Sonatype CLM Server - Application Composition Report

5.2. Managing Proprietary Components

As with matched components, Proprietary is one of the options included in the Filter on the Policy tab of the application composition report. There is often some confusion about what counts as a proprietary component, so let's start with a definition.

Simply put, proprietary components are those components that are unique to your organization. In many cases these are actually developed by your organization and distributed among the applications you develop.

figs/web/app-comp-report-proprietary.png

Figure 5.3. Proprietary Component


In most cases components unique to your organization will simply display as Unknown. In reality, however, they are well known to your team and merely unknown to Sonatype CLM.

To address this, you can set up the Sonatype CLM server to automatically identify proprietary components when an application is scanned. This will then place them into the Proprietary filter.

You still need to claim the components, but this helps you distinguish truly unknown components from those that simply aren't known to Sonatype CLM. To set up proprietary identification:

  1. Make sure you are logged into the Sonatype CLM Server with admin-level permissions (member of the Global Role, Admin).
  2. Click the System Preferences icon figs/web/clm-server-system-preferences-icon.png, and then the Proprietary Components option.
  3. There are two methods for telling Sonatype CLM how to identify proprietary components:

    1. The first option is to add proprietary group parameters, or components, that are considered proprietary. For example, if we entered com.sonatype, everything found in the path com/sonatype would be marked as a proprietary component, and therefore not evaluated.

      [Note]

      This method follows a traditional ANT GLOB pattern.

    2. The second option is to enter a regular expression. If you choose this option, make sure to select the Regular expression check box. For more information on regular expressions, see Oracle's Java documentation. An example of a regular expression is test\.zip; in this example, anything in the top level directory with a .zip file extension would be excluded from the evaluation.

      [Note]

      Occurrences inside an identified archive make the containing binary proprietary as well. For example, if a proprietary zip is found inside a jar, the jar is also considered proprietary.

  4. After entering your proprietary component identification, click the Add button. This queues your new proprietary component identifier for saving. To remove an entry, click its remove icon (a minus symbol) in the list. No changes are persisted to the server until you click the Save button.

[Tip]

When using regular expressions in the format .*{some_identifying_text}\.zip, the entire directory being evaluated is searched for proprietary components; compare .*data\.zip with data\.zip, which only matches at the top level.

figs/web/clm-server-proprietary-packages-configuration.png

Figure 5.4. Proprietary Packages Configuration via the Sonatype CLM Server


Once your proprietary components are configured, Sonatype CLM looks at each component and the directory structure of the application being evaluated. Anything that matches your proprietary component configuration is identified as proprietary and displayed accordingly in the reports.
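The following added example (not part of the Sonatype documentation or the CLM product code) models the matching behaviour described above so you can check a candidate pattern set before saving it. It assumes that group identifiers such as com.sonatype map to the path prefix com/sonatype/, that ANT globs are matched against the whole entry path, and that regular expressions are anchored full matches (which is what makes .*data\.zip reach into subdirectories while data\.zip only hits the top level). Python's re is used as a stand-in for Java's regex engine, which behaves the same for patterns this simple. The sample archive entries and the `container!/entry` notation for nested archives are constructed for the demonstration.

```python
import re

# Constructed sample of what an unpacked application might contain:
# (containing archive or None for top level, path of the entry inside it).
# lib/app-core.jar is a nested archive that itself contains META-INF/data.zip.
SAMPLE_ENTRIES = [
    (None, "com/sonatype/internal/Billing.class"),
    (None, "com/sonatype/util/Strings.class"),
    (None, "com/example/Vendor.class"),
    (None, "data.zip"),
    (None, "resources/data.zip"),
    ("lib/app-core.jar", "META-INF/data.zip"),
    (None, "lib/commons-io.jar"),
]


def ant_glob_to_regex(pattern):
    """Translate an ANT-style glob into an anchored regex.
    **/ matches zero or more directories, ** any depth, * stays within one
    path segment, ? is one character. Assumption: CLM's glob matcher behaves like this."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


def build_matchers(groups=(), globs=(), regexes=()):
    """groups: dotted group ids (com.sonatype -> everything under com/sonatype/);
    globs: raw ANT patterns; regexes: Java-style regexes (assumed anchored full match)."""
    matchers = [ant_glob_to_regex(g.replace(".", "/") + "/**") for g in groups]
    matchers += [ant_glob_to_regex(g) for g in globs]
    matchers += [re.compile(r) for r in regexes]
    return matchers


def classify(entries, matchers):
    """Return the sorted list of paths that would be marked proprietary.
    A matching entry inside a nested archive also marks that archive proprietary,
    mirroring the note that a proprietary zip inside a jar makes the jar proprietary."""
    proprietary = set()
    for container, path in entries:
        if any(m.fullmatch(path) for m in matchers):
            proprietary.add(path if container is None else f"{container}!/{path}")
            if container is not None:
                proprietary.add(container)
    return sorted(proprietary)


if __name__ == "__main__":
    base = build_matchers(groups=["com.sonatype"])
    print("group only        :", classify(SAMPLE_ENTRIES, base))
    print("regex data\\.zip   :", classify(SAMPLE_ENTRIES, base + build_matchers(regexes=[r"data\.zip"])))
    print("regex .*data\\.zip :", classify(SAMPLE_ENTRIES, base + build_matchers(regexes=[r".*data\.zip"])))
```

Running the block shows the difference the tip describes: with data\.zip only the top-level data.zip is marked, while .*data\.zip also catches resources/data.zip and the copy nested in lib/app-core.jar, which in turn marks the jar itself as proprietary. Because anything marked proprietary is excluded from evaluation, an over-broad pattern silently removes third-party components from policy checks, so it is worth dry-running a new pattern against a representative file list like this before saving it.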

[Note]

Changes to the proprietary component configuration are not applied retroactively to existing reports.