The Component Information Panel
Clicking on a specific component opens the Component Information Panel (CIP). The first thing you should notice is that the CIP can be accessed for a component on the Policy, Security Issues, and License Analysis tabs. No matter which of these tabs you are on, simply click on the component, and the panel is displayed. Even better, the information displayed is the same, regardless of the tab in which you clicked on the component.
The CIP itself is divided into two areas. The top has a list of various sections, each providing more specific details and functionality related to the component. Below these sections, the panel will display information for the corresponding section. A brief description of each section is included below.
The following table outlines the details provided for a chosen component in the Component Info tab:
|Declared License||Any license that has been declared by the author.|
|Observed License||Any license(s) found during the scan of the component’s source code.|
|Effective License||Either any licenses included in the Declared or Observed Group, or the overridden license.|
|Coordinates||The identifying information for a component. For known components, all available coordinate information will be displayed.|
|Highest Policy Threat||The highest threat level policy that has been violated, as well as the total number of violations.|
|Highest CVSS Score||The highest threat level security vulnerability and the total number of security vulnerabilities.|
|Cataloged||The age of the component based on when it was first added into the source from which it was identified.|
|Match State||How the component was matched (exact, similar, or unknown).|
|Identification Source||Whether a component is identified by Sonatype, or claimed during your own process.|
|Website||If available, an information icon providing a link to the project is displayed.|
The graph itself is laid out like a grid, with each vertical slice representing a particular version. The current version is identified by a vertical line. The information displayed in the graph includes:
|Popularity||The popularity for each version is shown as a bar graph. The taller the bar, the more popular the version.|
|Policy Threat||The heatmap marker colors represent the highest policy threat levels for each version across all policy types, with no marker indicating no threat.|
The Policy tab shows details of any policy violations for the component. Here you can see the name of the policy that has been violated (and any action that was taken), the name of the constraint that has been violated, and the value that was found. While the Policy/Action and Constraint names are straight forward, the Condition Value may be a little confusing at first.
A condition is simply the if part of an if/then statement. If a certain condition value is found which is equivalent to a condition being met, then the policy will be violated. E.g. if we have a policy that has a condition such that if a security vulnerability is found, our Condition Value column would indicate, Found x Security Vulnerabilities. In the same regard, Constraints are simply multiple conditions joined together.
In addition to simply viewing the policy information details, a policy violation can also be waived in this section of the CIP using the Waive button.
Any components found to be similar to the selected component will be listed in the Similar tab. For example, a similar component could be a component that a developer has built locally using the source code of an open source component with minor modifications or additions.
When a file is scanned, it has a filename and location where it was found. In some cases, it may have more than one filename and location. Either way, the path to the location(s), as well as the filename(s), of the component that was scanned is included in this section. In short, the Occurrences section lists the file names and locations where the component was encountered. This section can be especially useful to detect accidental shipping of duplicate components archives or a misconfiguration of your actual report creation target e.g. you might be scanning the deployment archive (e.g. a war file) as well as the build output folder used to create the archive.
The Licenses section is split into two areas. On the left, any licenses that were identified as declared by the author of the component, as well as any license found during the scan of the component source code are listed. On the right, is the license status area where you can set the Status of the component license information.
The Vulnerabilities tab is separated into two areas. On the left, all security vulnerabilities related to the component are displayed. Clicking the "i" info button on any of the vulnerability rows will show more details. On the right is the security vulnerability status area.
The important item to note here, is that the assignment of labels to a component is done in this section of the CIP.
The Claim Component tab is only available for unknown or similar component matches. During a scan, some components are identified as unknown or similar. Since we realize that in many cases you actually recognize these components, we provide this section to claim these components.
When changes are made to the status of a security vulnerability, or the status of a component’s license within the scope of a particular application, that information is recorded in the Audit Log tab of the CIP for that component.