Inventory Details Tab in the Analysis Workbench

The Inventory Details tab in the Analysis Workbench contains a sub-tab for each inventory item you have opened from the Inventory Items pane. Each sub-tab contains the following fields describing a given inventory item:

Inventory Details Tab

Category

Column/Field

Description

Header information

The Inventory Details tab header shows buttons that enable you take actions on the inventory item and lists attributes about the item and its associated component.

Recall

Click to recall (remove) a published inventory item from Inventory Items list if it does not fit the criteria for inclusion. The selected items are removed from the Project Inventory view and are only visible in the Analysis Workbench.

 

View History

Click open the Inventory History Window, which shows a list of all updates made to the inventory item up to the current date and provides details for each update.

Create Custom Rule

(Available when inventory Type is Component) Click to open the Custom Detection Rule dialog to define an new detection rule for codebase files that are associated with a third-party component but not associated with inventory. For details, see Managing Custom Detection Rules.

Save

Click to save any changes you have made to the inventory details.

Close

Click to close the Inventory Details pane without saving changes. You are asked to save changes before the actual closure.

Review Status

The status of the inventory item:

Approved—The item is approved for use in the software project.
Not Reviewed—The item has not been automatically reviewed by policy (therefore requires a manual review).
Draft—This item is in the process of being reviewed.
Rejected—The item is not approved for use in the software project. Instead, the item needs further review and remediation before being used in the software project.

Alerts

Notifies you whether or not security alerts exist for this item. If alerts exist, click the x Open Alerts or x Closed Alerts link to view their details. If no alerts exist, None is displayed. You can access the Alerts dialog from this pane to change the status or priority of an alert. For more information, see Managing Security Vulnerability Alerts.

 

Priority

A dropdown list showing the priority level given to this inventory item by the system, with P1 as the highest priority and P4 as the lowest.

You can change the priority for this inventory item by selecting a different priority from the dropdown list and clicking Save. For more information about priorities, see Inventory Priority.

Vulnerabilities

A bar graph showing the count of known vulnerabilities by severity color for the inventory item. Click the graph to view the list of vulnerabilities and their details. For details about the graph and vulnerabilities in general, see Security Vulnerabilities Associated with Inventory.

The counts in this graph do not include vulnerabilities that are currently suppressed. If no vulnerabilities have been found for the inventory item, the value No is displayed in place of the graph. Additionally, if the Type value for the inventory item is Work in Progress or License Only, the value N/A is displayed.

Created By

The name of the person or process that created the inventory item.

Confidence

A simple three-segment graph representing the Confidence level (High, Medium, or Low) of the inventory item. The Confidence level is the measure of the strength of the discovery technique used to generate the inventory item. The graph shows three shaded segments for High confidence, two for Medium, and one for Low.

For more information about the Confidence levels, see Inventory Confidence.

Created On

The date that the inventory item was created.

Updated On

The date that the inventory item was updated. If the item has not been updated since the creation date, the date shown here will be the same as the Created On date.

Inventory details

The following attributes describe the inventory item. You can update these attributes as needed from this pane. For details, see Editing Inventory from the Analysis Workbench or Creating an Inventory Item from the Analysis Workbench.

Name

The name of the inventory item.

Type

The type of finding of this item:

Work in Progress—A set of files with something in common. The work in progress will become a component or license only via manual audit work.
Component—Files from a specific component version with known or unknown license. If this type is selected, the Lookup Component button becomes active, enabling you to select a new component instance for the inventory item.
License Only—Files under a specific license without a known component.

Component

The name of the component. Click to view publicly available information about the component. See Component Details Window.

Click to select a new version (or license) for the component.

License

The name of the license associated with this component. Click to view additional information about the license. See License Details Window.

Click to select a new license (or version) for the component.

Description

A description of the inventory item. You can update the description as needed.

URL

The URL of the license for this inventory item. You can update the URL as needed.

 

Provenance

The source project from which the current inventory item was derived.

Note:You cannot update this property from the Code Insight Web UI in general, but you can edit it when creating or updating inventory using the Inventory REST API.

If the inventory item is not derived from another project, the value Originated in this project is displayed.

However, if the inventory item is derived from another project (for example, the inventory item was imported to the current project), the origin of the inventory is displayed with the inventory name and project name:

If the source project and inventory item still exist, this value is hyperlinked so that you can open the source project directly to the Project Inventory tab, with focus on the Inventory Details page for the original inventory item. This direct link enables you to explore the auditing and review details of the original inventory item to determine inventory history—for example, the reason the item was previously approved or rejected. If the source inventory item or its project no longer exists, no link to the original inventory item is provided.

Disclosed

The Yes or No option indicating whether the third-party component or artifact represented by the inventory item known third-party dependency in your code before it was discovered by the scan or you.

This field is used most often by analysts to denote information about the state of the inventory item.

 

Workflow URL

The URL (or a text reference such as a Jira issue number) that points to the request data pertaining to this inventory item as found in your site’s external workflow system.

When you view this value on the Inventory Details tab in Project Inventory, the URL displays as a link (labeled as View Associated Request), enabling the reviewer to easily access to the workflow data that tracks the status of open tasks for the inventory item.

A text reference entered here is not converted to a link on the Inventory Details tab, but it still provides direction in locating the appropriate data in the workflow system.

