When you look at the application composition report for the first time, you will likely notice the four tabs: Summary, Policy, Security Issues, and License Analysis.
These tabs are the basic navigation for the report and divide its information into specific sections. The name of each tab indicates the kind of data it displays.
The Summary tab displays a summary of violation, security, and license risk information for components in your application and provides a good first overview. The Policy tab displays violation data for components in your application. The Security Issues tab displays security-related risk for components in your application. The License Analysis tab displays license-related data for components in your application.
We’ll cover each of these in a bit more detail below. However, it’s important to first understand a little bit about what a report represents and the basic sets of data it contains.
In general, each report…
Now that you know what forms the basis of the report, let’s take a look at each tab individually.
The Summary tab is always the first section of the report displayed. It is broken into three sections:
This section shows counts, giving you an idea of the volume of components that were found during the scan. It also gives a breakdown of those that were identified, including a specific percentage that is represented by open source components. In addition to these numbers, you will also see:
Next to this raw count, the same numbers are represented in a bar graph to help distinguish the relative impact for each threat level.
Finally, a dependency depth chart shows at which dependency level the security issues occur; the size of each circle indicates how many issues are found at that level.
There are four threat level categories:
The categories used in the report are static and not configurable.
The first counts that are displayed represent the total number of licenses found in each threat level. Next to this list, a graph indicates percentage of licenses in each threat level category, compared to the total number of licenses found. Finally, a dependency depth chart indicates the volume of licenses found at each dependency level, as well as the color corresponding to the threat level.
The Policy tab displays a list of all components found during the scan of the application. By default, components are ordered by their worst policy violation. This is an important distinction, because a component may have more than one violation, and the threat level severity of those violations can vary. If you wish to see all violations for a component, there are two options: the Violation Filter or the Component Information Panel (CIP). Both are discussed in this chapter; the available filters are highlighted below.
The filter lists five categories:
In addition to the main set of filters, you can also filter by violations, including those that have been waived. The available options include:
Clicking on any of these changes which components appear in the list. Each is discussed in further detail in the sections on component matching, claiming components, and waiving components.
The list of components, below the filter, displays the threat level posed by each component. The Policy Threat column displays the name of the worst violated policy for the component and its severity as a colored bar. The Component column displays all available coordinate information for the component.
In addition, the list displays the Popularity and the Age of the component in the Central Repository in separate columns. The Release History is displayed as a timeline that includes the most popular version, the most recent version, your version, and any other available versions.
By clicking on the column header, the list of components can be sorted. If you are looking for a specific policy, or component, you can use the search fields located at the top of each of those columns, directly below the header.
Clicking on a row for a component in the list displays the Component Information Panel (CIP), which is discussed in Section 11.4, “The Component Information Panel (CIP)”.
The important thing to remember about the Security Issues tab is that the information displayed there relates specifically to security vulnerability data collected by Sonatype. This data is separate from policy violations, which are based on policies that you have created (or imported) and are displayed on the Policy tab. A policy violation is only raised when one of your policies covers that condition, so you can certainly have a situation where there is a security vulnerability and no policy violation. Because of this, it is important to treat the two independently.
The way components are displayed is actually quite different as well. In the Security Issues tab, only those components with a security vulnerability are displayed. The data provided for each component is broken into several columns:
By default, the list of components with security vulnerabilities is ordered by threat level. This helps you isolate the most critical issues you need to address. However, you may notice that components in this list are repeated. This is because a component may have more than one security vulnerability, and those vulnerabilities may have different scores and therefore different threat levels.
To sort the list, simply click the corresponding header. For example, to group the rows for a component with multiple vulnerabilities, click the Component column header. Additionally, you can search for a specific component by typing in the search field located directly below each header.
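As an added illustration of the two points above (the Policy tab ordering by worst violation, and the Security Issues tab listing one row per vulnerability independently of policy), the following Python script reduces a constructed report-like data set to those two views and picks out a component that has a vulnerability but no policy violation. This is example code added here, not code from the page or from Sonatype, and not the product's actual report format: the dict layout, component coordinates, policy names, vulnerability identifiers and the numeric cut-offs used for the four threat categories are all assumptions made for this example.

```python
"""Worked example (added here; not Sonatype code): reducing report data of
the kind the chapter describes to the Policy and Security Issues tab views.
The dict layout, sample components, policy names, vulnerability ids and the
numeric threat-level cut-offs are constructed for this example and are not
the product's report format."""

from collections import defaultdict

# Constructed sample data: three components as a report might list them.
# Threat levels are integers 0-10 (assumption). "log-helper" has a security
# vulnerability but no policy violation; "xml-parser" has two vulnerabilities
# with different scores, so it appears twice on the security view.
COMPONENTS = [
    {
        "coordinates": "org.example:xml-parser:1.2.0",
        "depth": 1,
        "violations": [
            {"policy": "Security-High", "threat_level": 9},
            {"policy": "Architecture-Quality", "threat_level": 3},
        ],
        "vulnerabilities": [
            {"id": "EXAMPLE-0001", "threat_level": 9},
            {"id": "EXAMPLE-0002", "threat_level": 5},
        ],
    },
    {
        "coordinates": "org.example:log-helper:2.0.1",
        "depth": 2,
        "violations": [],
        "vulnerabilities": [{"id": "EXAMPLE-0003", "threat_level": 4}],
    },
    {
        "coordinates": "org.example:util-strings:0.9.0",
        "depth": 0,
        "violations": [{"policy": "License-Copyleft", "threat_level": 7}],
        "vulnerabilities": [],
    },
]


def threat_category(level):
    """Bucket a 0-10 threat level into four named categories (cut-offs assumed)."""
    if level >= 8:
        return "critical"
    if level >= 4:
        return "severe"
    if level >= 2:
        return "moderate"
    return "low"


def policy_tab_rows(components):
    """One row per component, ordered by its worst policy violation, as the
    Policy tab does by default. Components with no violations sort last."""
    rows = []
    for comp in components:
        worst = max(comp["violations"], key=lambda v: v["threat_level"], default=None)
        rows.append({
            "component": comp["coordinates"],
            "policy_threat": worst["policy"] if worst else None,
            "threat_level": worst["threat_level"] if worst else 0,
            "violation_count": len(comp["violations"]),
        })
    rows.sort(key=lambda r: r["threat_level"], reverse=True)
    return rows


def security_tab_rows(components):
    """One row per vulnerability (so a component can repeat), ordered by
    threat level; components without vulnerabilities do not appear."""
    rows = [
        {
            "component": comp["coordinates"],
            "vulnerability": vuln["id"],
            "threat_level": vuln["threat_level"],
            "category": threat_category(vuln["threat_level"]),
        }
        for comp in components
        for vuln in comp["vulnerabilities"]
    ]
    rows.sort(key=lambda r: r["threat_level"], reverse=True)
    return rows


def vulnerable_without_violation(components):
    """The case the chapter warns about: a vulnerability that no policy
    turned into a violation. Only visible if the tabs are read independently."""
    return [
        comp["coordinates"]
        for comp in components
        if comp["vulnerabilities"] and not comp["violations"]
    ]


def summary_counts(components):
    """Summary-tab style counts: vulnerabilities per category and per depth."""
    by_category = defaultdict(int)
    by_depth = defaultdict(int)
    for comp in components:
        for vuln in comp["vulnerabilities"]:
            by_category[threat_category(vuln["threat_level"])] += 1
            by_depth[comp["depth"]] += 1
    return dict(by_category), dict(by_depth)


if __name__ == "__main__":
    for row in policy_tab_rows(COMPONENTS):
        print("policy  ", row)
    for row in security_tab_rows(COMPONENTS):
        print("security", row)
    print("vulnerable, no violation:", vulnerable_without_violation(COMPONENTS))
    print("summary:", summary_counts(COMPONENTS))
```

Running it shows xml-parser first on the policy view (worst violation 9, two violations in total), the same component twice on the security view with two different categories, and log-helper flagged as vulnerable despite having no policy violation, which is exactly why the chapter says to read the two tabs separately.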
The License Analysis tab displays all identified components found in the application scan and their license threat details. Unknown components are not displayed. As with security issues, a license threat does not necessarily correlate to a policy violation, and should be treated independently.
For each component listed, the license-related data collected during the scan is displayed. By default, components are ordered by the threat level of the License Threat Group that the identified license belongs to. However, as on the other tabs, clicking on a column header sorts the components by that column, and specific components can be isolated using the search field located below each header. The columns displayed include:
Copyright © 2008-present, Sonatype Inc. All rights reserved.