Documentation Nexus IQ Server 1.34

12.4. The Component Information Panel (CIP)

In our previous sections, we briefly indicated that clicking on a specific component causes the Component Information Panel (CIP) to be displayed. We promised to discuss it further, and this section makes good on that promise.

The first thing you should notice is that the CIP can be accessed for a component on the Policy, Security Issues, and License Analysis tabs. No matter which of these tabs you are on, simply click on the component and the panel is displayed. Even better, the information displayed is the same regardless of the tab from which you clicked on the component.

The CIP itself is divided into two areas. The top has a list of various sections, each providing more specific details and functionality related to the component. Below these sections, the panel will display information for the corresponding section. A brief description of each section is included below.

Figure 12.11. Component Information Panel CIP Example (image: figs/web/app-comp-report-CIP.png)


Component Info

Declared License
Any license that has been declared by the author.
Observed License
Any license(s) found during the scan of the component’s source code.
Effective License
Either any licenses included in the Declared or Observed Group, or the overridden license.
Coordinates
The identifying information for a component. For known components, all available coordinate information will be displayed.
Highest Policy Threat
The highest threat level policy that has been violated, as well as the total number of violations.
Highest Security Threat
The highest threat level security issue and the total number of security issues.
Cataloged
The age of the component, based on when it was first uploaded to the Central Repository.
Match State
How the component was matched (exact, similar, or unknown).
Identification Source
Whether a component is identified by Sonatype, or claimed during your own process.
Website
If available, an information icon providing a link to the project is displayed.

The Component Info section also includes a version graph. It is laid out like a grid, with each vertical slice representing a particular version; the selected version is identified by a vertical line. The information displayed in the graph includes:

Popularity
The popularity of each version is shown as a bar graph: the larger the bar, the more popular the version.
License Risk
This will display the license risk based on the application that is selected, and the associated policy and/or license threat groups for that application. Use the application selector to change the application, and corresponding policies the component should be evaluated against.
Security Alerts
For each version, the highest security threat will be displayed by color, with the highest shown as red, and no marker indicating no threat.

Policy. The Policy section displayed in Figure 12.12, “CIP, Policy Section” has the details of any policy violations for the component. Here you can see the name of the policy that has been violated (and any action that was taken), the name of the constraint that has been violated, and the value that was found. While the Policy/Action and Constraint names are straightforward, the Condition Value may be a little confusing at first.

As we know from our other chapters, a condition is simply the "if" part of an if/then statement. If a certain condition value is found, which is equivalent to the condition being met, then the policy is violated. For example, if we have a policy with a condition that is met when a security vulnerability is found, our Condition Value column would read "Found x Security Vulnerabilities". In the same regard, constraints are simply multiple conditions joined together.
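To make the relationship between the Policy, Constraint and Condition Value columns concrete, here is an added, constructed model of that evaluation. It is illustrative code written for this section, not Nexus IQ Server's own policy engine: the policy names, threat levels, actions, condition wording and the sample component are all assumptions. A constraint is violated only when every one of its conditions is met, each met condition contributes a Condition Value string, and the "Highest Policy Threat" summary from the Component Info section falls out of the resulting violations.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Component:
    """Constructed facts about one scanned component (not real scan output)."""
    coordinates: str
    security_vulns: int        # number of known security vulnerabilities
    max_cvss: float            # highest CVSS score among them
    effective_license: str
    match_state: str           # "exact", "similar" or "unknown"


@dataclass
class Condition:
    name: str
    # Returns the Condition Value text when the condition is met, else None.
    test: Callable[[Component], Optional[str]]


@dataclass
class Constraint:
    name: str
    conditions: List[Condition]   # all must be met for the constraint to be violated


@dataclass
class Policy:
    name: str
    threat_level: int             # 0..10, 10 most severe (assumed scale)
    action: str                   # assumed actions: "warn" or "fail"
    constraints: List[Constraint]


@dataclass
class Violation:
    policy: str
    action: str
    constraint: str
    condition_values: List[str]   # one entry per met condition


def check_constraint(constraint: Constraint, comp: Component) -> Optional[List[str]]:
    """Constraint = conditions joined with AND; return the Condition Values if all are met."""
    values = []
    for cond in constraint.conditions:
        value = cond.test(comp)
        if value is None:
            return None
        values.append(value)
    return values


def evaluate(policies: List[Policy], comp: Component) -> List[Violation]:
    """Produce one row per violated constraint, as the Policy section lists them."""
    violations = []
    for policy in policies:
        for constraint in policy.constraints:
            values = check_constraint(constraint, comp)
            if values is not None:
                violations.append(Violation(policy.name, policy.action, constraint.name, values))
    return violations


def highest_policy_threat(policies: List[Policy], violations: List[Violation]) -> Tuple[int, int]:
    """Mirror the 'Highest Policy Threat' field: (highest threat level, total violations)."""
    level = {p.name: p.threat_level for p in policies}
    if not violations:
        return (0, 0)
    return (max(level[v.policy] for v in violations), len(violations))


def build_sample_policies() -> List[Policy]:
    """Constructed policies; names, thresholds and license groups are assumptions."""
    def vulns_found(c: Component) -> Optional[str]:
        return f"Found {c.security_vulns} Security Vulnerabilities" if c.security_vulns > 0 else None

    def cvss_at_least(threshold: float) -> Callable[[Component], Optional[str]]:
        return lambda c: (f"Highest CVSS score {c.max_cvss} is at least {threshold}"
                          if c.max_cvss >= threshold else None)

    def license_in(group: List[str]) -> Callable[[Component], Optional[str]]:
        return lambda c: (f"Found license {c.effective_license}"
                          if c.effective_license in group else None)

    def match_is(state: str) -> Callable[[Component], Optional[str]]:
        return lambda c: f"Match State is {c.match_state}" if c.match_state == state else None

    return [
        Policy("Security-High", 9, "fail", [
            Constraint("Critical vulnerability",
                       [Condition("Security vulnerability present", vulns_found),
                        Condition("CVSS >= 7.0", cvss_at_least(7.0))])]),
        Policy("License-Copyleft", 7, "warn", [
            Constraint("Copyleft license", [Condition("License in copyleft group",
                                                      license_in(["GPL-3.0", "AGPL-3.0"]))])]),
        Policy("Unknown-Component", 3, "warn", [
            Constraint("Unidentified component", [Condition("Match state unknown", match_is("unknown"))])]),
    ]


def sample_component() -> Component:
    return Component("org.example:demo-lib:1.2.3", 2, 9.8, "GPL-3.0", "exact")


if __name__ == "__main__":
    policies = build_sample_policies()
    found = evaluate(policies, sample_component())
    for v in found:
        print(f"{v.policy}/{v.action} | {v.constraint} | {'; '.join(v.condition_values)}")
    print("Highest Policy Threat:", highest_policy_threat(policies, found))
```

Note that the Security-High constraint is not violated by a component with vulnerabilities whose CVSS stays below 7.0, even though its first condition is met: that is exactly the "multiple conditions joined together" behaviour the section describes, and it is why the Condition Value column can show a value for a condition that did not, on its own, trigger the policy.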

Figure 12.12. CIP, Policy Section (image: figs/web/app-comp-report-CIP-policy.png)


In addition to simply viewing the policy information details, a policy violation can also be waived in this section of the CIP using the Waive button.

Similar. You likely have already noticed the Similar filter that is available on the Policy Violations tab. These two are related, and both are a function of the matching algorithms used when evaluating and identifying components. We won’t go into the details of matching at this time. So, for now, know that any components found to be similar to the selected component will be listed in the Similar section displayed in Figure 12.13, “CIP, Similar Section”. A similar component could for example be a component that a developer has built locally using the source code of an open source component with minor modifications or additions.

Figure 12.13. CIP, Similar Section (image: figs/web/app-comp-report-CIP-similar.png)


Occurrences. When a file is scanned, it has a filename and a location where it was found. In some cases, it may have more than one filename and location. Either way, the path to the location(s), as well as the filename(s), of the component that was scanned is included in this section. In short, the Occurrences section displayed in Figure 12.14, “CIP, Occurrences Section” lists the file names and locations where the component was encountered. This section can be especially useful to detect accidental shipping of duplicate component archives, or a misconfiguration of your actual report creation target. For example, you might be scanning the deployment archive (such as a war file) as well as the build output folder used to create it.
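The duplicate-occurrence check described above can also be run on a build tree before the report is produced. The following script is an added example for this section, not Nexus IQ Server's own scanning or matching code; it hashes every archive under a scan target (and one level of archives nested inside a war), groups them by content hash, and reports any component that occurs more than once. The archive extensions, the use of SHA-256 as the grouping key, and the sample tree (a demo-lib.jar present both in build/lib and inside target/app.war) are constructed assumptions.

```python
import hashlib
import io
import os
import tempfile
import zipfile
from typing import Dict, Iterator, List, Tuple

# Assumption: archive types worth treating as component occurrences.
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def nested_archives(container: bytes, container_path: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (path, bytes) for archives bundled inside a zip-based archive, e.g. WEB-INF/lib/*.jar."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(ARCHIVE_EXTS):
                yield f"{container_path}!/{info.filename}", zf.read(info)


def collect_occurrences(root: str) -> Dict[str, List[str]]:
    """Map content hash -> sorted list of locations (relative to root) where that archive was found."""
    occurrences: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            occurrences.setdefault(sha256_bytes(data), []).append(rel)
            # Descend one level so a jar shipped inside the deployment war is seen as well.
            if zipfile.is_zipfile(io.BytesIO(data)):
                for nested_path, nested_data in nested_archives(data, rel):
                    occurrences.setdefault(sha256_bytes(nested_data), []).append(nested_path)
    return {digest: sorted(paths) for digest, paths in occurrences.items()}


def duplicates(occurrences: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only components encountered at more than one location."""
    return {digest: paths for digest, paths in occurrences.items() if len(paths) > 1}


def make_jar(manifest_text: str) -> bytes:
    """Constructed minimal jar with a fixed timestamp so equal inputs give byte-identical archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("META-INF/MANIFEST.MF", date_time=(2020, 1, 1, 0, 0, 0))
        zf.writestr(info, manifest_text)
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed scan target: build/lib holds demo-lib.jar, and target/app.war bundles the same jar."""
    root = tempfile.mkdtemp(prefix="cip-occurrences-")
    demo_jar = make_jar("Manifest-Version: 1.0\nImplementation-Title: demo-lib\n")
    other_jar = make_jar("Manifest-Version: 1.0\nImplementation-Title: other-lib\n")
    os.makedirs(os.path.join(root, "build", "lib"))
    os.makedirs(os.path.join(root, "target"))
    with open(os.path.join(root, "build", "lib", "demo-lib.jar"), "wb") as fh:
        fh.write(demo_jar)
    with open(os.path.join(root, "build", "lib", "other-lib.jar"), "wb") as fh:
        fh.write(other_jar)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        info = zipfile.ZipInfo("WEB-INF/lib/demo-lib.jar", date_time=(2020, 1, 1, 0, 0, 0))
        zf.writestr(info, demo_jar)
    with open(os.path.join(root, "target", "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    return root


def run_demo() -> Dict[str, List[str]]:
    """Scan the constructed tree and return only the duplicated components."""
    return duplicates(collect_occurrences(build_sample_tree()))


if __name__ == "__main__":
    for digest, paths in run_demo().items():
        print(digest[:12], "occurs at:", ", ".join(paths))
```

Pointing the script at a real scan target with both the build output folder and the packaged archive present reproduces the situation the section warns about: the same jar shows up once as a loose file and once with a `war!/WEB-INF/lib/...` path, which is a sign that the report target, not the application, is the thing to fix.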

Figure 12.14. CIP, Occurrences Section (image: figs/web/app-comp-report-CIP-occurrences.png)


Licenses. The Licenses section displayed in Figure 12.15, “CIP, Licenses Section” is split into two areas. On the left, any licenses identified as declared by the author of the component, as well as any license found during the scan of the component source code, are listed. On the right is the license status area. This functionality directly correlates to the blue Edit button we mentioned in the License Analysis tab overview. It allows you to set the Status of the component license information.

Figure 12.15. CIP, Licenses Section (image: figs/web/app-comp-report-CIP-licenses.png)


Vulnerabilities. In much the same way as the Licenses section, the Vulnerabilities section displayed in Figure 12.16, “CIP, Vulnerabilities Section” is separated into two areas. On the left, all security vulnerabilities related to the component are displayed. Clicking the "i" info button on any of the vulnerability rows shows more details. On the right is the security vulnerability status area. This functionality, which we will discuss later, directly correlates to the blue Edit button we mentioned in the Security Issues tab.

Figure 12.16. CIP, Vulnerabilities Section (image: figs/web/app-comp-report-CIP-edit-vulnerabilities.png)


Labels. Labels are discussed in more depth later in this chapter. However, the important item to note here is that the assignment of labels to a component is done in this section of the CIP, displayed in Figure 12.17, “CIP, Labels Section”.

Figure 12.17. CIP, Labels Section (image: figs/web/app-comp-report-CIP-labels.png)


Claiming Components. The Claim Component section displayed in Figure 12.18, “CIP, Claim Component” is only available for unknown or similar component matches. During a scan, some components are identified as unknown or similar. Since we realize that in many cases you actually recognize these components, we provide this section so that you can claim them.

Figure 12.18. CIP, Claim Component (image: figs/web/app-comp-report-CIP-claim-component.png)


Audit Log. When changes are made to the status of a security vulnerability, or to the status of a component’s license within the scope of a particular application, that information is recorded in the Audit Log section of the CIP for that component, displayed in Figure 12.19, “CIP, Audit”. As is the case for these last few sections, we’ll discuss the Audit Log in greater detail along with our upcoming discussion of Security Vulnerability and License Analysis status.

Figure 12.19. CIP, Audit (image: figs/web/app-comp-report-CIP-audit.png)