Sonatype CLM Server - Application Composition Report

4.3. The Component Information Panel (CIP)

To access the CIP for a component on the License Analysis tab, click on the component row. The row expands to show details in a number of sections. This looks the same as the CIP opened from the other tabs of the application composition report, and it is: accessing the CIP via the License Analysis tab provides nothing additional. For this section, however, we focus on the license-related information in the Component Info section, as well as the entire Edit Licenses and Audit sections.

[Figure 4.3. Component Information Panel (CIP): figs/web/app-comp-report-CIP-license.png]


Component Info

Again, the information shown here is the same whether or not you reached the component via the License Analysis tab; that tab simply gives us the context to discuss the license-related fields in this section.

License Identification Types

On the left side of the Component Info section, pay attention to the three fields described below.

Declared License
These are the licenses that the developer of the component has identified.
Observed License
These are the licenses that have been observed during Sonatype's research.
Effective License
The effective license is determined in one of two ways. Where multiple licenses are found, including any that are observed, all of them are treated as effective. If a license has been selected, or overridden, then that license is considered effective and is listed here.

License Identification Values

In cases where there are no declared and/or observed licenses, a message is displayed instead. There are several possible messages, each with a specific meaning:

No Source License
Sources were provided, but no license data was found in them.
No Sources
Indicates that we have no sources for the component.
Not Declared
Indicates that nothing was declared by the author/developer.
Not Provided
Appears when the license is actually null. This is unique to claimed components, but might also occur while new components are still being processed by Sonatype.
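As an added illustration (not Sonatype's code), the following Python models how the three license fields above are resolved from a component's declared and observed licenses and when each of the four messages is shown. The record type and field names, the rule that a selected/overridden license replaces the others, and the "(none)" display for an empty effective set are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Display values the CIP uses when license data is missing (taken from the page).
NO_SOURCE_LICENSE = "No Source License"  # sources present, but no license data found
NO_SOURCES = "No Sources"                # no sources available for the component
NOT_DECLARED = "Not Declared"            # author/developer declared nothing
NOT_PROVIDED = "Not Provided"            # license is null (claimed / still being processed)

@dataclass
class ComponentLicenses:
    # Constructed input record; the field names are this example's, not a CLM API.
    declared: Optional[List[str]]   # None models a null license, [] models "nothing declared"
    observed: List[str]             # licenses found during Sonatype's research
    sources_available: bool         # were sources available for analysis?
    override: Optional[str] = None  # license a reviewer selected/overrode in Edit Licenses

def dedupe(licenses: List[str]) -> List[str]:
    # Keep the first occurrence of each license, preserving order.
    seen, out = set(), []
    for lic in licenses:
        if lic not in seen:
            seen.add(lic)
            out.append(lic)
    return out

def effective_licenses(c: ComponentLicenses) -> List[str]:
    # Assumption: a selected/overridden license wins outright; otherwise every
    # declared and observed license is effective.
    if c.override:
        return [c.override]
    return dedupe((c.declared or []) + c.observed)

def cip_license_fields(c: ComponentLicenses) -> Dict[str, str]:
    # The three fields as the Component Info section would display them.
    if c.declared is None:
        declared = NOT_PROVIDED
    else:
        declared = ", ".join(dedupe(c.declared)) or NOT_DECLARED
    if not c.sources_available:
        observed = NO_SOURCES
    else:
        observed = ", ".join(dedupe(c.observed)) or NO_SOURCE_LICENSE
    effective = effective_licenses(c)
    # Assumption: an empty effective set is shown as "(none)"; the page does not say.
    return {"Declared License": declared, "Observed License": observed,
            "Effective License": ", ".join(effective) or "(none)"}
```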

Component Graph

The graph is laid out like a grid, with each vertical slice representing a particular version; the selected version is identified by a vertical line.

While the graph also displays popularity and security information, for now just look at License Risk. This shows the license risk based on the currently selected application and the policies and/or license threat groups associated with that application. Use the application selector to change the application, and with it the policies the component is evaluated against.