Logo Sonatype CLM Sonatype CLM Server - Application Composition Report
Documentation Index
Sonatype CLM Downloads
Release Notes
Document Descriptions and PDFs
Upgrade Instructions
Requirements

Sonatype CLM Server
Installation and Configuration
Security Administration
Policy Management
Dashboard
Application Composition Report
REST APIs

Sonatype CLM for...
Bamboo
CLI
Hudson and Jenkins
IDE
Maven
Nexus
SonarQube

The CLM Book (All Guides)
Optimized Component Lifecycle Management with Sonatype CLM

Sonatype CLM Server - Application Composition Report

5.1. Matching Components

When a Sonatype CLM analysis is performed, hashes of the components in your application are created. This in many ways is like a fingerprint, which is unique to a component. We then compare that fingerprint (hash), back to our database of components. This database includes general component info, usage statistics, security vulnerability, and license information.

All of this information can be used as parameters in your policy, which translates to more understanding of the component usage in your organization. That data however, can only be linked based on a matching of hashes, which can be exact or similar, and in some cases, unknown. We discuss these three match types below.

figs/web/app-comp-report-filter-matches.png

Figure 5.2. Filter and Matching Options


Exact
An exact match means that a one-to-one link was found between a component hash in your application, and our database. All the data you see represented corresponds to a component we have identified and collect information for. This is the best case scenario with regard to component identification, and most components should fit in this category.
Similar
A similar match is found using proprietary matching algorithms, and is our best guess for a component that you have in your application. In some cases, multiple matches may be found, and this is where the Similar section of the CIP is important. While the most likely match is used to display any information about a similar matched component, you can see all other matches in this section of the application composition report. An example is displayed in Figure 2.13, “CIP, Similar Section”.
Unknown
There are instances where not even a similar component match can be determined. This should be considered a serious situation, at least one that needs to be investigated. This could be a case of a component being recompiled and modified so that a match to our database is no longer possible.

However, there is a chance that component is something malicious introduced into the application. Either way, an unknown component is one that Sonatype CLM has no information for. Of course, if during your investigation, you are able to identify the component, you can claim that component, via the Claim Components section, which we will walk you through in more detail a little bit later. An example is displayed in Figure 5.1, “Unknown Component”.

[Note]

Unknown components will not be displayed in the License tab until they have been claimed.

In addition to the main filters above, you can also control whether all violations for each component will be displayed. By default the summary of violations is shown. This means that only the worst violation for a component will be shown, and the component will only appear once in the list. Choosing All or Waived, will show all violations (including those waived), or only the waived violations, respectively.

[Note]

Changing the Violations filter can result in the components being displayed in the component list more than once.