Inventory Confidence
The Automated Analysis portion of the Code Insight Scan Server uses a variety of techniques to identify inventory items in the scanned code base. The Confidence level (High, Medium, or Low) of an inventory item measures the strength of the discovery technique that generated the item and the certainty of the finding. It is derived by assigning a score to the following elements:
• The strength of the analysis technique that provided the metadata on the inventory item.
• The existence of this inventory item in the Code Insight Data Library: items that have matching components in the Data Library have higher levels of confidence.
The Confidence level is represented as a simple three-segment graph for each inventory item in the Analysis Workbench or on the Project Inventory tab. Three shaded segments indicate High confidence, two indicate Medium, and one indicates Low.
[Figure: Confidence graph showing Medium confidence, with two of the three segments shaded.]
The Confidence level is also available as a search criterion on the Project Inventory tab and can be used to quickly identify items that may require additional triage or review.
The Confidence levels are:
• High confidence—The item was identified either with a specific, highly targeted rule or by processing a structured manifest file from a package manager (such as pom.xml for Maven or package.json for npm). A High-confidence inventory item almost always matches a component in the Code Insight Data Library and rarely requires further triage or review by the Analyst.
• Medium confidence—The item was identified using a more generic technique or by processing a secondary indicator. A Medium-confidence inventory item might or might not match a component in the Code Insight Data Library and might require triage or review in order to be validated or further refined.
• Low confidence—The item was identified using a very generic rule or an exploratory detection technique, and thus might represent a component of unknown origin. Inventory items of Low confidence rarely match a component in the Code Insight Data Library and should be further triaged and reviewed by an Analyst for accuracy and completeness.
The table below summarizes the detection techniques and the Confidence level each one yields:

Detection Technique    | Rule or Configuration File Used                                      | Confidence Level
-----------------------|----------------------------------------------------------------------|---------------------------------------------------------------------------------------------
Analyzers              | Primary                                                              | High
Analyzers              | Secondary                                                            | Medium
Search term analysis   | Rules with versions                                                  | High
Search term analysis   | Component-only rules                                                 | Medium
File name analysis     | Specific rules                                                       | Low
File name analysis     | Generic rules for a certain type of component                        | Low
File name analysis     | Generic rules                                                        | Low
Direct dependencies    | Based on package manager files (pom.xml, package.json, and so forth) | Low by default, but can increase to Medium if a matching component + version is found in the Code Insight Data Library
Transitive dependencies| Based on lookups against the respective repositories (Maven, npm, and so forth) | Low by default, but can increase to Medium if a matching component + version is found in the Code Insight Data Library
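The following is an added illustrative model of how the Confidence levels described above could be assigned and then used to build a triage queue; it is not Code Insight's own code, and the Data Library, the manifests, the file listing and the search-term rules it uses are constructed stand-ins. It applies two of the rows from the table: manifest-derived direct dependencies start at Low and rise to Medium when the component + version is known to the library, and a search-term rule that captures a version yields High while a component-only rule yields Medium.

```python
import json
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# --- Constructed inputs (illustrative only, not taken from any real project) ---
PACKAGE_JSON = json.dumps({
    "name": "sample-app",
    "dependencies": {"lodash": "4.17.21", "left-pad": "1.3.0"},
})

POM_XML = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>internal-lib</artifactId>
      <version>0.1.0-SNAPSHOT</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed file listing fed to search-term analysis.
FILE_LISTING = ["lib/commons-lang3-3.12.0.jar", "lib/guava.jar", "src/Main.java"]

# Constructed stand-in for the Data Library: (component, version) pairs it knows.
# The real Data Library is a service; this set literal is a hypothetical substitute.
DATA_LIBRARY = {("lodash", "4.17.21"), ("commons-lang3", "3.12.0"), ("guava", "31.1")}

# Constructed search-term rules. A rule whose pattern captures a version is a
# "rule with version"; a rule that only names the component is "component-only".
SEARCH_RULES = [
    ("commons-lang3", re.compile(r"commons-lang3-(\d+\.\d+\.\d+)\.jar$")),
    ("guava", re.compile(r"guava\.jar$")),
]

SEGMENTS = {"High": 3, "Medium": 2, "Low": 1}  # shaded segments in the Confidence graph


@dataclass(frozen=True)
class InventoryItem:
    component: str
    version: Optional[str]
    technique: str
    confidence: str  # "High", "Medium" or "Low"


def parse_package_json(text):
    """Direct npm dependencies as (component, version) pairs."""
    return list(json.loads(text).get("dependencies", {}).items())


def parse_pom(text):
    """Direct Maven dependencies as (artifactId, version) pairs."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(text)
    return [(d.findtext("m:artifactId", namespaces=ns), d.findtext("m:version", namespaces=ns))
            for d in root.findall(".//m:dependency", ns)]


def dependency_items(package_json, pom_xml, library):
    """Manifest-derived items: Low by default, Medium when component+version is in the library."""
    items = []
    for comp, ver in parse_package_json(package_json) + parse_pom(pom_xml):
        conf = "Medium" if (comp, ver) in library else "Low"
        items.append(InventoryItem(comp, ver, "direct_dependency", conf))
    return items


def search_term_items(paths, rules):
    """Search-term analysis: a version-capturing rule yields High, a component-only rule Medium."""
    items = []
    for path in paths:
        for comp, rx in rules:
            m = rx.search(path)
            if not m:
                continue
            ver = m.group(1) if m.groups() else None
            items.append(InventoryItem(comp, ver, "search_term", "High" if ver else "Medium"))
    return items


def triage_queue(items):
    """Items an Analyst should look at: everything below High, lowest confidence first."""
    return sorted((i for i in items if i.confidence != "High"), key=lambda i: SEGMENTS[i.confidence])


def render(item):
    """Text rendering of the three-segment Confidence graph for one item."""
    filled = SEGMENTS[item.confidence]
    bar = "#" * filled + "." * (3 - filled)
    return f"[{bar}] {item.confidence:<6} {item.component} {item.version or '?'} ({item.technique})"


if __name__ == "__main__":
    inventory = dependency_items(PACKAGE_JSON, POM_XML, DATA_LIBRARY) + search_term_items(FILE_LISTING, SEARCH_RULES)
    for item in inventory:
        print(render(item))
    print("needs review:", [i.component for i in triage_queue(inventory)])
```

Running it prints one line per item with its segment graph and then the review queue; internal-lib and left-pad, which the library does not know, stay at Low and come first, while commons-lang3 found through the version-capturing rule is High and is excluded from the queue even though the same component also appears as a Medium manifest item.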