Not everyone will have access to the IQ Server or any of the integrated enforcement points, and in turn to the associated reports. Certain individuals or teams would still benefit from the information the Application Composition Report provides. Even if that is not your situation, you may reach a point where you need an archive of an Application Composition Report for historical and audit purposes. To meet this need, a PDF can be generated for every report you produce.
Though the information presented in the web application and in the PDF is broadly the same, there are differences. Below, we discuss how to create the PDF version and highlight some of the variations between the two.
Creating the PDF
With the Application Composition Report open, find the Options drop-down in the top right. The first entry in this drop-down is titled Generate PDF. Click that entry and your browser will prompt you to download a PDF version of the report.
The report filename will be unique each time you use the button. However, in general the report filename will use the following pattern:
Reviewing the PDF
The information provided by the PDF is organized into a summary section followed by a series of tables.
The Summary is the first section of the PDF. It is broken into three sections:
Scope of Analysis
This section shows counts, giving you an idea of the volume of components that were found during the scan. It also gives a breakdown of those that were identified, including a specific percentage that is represented by open source components. In addition to these numbers, you will also see:
- A distinct count of identified components. Note that this is presented differently from the web report: the web report shows the total number of components along with the percentage that were identified, whereas the PDF shows the number of identified components along with the percentage of the total they represent.
- The number of grandfathered violations
- A count of components with policy violations, displayed by threat level. Only the most severe violation for each component is counted.
- The total number of security alerts found, and the number of affected components.
- The total number of license alerts. Each license alert corresponds to a single component.
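The counting rules in the list above are easy to misread, in particular the rule that a component contributes only its single most severe policy violation to the per-threat-level counts. The following Python script is an added example, not code from the Sonatype documentation or the IQ Server product: it reproduces the Scope of Analysis counts from a constructed list of scanned components and contrasts the per-component count with a naive count of every violation. The threat-level band boundaries (critical 8-10, severe 4-7, moderate 2-3, low 1) and the field names in the sample data are assumptions for illustration; check the bands your own IQ Server policies use.

```python
from collections import Counter

# Constructed sample scan, not real IQ Server output. "violations" holds the
# threat level (0-10) of each policy violation raised against the component.
COMPONENTS = [
    {"name": "lib-a", "identified": True,  "violations": [9, 4], "security_issues": 2, "license_alert": False},
    {"name": "lib-b", "identified": True,  "violations": [4, 3], "security_issues": 1, "license_alert": True},
    {"name": "lib-c", "identified": True,  "violations": [],     "security_issues": 0, "license_alert": False},
    {"name": "lib-d", "identified": False, "violations": [2],    "security_issues": 0, "license_alert": False},
    {"name": "lib-e", "identified": True,  "violations": [9],    "security_issues": 3, "license_alert": True},
]

# Assumed band boundaries (lower bound of each band); not taken from the page.
BANDS = (("critical", 8), ("severe", 4), ("moderate", 2), ("low", 1))


def band(threat_level):
    """Map a numeric threat level to the name of its colour band."""
    for name, floor in BANDS:
        if threat_level >= floor:
            return name
    return "none"


def scope_of_analysis(components):
    """Reproduce the Scope of Analysis counts shown in the PDF summary."""
    total = len(components)
    identified = sum(1 for c in components if c["identified"])
    # A component with several violations contributes exactly once, under the
    # band of its single most severe violation.
    worst = [max(c["violations"]) for c in components if c["violations"]]
    by_band = Counter(band(t) for t in worst)
    # Security alerts are totalled across components; affected components are
    # counted once each regardless of how many issues they carry.
    security_alerts = sum(c["security_issues"] for c in components)
    affected = sum(1 for c in components if c["security_issues"])
    # Each license alert corresponds to exactly one component.
    license_alerts = sum(1 for c in components if c["license_alert"])
    return {
        "total": total,
        "identified": identified,
        "identified_pct": round(100 * identified / total, 1) if total else 0.0,
        "violations_by_band": {name: by_band.get(name, 0) for name, _ in BANDS},
        "security_alerts": security_alerts,
        "affected_components": affected,
        "license_alerts": license_alerts,
    }


def naive_violation_count(components):
    """Count every violation rather than one per component, for contrast."""
    return Counter(band(t) for c in components for t in c["violations"])


if __name__ == "__main__":
    print(scope_of_analysis(COMPONENTS))
    print(dict(naive_violation_count(COMPONENTS)))
```

Running the script on the sample data gives two critical, one severe and one moderate component, whereas the naive count reports two severe and two moderate violations. If the numbers on your PDF look lower than the violation list suggests, this per-component rule is usually the reason.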
The Security Issues section provides three visualizations. The first visualization displays the number of security issues by their particular Common Vulnerability Scoring System (CVSS) score, breaking the issues into three threat levels - Critical, Severe and Moderate.
Next to this raw count, the same numbers are represented in a bar graph to help distinguish the relative impact for each threat level.
Finally, a dependency depth chart shows at which dependency level the security issues occur, with the size of each circle indicating how many issues are found at that level.
As with Security, the License Analysis section breaks the data into threat level categories. Unlike the CVSS-based security levels, however, these do not come from an external source: they are derived from the license threat groups managed in the IQ Server, where you control which licenses belong to each group.
There are four threat level categories:
- Critical (Copyleft)
- Severe (Non Standard)
- Moderate (Weak Copyleft)
- No Threat (Liberal)
The four categories themselves are static and not configurable; only the assignment of licenses to the corresponding threat groups is.
The first counts displayed represent the total number of licenses found in each threat level. Next to this list, a graph shows the percentage of licenses in each threat level category relative to the total number of licenses found. Finally, a dependency depth chart shows the volume of licenses found at each dependency level, coloured according to threat level.
The Policy Violations section displays the details for all scanned components. This matches the data displayed in the Policy tab of the Component Information Panel (CIP). Note that, depending on the number of violations in your application, this section can be very long.
The Security Issues section displays a breakdown of all security issues found in the scan of the application.
The License Analysis section displays a breakdown of all license issues found in the scan of the application. Note that, depending on your license threat groups and license assignments, this section of the report can also be very long.
This section brings together information from all the others. For each component it displays the highest security issue identified (and its CVSS score), any declared and/or observed licenses (and the highest threat level among them), the match state, the age, and the policy violation counts for each threat level band (red, orange, yellow, and blue). In most cases this section can be used as a detailed bill of materials.
In some cases a URL for the project is provided. This is indicated by an information icon.