The Component Information Panel
Clicking on a specific component within the Policy Violations table opens the Component Information Panel (CIP). The CIP itself is divided into two areas. The top has a series of tabs for various sections, each providing more specific details and functionality related to the component. Below these tabs, the panel will display the corresponding information. A brief description of each section is included below. At the bottom of the CIP, navigation buttons to switch to the next and previous components in the Policy Violations Table can be found.
Any changes done in the Component Information Panel are visible only when the application is re-analyzed (via the re-evaluation button or a new evaluation being triggered from CI, CLI, policy monitoring, etc).
This tab contains a version graph for viewing available versions of the selected component, information on the selected component and version, and also recommended versions for any components that have policy violations for the application.
The recommended version is based on the availibility of a newer version of the same component that does not violate any configured policies for the application. If such a version exists a hyperlink is displayed with the suggested version. Clicking on the link will select the recommended version in the version graph and populate the table with information about this version.
The version graph is laid out like a grid, with each vertical slice representing a particular version. The current version is identified by a vertical line with its popularity in a dark grey color. Previous versions are shown in light grey, and newer releases with a different major version show popularities in blue. Newer versions with the same major version as the current version show popularities in green. The information displayed in the graph includes:
|Popularity||The popularity for each version is shown as a bar graph. The taller the bar, the more popular the version.|
|Policy Threat||The heatmap marker colors represent the highest policy threat levels for each version across all policy types, with no marker indicating no threat.|
The following table outlines the details provided for a chosen component in the Component Info tab:
|Declared License||Any license that has been declared by the author.|
|Observed License||Any license(s) found during the scan of the component’s source code.|
|Effective License||Either any licenses included in the Declared or Observed Group, or the overridden license.|
|Coordinates||The identifying information for a component. For known components, all available coordinate information will be displayed.|
|Highest Policy Threat||The highest threat level policy that has been violated, as well as the total number of violations. The value may be NA if all threats have been waived.|
|Highest CVSS Score||The highest threat level security vulnerability and the total number of security vulnerabilities. The value may be NA if all threats have been waived.|
|Cataloged||The age of the component based on when it was first added into the source from which it was identified.|
|Match State||How the component was matched (exact, similar, or unknown).|
|Identification Source||Whether a component is identified by Sonatype, or claimed during your own process.|
|Category||The component category identified by Sonatype.|
|Website||If available, an information icon providing a link to the project is displayed.|
The Policy tab shows details of any policy violations for the component. Here you can see the name of the policy that has been violated (and any action that was taken), the name of the constraint that has been violated, and the value that was found. While the Policy/Action and Constraint names are straight forward, the Condition Value may be a little confusing at first.
A condition is simply the if part of an if/then statement. If a certain condition value is found which is equivalent to a condition being met, then the policy will be violated. E.g. if we have a policy that has a condition such that if a security vulnerability is found, our Condition Value column would indicate, Found x Security Vulnerabilities. In the same regard, Constraints are simply multiple conditions joined together.
In addition to simply viewing the policy information details, a policy violation can also be waived in this section of the CIP using the Waive button.
Any components found to be similar to the selected component will be listed in the Similar tab. For example, a similar component could be a component that a developer has built locally using the source code of an open source component with minor modifications or additions.
When a file is scanned, it has a filename and location where it was found. In some cases, it may have more than one filename and location. Either way, the paths to the location(s), as well as the filename(s), of the component that was scanned are included in this section. In short, the Occurrences section lists the file names and locations where the component was encountered. This section can be especially useful to detect accidental shipping of duplicate component archives or a misconfiguration of your actual report creation target e.g. you might be scanning the deployment archive (e.g. a war file) as well as the build output folder used to create the archive.
The Licenses section is split into two areas. On the left, any licenses that were identified as declared by the author of the component, as well as any licenses found during the scan of the component source code are listed. On the right is the license status area where you can set the Status of the component license information.
The Vulnerabilities tab is separated into two areas. On the left, all security vulnerabilities related to the component are displayed. Clicking the "i" info button on any of the vulnerability rows will show more details. On the right is the security vulnerability status area. See Resolving Security Issues for more information on using this tab.
This tab allows for the assignment and unassignment of labels from the component.
The Claim Component tab is only available for unknown or similar component matches. During a scan, some components are identified as unknown or similar. Since we realize that in many cases you actually recognize these components, we provide this section to claim these components by manually specifying their component identifier.
When changes are made to the status of a security vulnerability, or the status of a component’s license within the scope of a particular application, that information is recorded in the Audit Log tab of the CIP for that component.