Examining Evidence of Open-Source Code in a Given Non-Binary File
If your project scan is configured to perform source-code matches, the scan will identify source-code snippets (also called fingerprints) in your non-binary code that match open-source and other third-party code stored in the Compliance Library (CL). The Partial Matches tab for a given codebase file shows the snippet matches as highlighted within the actual file content. This tab also includes a list of the CL files (called remote files) associated with the discovered snippets. When you select one of these remote files, the source-code highlights are refreshed to highlight only those snippets associated with the remote file.
Note: The size limit for a file that you open in the Partial Matches tab is 2 MB. If the file you want to inspect is too large, you can download and open it outside of Code Insight to inspect it manually for evidence.
To view source matches, do the following:
1. Ensure that you have run a scan with Comprehensive Scan Profile selected in the desired project (or a custom scan profile with the Source Code Matches feature enabled). For more information, see Updating Scan Settings for a Project.

4. Click a codebase file in the list in File Search Results, and select the Partial Matches tab.

5. On the Partial Matches tab, click the Source Matches selection box at the top of the tab to enable source code fingerprint match results.

   Three Remote Files panels are displayed:

   • The information in the Remote Files panel on the left consists of a set of files stored in the Code Insight Data Library (and thus identified in the open-source community) that contain code snippets identical to code snippets detected in the scanned file. This matching code can indicate that the scanned file in the codebase contains content that originated from outside the organization, and its origin needs to be identified.
   Note: On these panels, the files in the Data Library are called “remote” to distinguish them from the actual codebase files to which they correspond.
   • The Components panel lists the open source or third-party components associated with the remote file.

   • The Licenses panel lists the licenses normally associated with the component.

   See More About the “Remote Files” Panels on the Exact or Partial Matches Tabs for details about the functionality available from the three panels.

6. Select a remote file in the Remote Files panel on the left to highlight the source-code snippets in the scanned file that match those in the remote file and to view the lists of associated component and license information (on the Components and Licenses panels, respectively).

   Note that the Remote Files panel will additionally contain the following CodeRank™ values:

   • CodeRank (CR%): A composite heuristic comprised of Coverage, Clustering, and Uniqueness values. The higher the number, the stronger the match confidence.

   • Coverage (CV%): The percentage of remote-file content contained in your scanned file.

   • Clustering (CL%): The density or proximity of remote-file matches within your scanned file.

   • Uniqueness (U%): An indication of how often the remote-file matches detected in the scanned file occur in the Compliance Library (CL).

   • Matches: The number of unique matches in the scanned file.
7. To view the instances of other types of evidence (for example, copyrights, licenses, URLs, email addresses, and search terms) in the codebase file, click the appropriate color-coded selection boxes at the top of the Partial Matches tab. (The following shows selection boxes that have been contracted because of a reduced screen size.)

   Each instance of evidence is highlighted in the same color as its corresponding selection box.
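The CodeRank values listed in step 6 are easier to interpret with numbers in hand. The following Python script is an added example, not Code Insight's code and not data from its Compliance Library: it builds simple line-window fingerprints for a constructed scanned file and three constructed remote files, computes approximations of Coverage, Clustering, Uniqueness and Matches under the definitions stated in its comments, and ranks the remote files by a plain-mean composite standing in for CodeRank (the product's real fingerprint size, normalization and weighting are not on this page, so all of those are assumptions). It also returns the scanned-file line numbers that a selected remote file would highlight.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# A fingerprint is a hash over WINDOW consecutive non-blank, normalized lines.
# Assumption for this illustration only; real scanners choose their own snippet size.
WINDOW = 3


def _kept_lines(text: str) -> List[Tuple[int, str]]:
    """Non-blank lines as (original line number, whitespace-collapsed lowercase text)."""
    return [(n, " ".join(line.split()).lower())
            for n, line in enumerate(text.splitlines(), start=1) if line.strip()]


def fingerprints(text: str) -> Dict[str, List[int]]:
    """Map each fingerprint digest to the window positions (index into non-blank lines) where it starts."""
    kept = _kept_lines(text)
    fps: Dict[str, List[int]] = {}
    for i in range(len(kept) - WINDOW + 1):
        chunk = "\n".join(t for _, t in kept[i:i + WINDOW])
        fps.setdefault(hashlib.sha1(chunk.encode("utf-8")).hexdigest(), []).append(i)
    return fps


def matched_lines(scanned: str, remote: str) -> Set[int]:
    """Scanned-file line numbers inside a window that also occurs in the remote file
    (the lines the tab would highlight when this remote file is selected)."""
    kept = _kept_lines(scanned)
    s, r = fingerprints(scanned), fingerprints(remote)
    lines: Set[int] = set()
    for fp in set(s) & set(r):
        for pos in s[fp]:
            lines.update(kept[j][0] for j in range(pos, pos + WINDOW))
    return lines


def metrics(scanned: str, remote: str, library: Dict[str, str]) -> Dict[str, float]:
    s, r = fingerprints(scanned), fingerprints(remote)
    shared = set(s) & set(r)
    matches = len(shared)                       # Matches: distinct shared fingerprints
    # Coverage: share of the remote file's fingerprints that appear in the scanned file.
    coverage = 100.0 * matches / len(r) if r else 0.0
    # Clustering: matched windows over all windows spanned from first to last match.
    positions = sorted({p for fp in shared for p in s[fp]})
    clustering = 100.0 * len(positions) / (positions[-1] - positions[0] + 1) if positions else 0.0
    # Uniqueness: mean over matched fingerprints of 1 / (library files containing it);
    # a snippet found in every library file says little about origin.
    lib = [set(fingerprints(t)) for t in library.values()]
    uniqueness = (100.0 * sum(1.0 / max(1, sum(fp in f for f in lib)) for fp in shared) / matches
                  if matches else 0.0)
    # Composite: plain mean of the three (assumption; the product's weighting is not given here).
    coderank = (coverage + clustering + uniqueness) / 3.0
    return {"matches": matches, "coverage": coverage, "clustering": clustering,
            "uniqueness": uniqueness, "coderank": coderank}


def rank_remote_files(scanned: str, library: Dict[str, str]) -> List[Tuple[str, Dict[str, float]]]:
    """Remote files ordered by composite score, highest first (as the Remote Files panel would)."""
    ranked = [(name, metrics(scanned, text, library)) for name, text in library.items()]
    ranked.sort(key=lambda item: item[1]["coderank"], reverse=True)
    return ranked


# Constructed sample inputs (not real library content).
SCANNED = """#include <stdio.h>

int add(int a, int b) {
    return a + b;
}
int sub(int a, int b) {
    return a - b;
}
static int local_helper(void) {
    return 42;
}
int main(void) {
    printf("%d", add(1, 2));
    return 0;
}
"""
LIBRARY = {
    # add + sub: contiguous 6-line match in SCANNED, one extra function not present there
    "remote_a.c": "int add(int a, int b) {\n    return a + b;\n}\nint sub(int a, int b) {\n"
                  "    return a - b;\n}\nint mul(int a, int b) {\n    return a * b;\n}\n",
    # only the very common add() function in common with SCANNED
    "remote_b.c": "int add(int a, int b) {\n    return a + b;\n}\nvoid log(const char *m) {\n"
                  "    puts(m);\n}\n",
    # high coverage but the matches are far apart in SCANNED (add() near the top, main() at the end)
    "remote_c.c": "int add(int a, int b) {\n    return a + b;\n}\nint main(void) {\n"
                  "    printf(\"%d\", add(1, 2));\n    return 0;\n}\n",
}

if __name__ == "__main__":
    for name, m in rank_remote_files(SCANNED, LIBRARY):
        print(f"{name}: CR {m['coderank']:.1f}%  CV {m['coverage']:.1f}%  "
              f"CL {m['clustering']:.1f}%  U {m['uniqueness']:.1f}%  matches {m['matches']}")
        print("  highlighted lines:", sorted(matched_lines(SCANNED, LIBRARY[name])))
```

Running it ranks remote_a.c first (four contiguous matches, 100% clustering), remote_c.c second (80% coverage but its matches are spread over most of the scanned file, so clustering drops to about 36%), and remote_b.c last: its single shared snippet, the trivial add() function, occurs in all three library files, so uniqueness falls to about 33%. That is the practical reading of the three values: a high CR% backed by high uniqueness points to content worth attributing, while a match made only of boilerplate that the whole library shares is weak evidence of origin.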