Inventory Details Tab in the Analysis Workbench

The Inventory Details tab in the Analysis Workbench contains a sub-tab for each inventory item you have opened from the Inventory Items pane. Each sub-tab contains the following fields describing a given inventory item:

Inventory Details Tab

Category

Column/Field

Description

Header information

The Inventory Details tab header shows buttons that enable you take actions on the inventory item and lists attributes about the item and its associated component.

Recall

Click to recall (remove) a published inventory item from Inventory Items list if it does not fit the criteria for inclusion. The selected items are removed from the Project Inventory view and are only visible in the Analysis Workbench.

View History

Click open the Inventory History Window, which shows a list of all updates made to the inventory item up to the current date and provides details for each update.

Create Custom Rule

(Available when inventory Type is Component) Click to open the Custom Detection Rule dialog to define an new detection rule for codebase files that are associated with a third-party component but not associated with inventory. For details, see Managing Custom Detection Rules.

Save

Click to save any changes you have made to the inventory details.

Close

Click to close the Inventory Details pane without saving changes. You are asked to save changes before the actual closure.

Review Status

The status of the inventory item:

Approved—The item is approved for use in the software project.
Not Reviewed—The item has not been automatically reviewed by policy (therefore requires a manual review).
Draft—This item is in the process of being reviewed.
Rejected—The item is not approved for use in the software project. Instead, the item needs further review and remediation before being used in the software project.

 

Alerts

Notifies you whether or not security alerts exist for this item. If alerts exist, click the x Open Alerts or x Closed Alerts link to view their details. If no alerts exist, None is displayed. You can access the Alerts dialog from this pane to change the status or priority of an alert. For more information, see Managing Security Vulnerability Alerts.

Priority

A dropdown list showing the priority level given to this inventory item by the system, with P1 as the highest priority and P4 as the lowest.

You can change the priority for this inventory item by selecting a different priority from the dropdown list and clicking Save. For more information about priorities, see Inventory Priority.

Vulnerabilities

A bar graph showing the count of known vulnerabilities by severity color for the inventory item. Click the graph to view the list of vulnerabilities and their details. For details about the graph and vulnerabilities in general, see Security Vulnerabilities Associated with Inventory.

The counts in this graph do not include vulnerabilities that are currently suppressed. If no vulnerabilities have been found for the inventory item, the value No is displayed in place of the graph. Additionally, if the Type value for the inventory item is Work in Progress or License Only, the value N/A is displayed.

Created By

The name of the person or process that created the inventory item.

Confidence

A simple three-segment graph representing the Confidence level (High, Medium, or Low) of the inventory item. The Confidence level is the measure of the strength of the discovery technique used to generate the inventory item. The graph shows three shaded segments for High confidence, two for Medium, and one for Low.

For more information about the Confidence levels, see Inventory Confidence.

Created On

The date that the inventory item was created.

Updated On

The date that the inventory item was updated. If the item has not been updated since the creation date, the date shown here will be the same as the Created On date.

Inventory details

The following attributes describe the inventory item. You can update these attributes as needed from this pane. For details, see Editing Inventory from the Analysis Workbench or Creating an Inventory Item from the Analysis Workbench.

Name

The name of the inventory item.

Type

The type of finding of this item:

Work in Progress—A set of files with something in common. The work in progress will become a component or license only via manual audit work.
Component—Files from a specific component version with known or unknown license. If this type is selected, the Lookup Component button becomes active, enabling you to select a new component instance (component, version, license) for the inventory item or create a new component for the item (see Creating a Custom Component).
License Only—Files under a specific license without a known component.

Component

(Available for Component inventory types) The name of the component. Click to view publicly available information about the component. (See Component Details Window for details.) You can also do the following:

Click to select a new version (or license) for the component.
To help you make an informed decision about the version selection, you can click the View all versions link to open the Versions for <componentName> window. From here, view the list of all versions for the component and, for each version, its associated licenses and security vulnerability totals (by severity). You can also delve into more detail for each associated vulnerability. For more instructions, see Versions for <componentName> Window.

License

(Available for Component and License Only inventory types) The name of the license associated with the component or the License Only inventory item. Click to view additional information about the license. See License Details Window for further information.

For a Component inventory item, click to select a new license (or version) for the component.

 

Description

A description of the inventory item. You can update the description as needed.

