Documentation Nexus IQ Server 1.31

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

19.3. Using the Component Info View

Once the plugin is configured and the component analysis has completed, the component view will look similar to the example displayed in Figure 19.5, “Example Component Info View”. The list of components reflects an analysis of the project's build path.

[Note]

For Maven projects, only dependencies in the compile and runtime scopes are included in the CLM evaluation by default. If you wish to also include dependencies found in the provided, test, and system scopes, this can be configured.
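To see which of a project's declared dependencies enter the evaluation under the default scope selection, the following added example (not part of the Sonatype documentation or plugin) parses a constructed pom.xml, applies Maven's default scope of compile to dependencies that declare none, resolves ${...} property references, and keeps only the scopes that are evaluated by default. The sample POM, the function names and the `scopes` parameter are assumptions made for this example.

```python
"""Select the Maven dependencies that fall into the evaluated scopes.

Added example: mirrors the default selection (compile + runtime) described
in the note above and lets you widen it to provided/test/system.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
DEFAULT_SCOPES = ("compile", "runtime")        # evaluated by default
ALL_SCOPES = DEFAULT_SCOPES + ("provided", "test", "system")

# Constructed sample POM for this example; not taken from any real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <properties>
    <commons.version>2.4</commons.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>${commons.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-simple</artifactId>
      <version>1.7.7</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>3.1.0</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.11</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def _child_text(element, tag, default=None):
    """Text of a namespaced child element, or `default` if absent."""
    child = element.find(f"m:{tag}", POM_NS)
    return child.text.strip() if child is not None and child.text else default


def _resolve(value, props):
    """Substitute ${name} with values from <properties>; unknown names stay as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def parse_dependencies(pom_xml):
    """Return the direct dependencies declared in the POM as dicts.

    A dependency without a <scope> element gets Maven's default scope, compile.
    """
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        deps.append({
            "groupId": _child_text(dep, "groupId"),
            "artifactId": _child_text(dep, "artifactId"),
            "version": _resolve(_child_text(dep, "version", ""), props),
            "scope": _child_text(dep, "scope", "compile"),
        })
    return deps


def evaluated_dependencies(pom_xml, scopes=DEFAULT_SCOPES):
    """Dependencies whose scope is in `scopes` (default: compile + runtime)."""
    return [d for d in parse_dependencies(pom_xml) if d["scope"] in scopes]


if __name__ == "__main__":
    for d in evaluated_dependencies(SAMPLE_POM):
        print(f"{d['groupId']}:{d['artifactId']}:{d['version']} ({d['scope']})")
    print("--- with all scopes ---")
    for d in evaluated_dependencies(SAMPLE_POM, ALL_SCOPES):
        print(f"{d['groupId']}:{d['artifactId']}:{d['version']} ({d['scope']})")
```

Only direct dependencies appear in a POM; the transitive dependencies that the view also lists (shown in gray, see below) are resolved by Maven from the dependency tree, so a script like this only tells you which declared entries seed the evaluation, not the full list the plugin will show.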

figs/web/ide-eclipse-component-info-view-example.png

Figure 19.5. Example Component Info View


The top left-hand corner of the Sonatype CLM for Eclipse Component Info view displays either the number of projects currently being examined in the view or the name of the specific project. Next to that, the number of components found and the number of components shown in the list are displayed.

The top right-hand corner provides a number of buttons to access the following features of Sonatype CLM for Eclipse:

figs/web/ide-eclipse-clm-icon-details.png Open Component Details
Opens another window with more details about the selected component, including policy violations, license analysis and security issues.
figs/web/ide-eclipse-clm-icon-pom.png Open POM
Opens the Maven pom.xml file of the component selected in the list in the Maven POM Editor.
figs/web/ide-eclipse-clm-icon-search.png Locate Declarations
Starts a search that displays all usages of the selected component in the projects currently examined, as documented in Section 19.5, “Searching for Component Usages”.
figs/web/ide-eclipse-clm-icon-filter.png Filter
Brings up the filter selection, which lets you narrow down the number of components visible in the view, as documented in Section 19.4, “Filtering the Component List”.
figs/web/ide-eclipse-clm-icon-configure.png Configure
Activates the configuration dialog for the component analysis.
figs/web/ide-eclipse-clm-icon-refresh.png Refresh
Refreshes the component list and analysis results.
figs/web/ide-eclipse-clm-icon-help.png Show information about the plugin
Displays the Sonatype CLM for Eclipse support pages in an external browser.
figs/web/ide-eclipse-clm-icon-minimize.png Minimize
Minimizes the view.
figs/web/ide-eclipse-clm-icon-maximize.png Maximize
Maximizes the view.

The left-hand side of the view contains the list of components found in the project, identified by their artifact identifier and version number. A color indicator beside each component signals potential policy violations. The right-hand side of the view displays the details of the component selected in the list on the left.

[Tip]

You may notice that some components are shown in black and others in gray. Black indicates components you have included directly in your application; gray indicates components that are pulled in as transitive dependencies.

By clicking on the list header on the left, the list can be ordered by the threat level of the policy a component has violated. Where there is no violation, the indicator is simply light blue.

When you select a specific component in the list, its details, various properties, and a visualization of the available versions are displayed to the right of the list.

[Tip]

Depending on your screen size, the visualization may be shown below the component list. Try adjusting your screen size or resizing the panel.

figs/web/ide-eclipse-component-info-details.png

Figure 19.6. Details for a Component in the Component Info View


The details of a specific component as displayed in Figure 19.6, “Details for a Component in the Component Info View” include properties about the component and provide access to further features:

Group
The Maven groupId the component was published with. In many cases this is equivalent to the reverse domain name of the organization responsible for developing or running the project.
Artifact
The Maven artifactId of the component, which acts as a short and ideally descriptive name.
Version
The Maven version of the component. A version string ending in -SNAPSHOT signifies a transient, in-development version; any other version is a release version.
Overridden License
The value of a license override configured in your Sonatype CLM server.
Declared License
The software license declared by the developers of the project, identified either during research by Sonatype or directly from the Maven POM file.
Observed License
The licenses found by the Sonatype CLM server during source code analysis.
Highest Policy Threat
The highest threat level policy that has been violated, as well as the total number of violations.
Highest Security Threat
The highest security threat level as well as the number of issues found with the respective level.
Patch Available
This is a future feature that will provide details in instances where a patch is available. Patches will be provided and verified by Sonatype.
Cataloged
The age of the component in the Central Repository.
Identification Source
The catalog in which a component identification match was found: either a match made by Sonatype (e.g. against the catalog of the Central Repository) or a match made manually (i.e. through the Sonatype CLM claiming process).
Website
If available, an information icon providing a link to the project is displayed.
View Details
Press this button to display the details view for the selected component as detailed in Section 19.6, “Inspecting Component Details”.
Migrate
Press this button to start a project refactoring that allows you to change all usages of the current component to a different version as documented in Section 19.7, “Migrating to Different Component Versions”.
Custom Metadata
This is a future feature that will allow you to display all custom metadata tags assigned to the component.
figs/web/ide-eclipse-component-info-range.png

Figure 19.7. Properties of a Component for a Version Range


The visualization chart displayed in Figure 19.6, “Details for a Component in the Component Info View” shows a number of properties for the different available versions of the selected component. Older versions are displayed on the left and newer versions on the right. Click on any section of the visualization and all information for that particular version is highlighted, with the specific version number shown at the bottom. In addition, the details for that version of the component are displayed in the left-hand list of properties. Arrows to the left and right of the visualization allow you to scroll through the full range of available versions.

The properties displayed include:

Popularity
The relative popularity of a version as compared to all other versions of the component.
License Conflict
Displays an indicator if the observed licenses of the component create a legal conflict; e.g. GPL V2 and Apache V2 are not compatible for distribution within one component.
License Risk
The risk posed by the component's licenses, based on the license threat groups configured on the Sonatype CLM Server. Defaults are provided, but the groups are configurable.
Security Alerts
Indicators for the severity of the security alerts affecting the component version.

You will likely notice a number of colors within the visualization chart. The meaning of each color is as follows:

For Popularity
  • Grey for any version older than the current version.
  • Green for newer versions within the same major version as the current component.
  • Blue for newer versions with a greater major version than the current component.
For License and Security
  • Blue - no security or license risk
  • Yellow - minor security or license risk
  • Orange - medium security or license risk
  • Red - severe security or license risk