About the Standard Reports for Projects
The following describes the reports that come standard with Code Insight and are available for any project:
Project Report
The Project report summarizes the inventory, security vulnerabilities, remaining scan evidence, and review and remediation tasks for a selected project. It produces output in JSON and Excel format. This report is useful in understanding the existing project’s legal and security risks based on identified inventory items, as well as the additional potential risk based on the file-based scan results known as third-party indicators.
Note the following:
• The metrics and statistics in this report are based on the results of the most recent server scan and remote scan(s) associated with the project.
• Currently, Code Insight is able to report license evidence found in remote files scanned by a scan agent. This evidence is reflected (along with evidence detected by the Scan Server) in the charts and data in the following locations:
  • Additional Evidence section of the Summary sheet
  • Files with License sheet (with an Alias column to help you determine which files are remote)
  • All Scanned Files sheet
• When the report lists codebase files, an alias and file path can be included with each file name in the format <alias>:<filePath> (or as separate properties). The alias is a unique descriptive name representing the scan-root path for the Scan Server or remote scan agent, and the file path is relative to the scan root. (The actual absolute scan-root path for each scanner associated with the project is available on the project's Summary sheet.)
• The security vulnerability information in the report is based on the CVSS version (v3.x or v2.0) currently used by your Code Insight system for reporting purposes. If CVSS 3.x is used, vulnerability counts and information in the report are based on data from all CVSS v3 systems supported by Code Insight, currently v3.1 and v3.0. (A given vulnerability can have only one v3 score, either a v3.1 or a v3.0 score, not both.)
• Suppressed security vulnerabilities are not shown in this report, and total counts for vulnerabilities do not include suppressed vulnerabilities.
Audit Report
Audit reports provide another way to distribute your research and findings to others in your organization. Only published inventory items appear in Audit reports.
Note the following:
• The metrics and statistics in this report are based on the results of the most recent server scan and remote scan(s) associated with the project.
• When the report lists codebase files, an alias and file path can be included with each file name in the format <alias>:<filePath>. The alias is a unique, descriptive name representing the scan-root path for the Scan Server or remote scan agent, and the file path is relative to the scan root. (The actual scan root for each scanner associated with a project is available on the project's Summary sheet.)
• The total lines of code listed on the Summary sheet is based on the server-side codebase only; the total does not include lines of code in the remote codebase(s).
• The security vulnerability information in the report is based on the CVSS version (v3.x or v2.0) currently used by your Code Insight system for reporting purposes. If CVSS 3.x is used, vulnerability counts and information in the report are based on data from all CVSS v3 systems supported by Code Insight, currently v3.1 and v3.0. (A given vulnerability can have only one v3 score, either a v3.1 or a v3.0 score, not both.)
• Suppressed security vulnerabilities are not shown in this report, and total counts for vulnerabilities do not include suppressed vulnerabilities.
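The notes for the Project report and the Audit report above state three rules a consumer of the report data has to honour: suppressed vulnerabilities are neither shown nor counted, scores come from the CVSS version the system is configured for (with at most one v3 score per vulnerability), and codebase files are referenced as <alias>:<filePath> relative to a scan root listed on the Summary sheet. The following Python is an added example that reconciles a report export against those rules; it is not Code Insight code. The record layout, field names, alias names, scan-root paths and the treatment of v2-only vulnerabilities under v3.x reporting are all constructed assumptions, since the page does not show the actual report schema.

```python
"""Apply the counting and file-reference rules from the Project/Audit report notes.

Added example, not Code Insight code. The record layout, field names, aliases
and scan-root paths below are constructed assumptions; the real report schema
is not shown on this page.
"""
import posixpath
from collections import Counter

V3_SYSTEMS = ("v3.1", "v3.0")   # the CVSS v3 systems the notes say are supported
CVSS_MODES = ("v3.x", "v2.0")   # the system-wide reporting setting

# Constructed sample vulnerabilities (hypothetical shape, not the report schema).
SAMPLE_VULNERABILITIES = [
    {"id": "VULN-A", "scores": {"v3.1": 9.8, "v2.0": 7.5}, "suppressed": False},
    {"id": "VULN-B", "scores": {"v3.0": 5.3, "v2.0": 4.3}, "suppressed": False},
    {"id": "VULN-C", "scores": {"v2.0": 6.4}, "suppressed": False},         # v2-only
    {"id": "VULN-D", "scores": {"v3.1": 7.2}, "suppressed": True},          # must not be counted
    {"id": "VULN-E", "scores": {"v3.1": 8.1, "v3.0": 7.9}, "suppressed": False},  # breaks the one-v3-score rule
]

# Constructed alias -> absolute scan-root mapping, as the Summary sheet would list it.
SAMPLE_SCAN_ROOTS = {
    "scanserver": "/opt/codeinsight/scanroot/projectA",
    "buildagent-01": "/home/ci/workspace/projectA",
}


def select_score(vuln, cvss_mode):
    """Pick the (system, score) the report would use under the configured CVSS
    setting. Returns None when nothing applies; raises if a vulnerability carries
    both a v3.1 and a v3.0 score, which the notes rule out."""
    scores = vuln["scores"]
    if cvss_mode == "v3.x":
        present = [s for s in V3_SYSTEMS if s in scores]
        if len(present) > 1:
            raise ValueError(f"{vuln['id']}: both v3.1 and v3.0 scores present")
        return (present[0], scores[present[0]]) if present else None
    return ("v2.0", scores["v2.0"]) if "v2.0" in scores else None


def severity(system, score):
    """NVD qualitative rating for a score; v2.0 has no Critical band."""
    if system in V3_SYSTEMS:
        bands = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))
    else:
        bands = ((3.9, "Low"), (6.9, "Medium"), (10.0, "High"))
    return next(label for upper, label in bands if score <= upper)


def count_vulnerabilities(vulns, cvss_mode):
    """Count per severity the way the notes describe: suppressed items are neither
    shown nor counted, and scores come from the configured CVSS version. Items that
    break the one-v3-score invariant are returned separately instead of being
    silently counted. v2-only items under v3.x land in "Unscored"; that is an
    assumption, the page does not say how the report treats them."""
    if cvss_mode not in CVSS_MODES:
        raise ValueError(f"unknown CVSS mode {cvss_mode!r}")
    counts, inconsistent = Counter(), []
    for vuln in vulns:
        if vuln.get("suppressed"):
            continue
        try:
            chosen = select_score(vuln, cvss_mode)
        except ValueError:
            inconsistent.append(vuln["id"])
            continue
        counts["Unscored" if chosen is None else severity(*chosen)] += 1
    return counts, inconsistent


def resolve_file_reference(ref, scan_roots):
    """Map '<alias>:<filePath>' from the report back to an absolute path via the
    alias -> scan-root table. Unknown aliases raise KeyError; absolute or
    traversing paths raise ValueError rather than escaping the scan root."""
    alias, sep, rel = ref.partition(":")
    if not sep or alias not in scan_roots:
        raise KeyError(f"no scan root known for alias {alias!r} in {ref!r}")
    if posixpath.isabs(rel) or ".." in rel.split("/"):
        raise ValueError(f"file path must stay relative to the scan root: {rel!r}")
    return posixpath.join(scan_roots[alias], rel)


if __name__ == "__main__":
    for mode in CVSS_MODES:
        counts, bad = count_vulnerabilities(SAMPLE_VULNERABILITIES, mode)
        print(mode, dict(counts), "inconsistent:", bad)
    print(resolve_file_reference("buildagent-01:src/main/java/App.java", SAMPLE_SCAN_ROOTS))
```

Two design choices worth noting. A vulnerability with both a v3.1 and a v3.0 score is reported back as inconsistent rather than counted under either, because the notes say that state cannot occur and a count that silently picks one would hide a data problem. The alias resolver refuses absolute and `..` paths: a file path in the report is defined as relative to its scan root, so anything else is either corrupt data or an attempt to point a downstream tool outside the tree it was asked to inspect.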
Notices Report
Code Insight provides the ability to produce a Notices report to satisfy the attribution requirements of most open source licenses. The report is created in text format.
After Engineering has completed the remediation plan, resolving all rejected inventory items, the codebase is rescanned until it is approved for release. When the codebase is approved for release, you need to generate a Notices report to accompany the software application. This report is a compilation of all the open source/third-party components contained in the product and their license content (notices).
The Notices report shows only published inventory. The inventory can be system-generated or custom and of any type—Work in Progress, Component, or License.
The following items can appear in the Notices report for each inventory item:
• Inventory name: the entry in this field is based on naming conventions, which is usually the component name, version, and governing license name.
• Inventory URL: if the inventory URL is not available, Code Insight uses the associated component URL. If both are unavailable, no URL appears in the report.
• Inventory Notices Text: the final "notices" text associated with the inventory item. It is pulled from the Notices Text field on the Notices Text tab for a selected inventory item in the Analysis Workbench or in Project Inventory. If this field is empty, Code Insight uses the content in the As-Found License Text field (also on the Notices Text tab), which shows the verbatim license text found in the codebase by the system. If neither As-Found License Text nor Notices Text is available, the text pulled from the Revenera Data Library for the selected license is used in the Notices report. For more information, see Finalizing the Notices Text for the Notices Report.