Reviewing a Report
The Application Composition Report is organized into four tabs: Summary, Policy, Security Issues, and License Analysis. These tabs represent the basic navigation for the report and serve to divide information into specific sections.
It’s important to first understand a little bit about what a report represents and the basic sets of data it contains. In general, each report:
- Corresponds to a single, specific application, indicating the application name, date of the report, and the stage the scan took place in.
- Includes components found during a scan of the application, in most cases, including any dependencies.
- Records violations linked to an application’s policies, or the policies inherited from the application’s organization.
- Displays available security information for any components found matching components in the Central Repository.
- Displays available license information for any components found to exactly, or partially, match components in the Central Repository, as well as any data recorded manually (e.g. through the claiming process).
- Distinguishes between, external, proprietary and internally identified/claimed components.
Now that you know what forms the basis of the report, let’s take a look at each tab individually.sc
The Summary tab is always the first section of the report displayed. It is broken into three sections:
Scope of Analysis
This section shows counts, giving you an idea of the volume of components that were found during the scan. It also gives a breakdown of those that were identified, including a specific percentage that is represented by open source components. In addition to these numbers, you will also see:
- A distinct count of components identified.
- A count of components with policy violations, displayed by threat level. Only the most severe violation for each component is counted.
- The total number of security alerts found, and the number of affected components.
- The total number of license alerts. Each license alert corresponds to a single component.
The Security Issues section provides three visualizations. The first visualization displays the number of security issues by their particular Common Vulnerability Scoring System (CVSS) score, breaking the issues into three threat levels - Critical, Severe and Moderate.
Next to this raw count, the same numbers are represented in a bar graph to help distinguish the relative impact for each threat level.
Finally, a dependency depth chart shows where the security issues occur, relative to how many there are, indicated by the size of the circles, as well as what level of dependency they are found in.
As with Security, the License Analysis section breaks the data into four threat level categories. However, these threat levels do not come from an external source, but rather the user-configurable license threat groups that are managed via the IQ Server.
There are four threat level categories:
- Critical (Copyleft)
- Severe (Non Standard)
- Moderate (Weak Copyleft)
- No Threat (Liberal)
These categories are static and not not configurable.
The first counts that are displayed represent the total number of licenses found in each threat level. Next to this list, a graph indicates percentage of licenses in each threat level category, compared to the total number of licenses found. Finally, a dependency depth chart indicates the volume of licenses found at each dependency level, as well as the color corresponding to the threat level.
Policy Violations Tab
The Policy Violations tab displays a list of all components found during the scan of the application. By default components are ordered by their worst policy violation. This is an important distinction, because a component may have more than one violation, and the threat level severity for those violations could vary. If you wish to see all violations there are two options, using the Violation Filter, or the Component Information Panel (CIP). Below we have highlighted the available filters.
The filter lists five categories:
- All (default)
In addition to the main set of filters, you can also filter by violations, including those that have been waived. The available options include:
- Summary (default)
Clicking on any of these will change the components in the list. We’ll discuss each of these in further detail in the sections corresponding to component matching, claiming components, and waiving components sections.
The list of components, below the filter, displays the threat level posed by the components. The Policy Threat column displays the name of the worst violated policy for the component and the severity using a colored bar. The Component column displays all available coordinate information for the component.
In addition the list displays the Popularity and the Age of the component in the Central Repository in separate columns. The Release History is displayed in a visualization that includes the most popular version, the most recent version, your version and any other available versions in a timeline.
By clicking on the column header, the list of components can be sorted. If you are looking for a specific policy, or component, you can use the search fields located at the top of each of those columns, directly below the header.
Clicking on a row for a component in list displays the Component Information Panel (CIP). For more information on the CIP, see The Component Information Panel.
Security Issues Tab
The important thing to remember about the Security Issues tab is that information displayed there is related specifically to security vulnerabilities data that has been collected by Sonatype. This data however, is separate from policy violations, which are based on policies that you have created (or imported), and are displayed on the Policy Violations tab. That is, you could certainly have a situation where there is a security vulnerability, and no policy violation. Because of this, it is important to treat them independently.
The way components are displayed is actually quite different as well. In the Security Issues tab, only those components with a security vulnerability are displayed. The data provided for each component is broken into several columns:
- Threat Level
- Problem Code
By default the list of components with security vulnerabilities is organized by threat level. This helps you isolate the most critical issues you need to address. However, you may notice that components in this list are repeated. This is because a component may have more than one security vulnerability, and those vulnerabilities in fact may have different scores, thus different threat levels.
To sort the list, simply click the corresponding header. For example, if we wanted to sort by components, finding a component with multiple vulnerabilities, we would simply click on the Components column. Additionally, you can search for a specific component by typing in the search field located directly below each header.
License Analysis Tab
The License Analysis tab displays all identified components found in the application scan and their license threat details. Unknown components are not displayed. Similar to the security issues, a license threat does not necessarily correlate to a policy, and as such should be treated independently.
For each component listed, the license related data is displayed. This data is based on information collected during a scan. By default, components are listed based on the threat of the corresponding License Threat Group that identified license is in. However, like the other tabs, clicking on a column in list will sort the components by that column. Additionally, specific components can be isolated using the search located below each header. The columns displayed include:
This field displays both the Declared Licenses and the Observed Licenses. The Declared Licenses are highlighted with a bold font and is the first set of licenses in the field. If no license is declared, it will have the text Not Declared.
The component field will display the identified component using the coordinate system appropriate for the component.
The status field will display the status for this license which has been set by a user via the Licenses tab in the Component Information Panel.