URL

The URL of the forge repository for this inventory item. You can update the URL as needed.

Provenance

The source project from which the current inventory item was derived.

Note:You cannot update this property from the Code Insight Web UI in general, but you can edit it when creating or updating inventory using the Inventory REST API.

If the inventory item is not derived from another project, the value Originated in this project is displayed.

However, if the inventory item is derived from another project (for example, the inventory item was imported, copied, or branched to the current project), the origin of the inventory is displayed with the inventory name and project name:

If the source project and inventory item still exist, this value is hyperlinked so that you can open the source project directly to the Project Inventory tab, with focus on the Inventory Details page for the original inventory item. The linked inventory item enables you to trace the origin of the item through its chain of predecessors. You can explore the auditing and review details of the each preceding inventory item to determine inventory history—for example, the reason the item was previously approved or rejected.

If the source inventory item or its project no longer exists, the link to the previous inventory item is provided is permanently disabled (once the link in initially clicked).

 

Dependency Scope

(Not editable) The dependency scope of the inventory item:

Runtime—The inventory item is a dependency required at runtime.
Non-Runtime—The inventory item is a dependency not required at runtime.
N/A—The inventory item cannot be classified as a runtime or non-runtime dependency. Such items include top-level inventory, dependencies for which Code Insight does not currently support the reporting of scope, and migrated inventory for which a scan has not been run.

For more information, see Dependency Scopes in the Automated Analysis section.

Disclosed

The Yes or No option indicating whether the third-party component or artifact represented by the inventory item known third-party dependency in your code before it was discovered by the scan or you.

This field is used most often by analysts to denote information about the state of the inventory item.

Workflow URL

The URL (or a text reference such as a Jira issue number) that points to the request data pertaining to this inventory item as found in your site’s external workflow system.

When you view this value on the Inventory Details tab in Project Inventory, the URL displays as a link (labeled as View Associated Request), enabling the reviewer to easily access to the workflow data that tracks the status of open tasks for the inventory item.

A text reference entered here is not converted to a link on the Inventory Details tab, but it still provides direction in locating the appropriate data in the workflow system.

The value is None if you enter no URL or reference.

Additionally, when you view the Inventory Details tab in Project Inventory, an icon will be displayed next to the URL if additional request-related details are available for the inventory item. The reviewer can then click the icon for a quick review of pertinent details about the request without having to access the workflow system.

Notices Text tab

The Notices Text tab is used to finalize the exact content to include in the Notices report. You can edit the notices content as needed from this tab when editing an existing inventory item or creating a new one. For more information, see Finalizing the Notices Text for the Notices Report.

As-Found License Text

The As-Found License Text field shows the license text or license references found in the scanned codebase. You cannot edit this field. However, if you want to use this content in the Notices report, click Copy to Notices Text to copy the text to the Notices Text field and modify it if necessary. If content already exists in the Notices Text field, you can choose either to append the As-Found License Text content to the existing notices content or to replace the existing notices content.

This field is blank if no license text or references were found in the scanned codebase.

If this field contains information and the Notices Text field remains blank, the Notices report uses the content in this field. If both fields are empty, the report uses the license content from Code Insight Data Library (see License Details from the Code Insight Data Library).

 

Notices Text

The exact content to include in the Notices report. You can edit any license text previously saved to this field or manually add your own license text, such as license information for rules that you developed during your manual research on the inventory item.

You can also copy the As-Found License Text content (see the previous description) to the Notices Text field and modify it as needed. As a third option, you can click the Update Notices Text button to pull a copy of the current license content from the Code Insight Data Library into the Notices Text field and modify it as needed.

Or you can leave this field empty.

If you provide information in this field, the Notices report pulls the content of only this field into the report. If this field is empty, the content of the As-Found License Text field is used in the report. If both fields are empty, the report uses the license content from Code Insight Data Library (see License Details from the Code Insight Data Library).

For more information, see Finalizing the Notices Text for the Notices Report.

Copy to Notices Text button

(Located within the As-Found License Text field) Click this button to copy content the text in this field into the Notices Text field and modify it as necessary. If the Notices Text field already contains content, you are given the option either to append the As-Found License Text content to the existing Notices Text content or to replace all the existing Notices Text content with the As-Found License Text content. Appended text starts on a new line after the existing content in the Notices Text field.