The value is None if you enter no URL or reference.

Additionally, when you view the Inventory Details tab in Project Inventory, an icon will be displayed next to the URL if additional request-related details are available for the inventory item. The reviewer can then click the icon for a quick review of pertinent details about the request without having to access the workflow system.

Notices Text tab

The Notices Text tab is used to finalize the exact content to include in the Notices report. You can edit the notices content as needed from this pane when editing an existing inventory item or creating a new one. For more information, see Finalizing the Notices Text for the Notices Report.

As-Found License Text

The As-Found License Text field shows the license text or license references found in the scanned codebase. You cannot edit this field, but you can click Copy to Notices Text to copy the text to the Notices Text field. If content already exists in the Notices Text field, you can choose either to append the As-Found License Text content to the existing notices content or to replace the existing notices content.

Notices Text

The exact content to include in the Notices report. You can edit any license text previously saved to this field or add your own license text, such as license information for rules that you developed during your manual research on the inventory item. You can also copy the As-Found License Text content to the Notices Text field and modify it as needed. Or you can leave this field empty.

If you provide information in this field, the Notices report pulls the content of only this field into the report. If this field is empty, the content of the As-Found License Text field is used in the report. If both fields are empty, the report uses the license content from Code Insight data library (see License Details from the Code Insight Data Library).

For more information, see Finalizing the Notices Text for the Notices Report.

Notes tab

The Notes tab provides information about the automated and manual analysis of codebase as it relates to an inventory item.

Detection Notes

System notes that can specify the following:

The automated detection technique that was used to locate the component
License information in the case that the license has changed from one version to another or if the component has multiple licenses
Attributes extracted from a POM or manifest file containing project and configuration details

Audit Notes

Any notes added to the inventory item by the auditor or reviewer, based on findings during the analysis. You can edit these notes as needed from this pane when editing an existing inventory item or creating a new one. See Viewing and Updating Detection and Auditing Notes in the Analysis Workbench.

Associated Files tab

Click this tab to view a list of the files that are part of the inventory for this project. Each file entry shows the following:

Action—Icons that you can click to perform certain actions on the file. Currently, only the icon shows, enabling you to disassociate the file from the inventory item.
Alias—The unique user-defined alias that was defined for the scanner (Scan Server or remote scan agent) to represent its scan-root path containing the codebase in which the file is located. The alias provides a name that is more meaningful than the scan-root path. (The actual absolute scan-root path for each scanner associated with the project is available on the project’s Summary tab.)
File Path—The file’s path relative to the scan-root path on instance hosting the scanner. You can click the file-path link to open the File Details tab for that file.
Evidence—The color-coded icons representing the types of open-source or third-party evidence found in the file (see Using the Filter Legend Options to Filter the Codebase for a description of the icons). A check mark indicates that the file has been reviewed.

Note:You cannot sort the file list.

Optionally, you can right-click a file entry for options that enable you to perform additional operations on the file, such as marking it as reviewed, reverting its reviewed status to unreviewed, and other operations. See Managing the Codebase Files for details about these same options that are also available from the Codebase Files and File Search Results panes in the Analysis Workbench.

To add associated files to this list, see Adding Files to Inventory From the Codebase List.

Usage tab

The Usage tab provides details on how your product uses the OSS or third-party software. You can update this information as needed from this pane when editing an existing inventory item or creating a new one. See Viewing or Editing Inventory Usage Information from the Analysis Workbench.

 

Distribution Type

The option indicating how you are distributing the OSS or third-party component associated with the inventory item. The distribution type can affect license priority and obligations:

Internal—The component is distributed internally only (for example, as an internal test framework included in the codebase but not distributed publicly with the software package).
External—The component is a separate entity from your software package. It might be shipped as a separate component along with the software package or deployed through some method, such as a private cloud at the customer site.
Hosted—The component is hosted in your company’s data center (for example, as a SAAS application)
Unknown—The distribution type is unknown.

Part of Product

The option indicating whether the item is part of the core product or an infrastructure piece such as a build or test tool. This can affect whether third-party notices are required for this item. The value can be Yes, No, or Unknown.

Linking

The option identifying how your software package links to the OSS or third-party component libraries. This method can affect license priority and obligations.

Not linked—The software package uses no links to the component libraries.
Statically linked—The component libraries are included in the software materials and thus linked statically.
Dynamically linked—The component libraries are brought in at runtime.
Unknown—The type of linking is unknown.

Modified

The option indicating whether code from the OSS or third-party package has been modified for use by your organization. The value can be Yes, No, or Unknown.

Encryption

The option indicating whether the component provides the encryption capabilities used in the product. Encryption can affect export controls. The value can be Yes, No, or Unknown.

Custom Fields tab

The Custom Fields tab displays fields that were defined specifically for your site to provide information that standard Code Insight fields on the Inventory Details tab do not capture about the inventory.

If no custom fields have been defined, the tab displays the message “There are no custom fields configured”.

Use the following guidelines for entering (or editing) a value in a custom inventory field:

If available, click the icon in the upper right corner of a field to obtain help on completing the field.
You can enter a value up to 64k (64000 characters) in size.
To save the value, click the Save button next to Create Custom Rule button (in the Inventory Details tab header.