Documentation Nexus IQ Server 1.17

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

10.2. Reviewing a Report

When you look at the Application Composition Report for the first time, you will likely notice the four tabs:

  • Summary
  • Policy
  • Security Issues
  • License Analysis

Figure 10.4. The Four Tabs


These tabs represent the basic navigation for the report, and serve to divide information into specific sections. In a sense, the name of each tab represents the theme of the data that will be displayed.

The Summary tab displays a summary of violation, security, and license risk information for components in your application and provides a good first overview. The Policy tab displays violation data for components in your application. The Security Issues tab displays security-related risk for components in your application. The License Analysis tab displays license-related data for components in your application.

We’ll cover each of these in a bit more detail below. However, it’s important to first understand a little bit about what a report represents and the basic sets of data it contains.

In general, each report…

  • Corresponds to a single, specific application, indicating the application name, date of the report, and the stage the scan took place in.
  • Includes components found during a scan of the application, in most cases, including any dependencies.
  • Records violations linked to an application’s policies, or the policies inherited from the application’s organization.
  • Displays available security information for any components found matching components in the Central Repository.
  • Displays available license information for any components found to exactly, or partially, match components in the Central Repository, as well as any data recorded manually (e.g. through the claiming process).
  • Distinguishes between external, proprietary and internally identified/claimed components.

Now that you know what forms the basis of the report, let’s take a look at each tab individually.

10.2.1. Summary Tab

The Summary tab is always the first section of the report displayed. It is broken into three sections:

Scope of Analysis

This section shows counts, giving you an idea of the volume of components that were found during the scan. It also gives a breakdown of those that were identified, including a specific percentage that is represented by open source components. In addition to these numbers, you will also see:

  • A count of components with policy violations, displayed by threat level. Only the most severe violation for each component is counted.
  • The total number of security alerts found, and the number of affected components.
  • The total number of license alerts. Each license alert corresponds to a single component.

Security Issues

The Security Issues section provides three visualizations. The first visualization displays the number of security issues by their Common Vulnerability Scoring System (CVSS) score, breaking the issues into three threat levels - Critical, Severe and Moderate.

Next to this raw count, the same numbers are represented in a bar graph to help distinguish the relative impact for each threat level.

Finally, a dependency depth chart shows where the security issues occur: the size of each circle indicates how many issues there are, and its position indicates the dependency level at which they are found.


Figure 10.5. Security Issues Summary


License Analysis

As with Security, the License Analysis section breaks the data into four threat level categories. However, these threat levels do not come from an external source, but rather from the user-configurable license threat groups that are managed via the Nexus IQ Server.

There are four threat level categories:

  • Critical (Copyleft)
  • Severe (Non Standard)
  • Moderate (Weak Copyleft)
  • No Threat (Liberal)

The categories used in the report are static and not configurable.

The first counts that are displayed represent the total number of licenses found in each threat level. Next to this list, a graph indicates the percentage of licenses in each threat level category, compared to the total number of licenses found. Finally, a dependency depth chart indicates the volume of licenses found at each dependency level, colored according to the threat level.


Figure 10.6. License Analysis Summary


10.2.2. Policy Tab

The Policy tab displays a list of all components found during the scan of the application. By default, components are ordered by their worst policy violation. This is an important distinction, because a component may have more than one violation, and the threat level severity of those violations could vary. If you wish to see all violations, there are two options: the Violation Filter, or the Component Information Panel (CIP). In this chapter we’ll discuss both options. However, below we have highlighted the available filters.


Figure 10.7. Policy Tab


Filter

The filter lists five categories:

  • All (default)
  • Exact
  • Similar
  • Unknown
  • Proprietary

In addition to the main set of filters, you can also filter by violations, including those that have been waived. The available options include:

  • Summary (default)
  • All
  • Waived

Clicking on any of these will change the components in the list. We’ll discuss each of these in further detail in the sections on component matching, claiming components, and waiving components.

Component List

The list of components, below the filter, displays the Threat level posed by the components. The Policy Threat column displays the name of the worst violated policy for the component and the severity using a colored bar. The Component column displays all available coordinate information for the component.

In addition, the list displays the Popularity and the Age of the component in the Central Repository in separate columns. The Release History is displayed in a visualization that includes the most popular version, the most recent version, your version and any other available versions in a timeline.

By clicking on the column header, the list of components can be sorted. If you are looking for a specific policy, or component, you can use the search fields located at the top of each of those columns, directly below the header.

Clicking on a row for a component in the list displays the Component Information Panel (CIP), which we will discuss in Section 10.4, “The Component Information Panel (CIP)”.

10.2.3. Security Issues Tab

The important thing to remember about the Security Issues tab is that the information displayed there relates specifically to security vulnerability data that has been collected by Sonatype. This data, however, is separate from policy violations, which are based on policies that you have created (or imported) and are displayed on the Policy tab. That is, you could certainly have a situation where there is a security vulnerability but no policy violation. Because of this, it is important to treat them independently.


Figure 10.8. Security Issues Tab


The way components are displayed is actually quite different as well. In the Security Issues tab, only those components with a security vulnerability are displayed. The data provided for each component is broken into several columns:

  • Threat Level
  • Problem Code
  • Component
  • Status

By default the list of components with security vulnerabilities is organized by threat level. This helps you isolate the most critical issues you need to address. However, you may notice that components in this list are repeated. This is because a component may have more than one security vulnerability, and those vulnerabilities in fact may have different scores, thus different threat levels.

To sort the list, simply click the corresponding header. For example, if we wanted to sort by component, to find a component with multiple vulnerabilities, we would simply click on the Component column. Additionally, you can search for a specific component by typing in the search field located directly below each header.
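As an added illustration (not part of the Nexus IQ Server documentation or product), the snippet below models how the counts described under Scope of Analysis and the rows of the Security Issues tab are derived from the same set of components: policy counts count each component once by its worst violation, security alerts are counted per vulnerability so a component can appear more than once, and a component can carry a security issue without any policy violation. The component records, problem codes, threat-level numbers and the CVSS-to-threat-level cut-offs are constructed assumptions.

```python
from collections import Counter

# Constructed sample data, not real Nexus IQ output. Problem codes are placeholders.
# Each record: coordinates, policy violations as (policy name, threat level 0-10),
# and security issues as (problem code, CVSS score).
COMPONENTS = [
    {"coords": "org.example:lib-a:1.0",
     "violations": [("Security-High", 9), ("License-Weak", 5)],
     "security": [("PROBLEM-CODE-1", 9.8), ("PROBLEM-CODE-2", 5.3)]},
    {"coords": "org.example:lib-b:2.1",
     "violations": [("License-Weak", 5)],
     "security": []},
    {"coords": "org.example:lib-c:0.9",
     "violations": [],                      # security issue, but no policy violation
     "security": [("PROBLEM-CODE-3", 7.5)]},
]

THREAT_ORDER = {"Critical": 0, "Severe": 1, "Moderate": 2}


def cvss_threat_level(score):
    """Assumed bucketing of a CVSS score into the report's three threat levels."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "Severe"
    return "Moderate"


def policy_counts_by_threat(components):
    """Scope of Analysis: each component counted once, by its most severe violation."""
    worst = [max(level for _, level in c["violations"])
             for c in components if c["violations"]]
    return dict(Counter(worst))


def security_summary(components):
    """Scope of Analysis: total security alerts and number of affected components."""
    total = sum(len(c["security"]) for c in components)
    affected = sum(1 for c in components if c["security"])
    return total, affected


def security_rows(components):
    """Security Issues tab: one row per vulnerability, ordered by threat level."""
    rows = [(cvss_threat_level(score), code, c["coords"])
            for c in components for code, score in c["security"]]
    return sorted(rows, key=lambda row: THREAT_ORDER[row[0]])


def security_without_violations(components):
    """Components that appear on the Security Issues tab but have no policy violation."""
    return [c["coords"] for c in components if c["security"] and not c["violations"]]
```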

10.2.4. License Analysis Tab

The License Analysis tab displays all identified components found in the application scan and their license threat details. Unknown components are not displayed. Similar to the security issues, a license threat does not necessarily correlate to a policy, and as such should be treated independently.


Figure 10.9. License Analysis Tab


For each component listed, the license-related data is displayed. This data is based on information collected during a scan. By default, components are listed based on the threat of the License Threat Group that the identified license belongs to. However, like the other tabs, clicking on a column in the list will sort the components by that column. Additionally, specific components can be isolated using the search located below each header. The columns displayed include:

  • License Threat
  • Component
  • Status