Update Notices Text button

(Located within the Notices Text field) Click this button to copy content from the Code Insight Data Library into the Notices Text field. You can then modify the content as needed. If the Notices Text field already contains content, you asked whether to overwrite the content. If you select No, the copy operation is ended. If you select Yes, the operation proceeds. Refer to Using License Text from the Revenera Data Library in the Notices Report for the prerequisites needed to perform this copy and the types of issues you can encounter.

Notes tab

The Notes tab provides information about the automated and manual analysis of codebase as it relates to an inventory item.

Detection Notes

System notes that can specify the following:

The automated detection technique that was used to locate the component
License information in the case that the license has changed from one version to another or if the component has multiple licenses
Attributes extracted from a POM or manifest file containing project and configuration details

Audit Notes

Any notes added to the inventory item by the auditor or reviewer, based on findings during the analysis. You can edit these notes as needed from this pane when editing an existing inventory item or creating a new one. See Viewing and Updating Detection and Auditing Notes in the Analysis Workbench.

Associated Files tab

Click this tab to view a list of the files that are part of the inventory for this project. Each file entry shows the following:

Action—Icons that you can click to perform certain actions on the file. Currently, only the icon shows, enabling you to disassociate the file from the inventory item.
Alias—The unique user-defined alias that was defined for the scanner (Scan Server or remote scan agent) to represent its scan-root path containing the codebase in which the file is located. The alias provides a name that is more meaningful than the scan-root path. (The actual absolute scan-root path for each scanner associated with the project is available on the project’s Summary tab.)
File Path—The file’s path relative to the scan-root path on instance hosting the scanner. You can click the file-path link to open the File Details tab for that file.
Evidence—The color-coded icons representing the types of open-source or third-party evidence found in the file (see Using the Filter Legend Options to Filter the Codebase for a description of the icons). A check mark indicates that the file has been reviewed.

Note:You cannot sort the file list.

Optionally, you can right-click a file entry for options that enable you to perform additional operations on the file, such as marking it as reviewed, reverting its reviewed status to unreviewed, and other operations. See Managing the Codebase Files for details about these same options that are also available from the Codebase Files and File Search Results panes in the Analysis Workbench.

To add associated files to this list, see Adding Files to Inventory From the Codebase List.

Usage tab

The Usage tab provides details on how your product uses the OSS or third-party software. You can update this information as needed from this pane when editing an existing inventory item or creating a new one. See Viewing or Editing Inventory Usage Information from the Analysis Workbench.

 

Distribution Type

The option indicating how you are distributing the OSS or third-party component associated with the inventory item. The distribution type can affect license priority and obligations:

Internal—The component is distributed internally only (for example, as an internal test framework included in the codebase but not distributed publicly with the software package).
External—The component is a separate entity from your software package. It might be shipped as a separate component along with the software package or deployed through some method, such as a private cloud at the customer site.
Hosted—The component is hosted in your company’s data center (for example, as a SAAS application)
Unknown—The distribution type is unknown.

Part of Product

The option indicating whether the item is part of the core product or an infrastructure piece such as a build or test tool. This can affect whether third-party notices are required for this item. The value can be Yes, No, or Unknown.

Linking

The option identifying how your software package links to the OSS or third-party component libraries. This method can affect license priority and obligations.

Not linked—The software package uses no links to the component libraries.
Statically linked—The component libraries are included in the software materials and thus linked statically.
Dynamically linked—The component libraries are brought in at runtime.
Unknown—The type of linking is unknown.

Modified

The option indicating whether code from the OSS or third-party package has been modified for use by your organization. The value can be Yes, No, or Unknown.

Encryption

The option indicating whether the component provides the encryption capabilities used in the product. Encryption can affect export controls. The value can be Yes, No, or Unknown.

Custom Fields tab

The Custom Fields tab displays fields that were defined specifically for your site to provide information that standard Code Insight fields on the Inventory Details tab do not capture about the inventory.

If no custom fields have been defined, the tab displays the message “There are no custom fields configured”.

Use the following guidelines for entering (or editing) a value in a custom inventory field:

If available, click the icon in the upper right corner of a field to obtain help on completing the field.
You can enter a value up to 64k (64000 characters) in size.
To save the value, click the Save button next to Create Custom Rule button (in the Inventory Details tab header.