Project Inventory Details Pane
Code Insight 2021 R1
The Project Inventory Details pane is located on the Project Inventory tab for the current project. This pane is populated with details about the currently selected inventory item on the tab. (For a description of the Project Inventory tab and how to access it, see Project Inventory Tab.)
The pane enables legal and security experts to review the published inventory as needed and either approve items for inclusion in the Bill of Materials or reject them until further review or remediation efforts are performed. The reviewers can create tasks for the additional reviews or for the remediation work required by software engineering to fix security or legal risks in the code. They can also finalize the third-party Notices content that can be used in the Bill of Materials.
The following table describes the Project Inventory Details pane.
Header information
The header on the Project Inventory Details pane shows buttons that enable you to take actions on the inventory item and lists attributes about the item and its associated component.

- Recall Item: Click to recall (remove) a published inventory item from the Inventory Items list if it does not fit the criteria for inclusion. The selected items are removed from the Project Inventory view and are only visible in the Analysis Workbench.
- Edit Item: Click to open the Edit Inventory dialog, where you can update inventory attributes. See Editing Inventory from the Project Inventory Tab for details.
- Previous Item/Next Item: Show the details for the previous or next inventory item in the Inventory Items list.
- Confidence: A simple three-segment graph representing the Confidence level (High, Medium, or Low) of the inventory item. The Confidence level is the measure of the strength of the discovery technique used to generate the inventory item. The graph shows three shaded segments for High confidence, two for Medium, and one for Low. For more information about the Confidence levels, see Inventory Confidence in the “Using Code Insight” chapter.
- Encryption: The Yes, No, or N/A value indicating whether the component associated with the inventory item provides the encryption capabilities used in your product. Encryption can affect export controls. This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).
- Vulnerabilities: A bar graph showing the count of known vulnerabilities, by severity color, for the component associated with the inventory item. Click the graph to view the list of vulnerabilities and their details. For details about the graph and vulnerabilities in general, see Security Vulnerabilities Associated with Inventory. If no vulnerabilities have been found for the inventory item, the value No is displayed in place of the graph.
- Priority: A dropdown list showing the priority level given to this inventory item by the system, with P1 as the highest priority and P4 as the lowest. You can change the priority for this inventory item by selecting a different priority from the dropdown list and clicking Save. For more information about priorities, see Inventory Priority.
- Status: The status of the inventory item:

Inventory Details tab
The Inventory Details tab lists attributes of the inventory item.

- Name: The name of the inventory item. This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).
- Description: A description of the inventory item. This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).
- URL: The URL of the license for this inventory item. You can click the URL link to open the component website. This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).
- Provenance: The source project from which the current inventory item was derived. If the inventory item is not derived from another project, the value Originated in this project is displayed. However, if the inventory item is derived from another project (for example, the current inventory item was imported to the current project), the origin of the inventory is displayed with the inventory name and project name:
  If the source project and inventory item still exist, this value is hyperlinked so that you can open the source project directly to the Project Inventory tab, with focus on the Inventory Details page for the original inventory item. This direct link enables you to explore the auditing and review details of the original inventory item to determine inventory history—for example, the reason the item was previously approved or rejected. If the source inventory item or project no longer exists, no link to the original inventory item is provided.
  Note: You cannot update this property from the Code Insight Web UI in general, but you can edit it when creating or updating inventory using the Inventory REST API.
- Disclosed: The property indicating whether the third-party component or artifact represented by the inventory item was a known third-party dependency in your code before it was discovered by the scan or by you. The value is either Yes or No. This field is used most often by analysts to denote information about the state of the inventory item. This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).
- Modified: The property indicating whether code from the OSS or third-party package has been modified for use by your organization. The value is Yes, No, or Unknown. This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).
- Alerts: The property notifying you whether or not security vulnerability alerts exist for this item. If alerts exist, click the x Open Alerts or x Closed Alerts link to view their details. If no alerts exist, None is displayed. You can open the Alerts dialog from this pane to change the status or priority of an alert. For more information, see Managing Security Vulnerability Alerts.
- Tasks: The number of open or closed tasks for this inventory item. Click the x Closed Tasks or x Open Tasks link to view and update the tasks. If no tasks are associated with this inventory item, None is displayed. You can access the Tasks dialogs from this pane to create, edit, and close tasks. See Creating and Managing Tasks for Project Inventory for details.
- Workflow URL: The URL link or a plain-text reference (such as a Jira issue number) to request data pertaining to this inventory item in your site’s external workflow system. The link enables the reviewer to easily access the workflow data that tracks the status of open tasks for the inventory item. (The plain-text reference still helps the reviewer locate the appropriate data in the workflow system.) You can define this attribute when you edit or manually create an inventory item from the Analysis Workbench or the Project Inventory tab. If no URL or reference has been defined, the value is None. If additional request-related details are available for this inventory item, the
  Note: These details come from the specific external workflow system associated with your site. The details can vary based on your workflow system.

Component Details tab
The Component Details tab lists attributes of the OSS or third-party component associated with the inventory item.

- Component: The name of the OSS or third-party component and its internal ID, as identified in the Code Insight data library. You can associate the inventory item with a different component using the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).
- Version: The component version and its internal ID, as identified in the Code Insight data library. You can associate the inventory item with a different version of the component using the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).
- Forge: The external repository associated with the component. You can click the forge link to open the forge website.
- Selected License: The name of the license selected for this component. You can switch to a different license from the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).
- Possible Licenses: Other licenses that can be associated with the component.
- Custom Component: The Yes or No value indicating whether the component is custom (created by a user) or provided as part of the Code Insight data library.
- Vulnerabilities: A bar graph showing the count of known vulnerabilities, by severity color, for the component. Click the graph to view the list of vulnerabilities and their details. For details about the graph and vulnerabilities in general, see Security Vulnerabilities Associated with Inventory. If no vulnerabilities have been found for the inventory item, the value No is displayed in place of the graph.
- Encryption: The Yes, No, or N/A value indicating whether the component provides the encryption capabilities used in your product. Encryption can affect export controls. This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).
- CPE: The list of CPE names—from the National Vulnerability Database—that are mapped to the component. CPE (Common Platform Enumeration) is a structured naming scheme that includes the component’s vendor and product names in the following format: cpe://<part>:<vendor>:<product>, where <part> is either a (applications), h (hardware platforms), or o (operating systems). Note that the data provided only represents the part, vendor, and product; the version information is truncated from the CPE string.
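The CPE naming described above, as an added example (not code from Code Insight or its documentation): a small Python parser that splits a CPE 2.2 name into part, vendor, product and optional version, renders the truncated part:vendor:product form the pane lists, and checks whether a component's truncated CPE and a vulnerability's CPE name the same product. It assumes the NVD CPE 2.2 URI prefix cpe:/ (single slash) and also accepts the cpe:// spelling used on this page; the vendor and product names are constructed sample inputs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# CPE 2.2 URI binding: cpe:/<part>:<vendor>:<product>[:<version>[:...]].
# NVD writes a single slash; this page writes "cpe://", so both spellings are
# accepted here (an assumption made for this example, not Code Insight behaviour).
_CPE_RE = re.compile(r"^cpe:/{1,2}([aho]):([^:]*):([^:]*)(?::(.*))?$")

PART_LABELS = {"a": "applications", "h": "hardware platforms", "o": "operating systems"}


@dataclass(frozen=True)
class Cpe:
    part: str               # 'a', 'h' or 'o'
    vendor: str
    product: str
    version: Optional[str]  # None when the name is truncated, as in the pane


def parse_cpe(name: str) -> Cpe:
    """Parse a CPE 2.2 name; rejects unknown <part> values and malformed strings."""
    m = _CPE_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a CPE 2.2 name: {name!r}")
    part, vendor, product, rest = m.groups()
    # Only the first field after <product> is the version; later fields
    # (update, edition, language) are ignored in this example.
    version = rest.split(":", 1)[0] if rest else None
    return Cpe(part, vendor, product, version or None)


def truncated(cpe: Cpe) -> str:
    """Render the part/vendor/product form the pane lists (version dropped)."""
    return f"cpe:/{cpe.part}:{cpe.vendor}:{cpe.product}"


def same_product(component: Cpe, vuln: Cpe) -> bool:
    """True when both names refer to the same part, vendor and product.

    Because the pane's CPE list carries no version, this is the only comparison
    the listed names support: it says some version of the product is affected,
    not that the version recorded in inventory is. Version applicability has to
    come from the vulnerability record itself.
    """
    return truncated(component) == truncated(vuln)


if __name__ == "__main__":
    component = parse_cpe("cpe://a:apache:log4j")    # constructed: as the pane shows it
    vuln = parse_cpe("cpe:/a:apache:log4j:2.14.1")  # constructed: as an NVD record names it
    print(PART_LABELS[component.part], truncated(vuln), same_product(component, vuln))
```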
Notices Text tab
The Notices Text tab is used to finalize the exact content to include in the Notices report. For more information, see Finalizing the Notices Text for the Notices Report.

- As-Found License Text: The As-Found License Text field shows the license text or license references found in the scanned codebase. You cannot edit this field, but you can click Copy to Notices Text to copy the text to the Notices Text field. If content already exists in the Notices Text field, you can choose either to append the As-Found License Text content to the existing notices content or to replace the existing notices content.
- Notices Text: The exact content to include in the Notices report. You can edit any license text previously saved to this field or add your own license text, such as license information for rules that you developed during your manual research on the inventory item. You can also copy the As-Found License Text content to the Notices Text field and modify it as needed. Or you can leave this field empty. Click Save at the top of the field if you make any changes to this field. If you provide information in this field, the Notices report pulls the content of only this field into the report. If this field is empty, the content of the As-Found License Text field is used in the report. If both fields are empty, the report uses the license content from the Code Insight data library (see License Details from the Code Insight Data Library). For more information, see Finalizing the Notices Text for the Notices Report.

Notes & Guidance tab
The Notes & Guidance tab provides information about the automated and manual analysis of the codebase as it relates to an inventory item.

- Detection Notes: System notes that can specify the following:
- Audit Notes: Any notes added to the inventory item by the auditor or reviewer, based on findings during the analysis.
- Usage Guidance: Helpful notes provided by a reviewer to assist other reviewers or to provide guidance to software engineers assigned tasks to fix or modify the use of the OSS or third-party software in the product code.

Usage tab
The Usage tab provides details on how your product uses the OSS or third-party software. You cannot update these items on the Usage tab, but you can update them on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

- Distribution Type: The option indicating how the inventory item is distributed:
- Part of Product: The option indicating whether the item is part of the core product or an infrastructure piece such as a build or test tool. This can affect whether third-party notices are required for this item. The value can be Yes, No, or Unknown.
- Linking: The option identifying how your software package links to the OSS or third-party component libraries. This method can affect license priority and obligations.
- Modified: The option indicating whether code from the OSS or third-party package has been modified for use by your organization. The value can be Yes, No, or Unknown.
- Encryption: The option indicating whether the component provides the encryption capabilities used in the product. Encryption can affect export controls. The value can be Yes, No, or Unknown.

Associated Files tab
Click this tab to view a list of the files that are part of the inventory for this project. Each file entry shows the following:
If you have Analyst permissions, the path is hyperlinked to open the file’s File Details tab in the Analysis Workbench, where you can view file evidence. If necessary, while in the Analysis Workbench, you can also add or remove files associated with the inventory. If you do not have Analyst permissions, the path remains in plain text.