared with other internal projects.  InnerSource components are commonly built using open source.  When consumed by other projects, InnerSource and its dependencies can produce many redundant policy violations in the consuming Application Composition Report.  These policy violations are hard to remediate and cause a lot of wasted time.  The goal of InnerSource Insight is to reduce the work needed to remediate and manage consumed InnerSource dependencies.

Learn More

To learn more about InnerSource Insight, check out this guide.

Version Info

IQ Sever versions between 103 and 122 showed InnerSource components in a slightly different way. If you're using these versions, update today.

What is InnerSource?

To explain, let's use a common scenario that causes InnerSource violation. In this case, the InnerSource common database framework was built with open-source components that have violations.

The scenario is two projects: P and C:

  • Both projects have an associated IQ application. 
  • Project P creates a common database framework that Project C uses, making project P a producer of an InnerSource component and project C a consumer of an InnerSource component.
  • When viewing the Application Composition Report for project C, one can now see these violations are from project P, making it easy to determine who brought in the violations.

Below is an illustration of this scenario:

Supported ecosystems

  • maven
  • npm  

Requirements for InnerSource Insight

Before the consumer can use InnerSource Insight, the producers need to be evaluated by InnerSource Insight. To do this, please run the evaluation for the producers. Once the producers have been evaluated by InnerSource Insight, InnerSource Insight will be able to identify and associate with the consumers

How to use InnerSource Insight for Maven

InnerSource Insight for maven requires the producer and the consumer use the CLM Maven plugin or the Gradle plugin (v2.0.4 or higher). When both are using a supported plugin or format, the consumer's Application Composition Report will identify InnerSource components and their associated dependencies. Check out the Sonatype CLM for Maven documentation and the Gradle Plugin to learn more.

CLM Maven in a CI Environment

CLM Maven goal index is valid for InnerSource Insight in a CI environment such as Jenkins. For more information please refer to Sonatype CLM for Maven.

How to use InnerSource Insight for NPM

InnerSource Insight for npm adopts ecosystem manifest files to identify InnerSource and other dependency types. Check out the npm Application Analysis documentation to learn more about supported npm manifests. InnerSource Insight for npm works with following IQ scanners and plugins.

  • CLI (v 122+)
  • Jenkins plugin (Coming Soon)
  • Bamboo plugin (Coming Soon)

Example Application Composition Report Before and After

Before these changes, InnerSource components weren't identified, and their transitive properties were also not identified. After these changes, InnerSource is recognized and all the associated direct and transitive dependencies are indicated.

Additionally, for each InnerSource dependency, we now show a count of its transitive policy violations i.e. the number of policy violations from all transitive dependencies with this InnerSource dependency as a root ancestor.

If you hover over the InnerSource icon of a transitive dependency, then it will show you a tooltip listing its InnerSource root ancestors.

The Component Details Page also provides a link to the producer.

For transitive dependencies, the Component Details Page will add a tag next to any InnerSource root ancestors.

Additionally, for InnerSource only transitive dependencies i.e. transitive dependencies with only InnerSource root ancestors, the CIP will also show an InnerSource tag next to their transitive dependency tag in the CIP header.


A dependency can be associated with both the consumer and an InnerSource component (producer). In this case, the dependency will be shown in the consumer report as Direct dependency, even though it is both Direct and Transitive.