Advanced Inventory Search Dialog

The Advanced Inventory Search dialog is opened when you click the Advanced Search button at one of the following locations:

Inventory Items pane on the Project Inventory Tab
Inventory Items pane in the Analysis Workbench
Inventory View

Considerations When Using Advanced Inventory Searches in the Analysis Workbench

Note the following when using the Advanced Inventory Search feature in the Analysis Workbench.

If the Inventory Items list is filtered by published or not-published items (before or after using an Advanced Inventory search), the resulting inventory list is based on the published/not-published filter and the Advanced Inventory Search criteria.
Search results from Advanced Inventory Search criteria and the results of inventory searches based on associated codebase files are mutually exclusive and will overwrite each other in the Inventory Items pane. (For more information about inventory searches based on an inventory’s associated codebase files, see Showing Inventory Associated with Files Selected in the Codebase List.)

Field Descriptions

The Advanced Search dialog provides the following options that enable you to search project inventory in a variety of ways.

Table: Advanced Inventory Search Dialog (Section, Field, Description)


Inventory Items

The following options enable you to filter inventory by inventory attributes.

Inventory Name

Enter the whole or partial inventory name by which to filter the inventory display. For example, if you enter apache in this field, Code Insight will find all inventory items that contain the apache string in their names.

The name filter you enter here is automatically copied to the name filter field in the Inventory Items pane on the Project Inventory tab or in the Analysis Workbench. Likewise, if you have entered a name filter on the Inventory Items pane, it is automatically copied to this field on the Advanced Inventory Search dialog. This behavior enables you to keep the name filter persistent. You can always change or remove this filter as necessary at these locations.

Inventory Review Status

Select one or more of the following checkboxes to filter the inventory display based on the review status of inventory items:

Approved—Show only inventory that has been reviewed and approved, either manually by a reviewer or automatically during the auto-publish process.
Rejected—Show only inventory that has been reviewed and rejected, either manually by a reviewer or automatically during the auto-publish process.
Not Reviewed—Show only inventory that has not yet been reviewed.

For more information about the review status, see Review Status of Inventory.

When you select multiple options for this field, the search always applies “or” logic between the selections within the field.

Inventory Priority

Select one or more of the checkboxes (P1, P2, P3, or P4) to search the inventory by inventory priority.

For more information about inventory priority, see Inventory Priority.

When you select multiple options for this field, the search always applies “or” logic between the selections within the field.

 

Inventory Type

Select one or more of these options to search inventory by its type:

Component—Inventory based on registered component instances. (A registered component instance represents a unique component-version-license combination found in the Code Insight Data Library or database.)
License Only—“Placeholder” inventory that a user might still need to verify as a valid inventory and whose evidence includes one or more groups of codebase files of unknown origin governed by a specific license. Such inventory is usually identified by the temporary name “Files under <License_name>”.
Work in Progress—“Placeholder” inventory that a user might still need to verify as valid inventory and whose evidence includes third-party code or artifacts.

When you select multiple options for this field, the search always applies “or” logic between the selections within the field.

Created By

Select one of these options to search inventory by its creator type:

Any—Show all inventory no matter the value of an inventory item’s Created By field.
Users—Show only inventory that has been manually created by users. (This type of inventory shows the user’s first and last name in the inventory item’s Created By field.)
System—Show only inventory generated automatically by Code Insight. (This type of inventory shows System in the inventory item’s Created By field.)

 

Dependency Options

Select one of the following options to filter the inventory based on dependency level:

All Inventory Items—Show all inventory—that is, all top-level inventory items, along with their direct (also called first-level) and transitive dependencies.
Only Top-Level Inventory Items—Show all top-level inventory items only. No direct or transitive dependencies are displayed.
Only Direct Dependency Inventory Items—Show all inventory items that are direct dependencies of top-level inventory items. See also the Note below.
Only Transitive Dependency Inventory Items—Show only inventory items that are transitive dependencies of top-level inventory—that is, dependencies of direct dependencies or of other transitive dependencies, all tracing back to top-level inventory. See also the Note below.
Only Dependency Inventory Items—Show only first-level and transitive dependencies. No top-level inventory is displayed.

Note: Currently, the filters Only Transitive Dependency Inventory Items and Only Direct Dependency Inventory Items return results for only a transitive scan performed on an NPM package. For scans performed on any other package type, no results are returned. These filters will support other package types in future releases. (Optionally, you can always use Only Dependency Inventory Items to filter to inventory items that are direct or transitive dependencies, regardless of their package type.)

 

Dependency Scope

Select the dependency scope by which to filter inventory. The scope indicates whether or not the dependency is required at runtime. For more details about dependency scopes, see Dependency Scopes in the Automated Analysis section.

All—Show inventory of any dependency scope: Runtime, Non-Runtime, or N/A.

Inventory items with an N/A dependency scope are classified as neither runtime nor non-runtime dependencies. The N/A scope includes top-level inventory, those dependencies for which Code Insight does not currently support the reporting of scope, and migrated inventory for which a scan has not been run.

Runtime—Show only dependencies that have a runtime scope (that is, are required at runtime).

This scope selection is not applicable when the scan profile is configured to report no dependencies.

Non-Runtime—Show only those dependencies that have a non-runtime scope (that is, are not required at runtime).

This scope selection is not applicable under either of these conditions:

The scan profile is configured to report no dependencies.
The scan profile is configured to report only runtime dependencies.

Note: Your access to inventory of a specific scope in a project can change if a certain reconfiguration has previously occurred—for example, a change to the scan profile or a re-upload of updated runtime and non-runtime dependencies—and a rescan or full rescan has subsequently taken place.

 

Inventory Age

Select one of the following to filter the inventory display by the time frame in which the inventory items were published:

Last 1 day—Show inventory published in the last day. For example, if today is Feb 6th, search from Feb 5th 12 AM.
Last 7 days—Show inventory published in the last week. For example, if today is Feb 6th, search from Jan 30th 12 AM.
Last month—Show inventory published in the last month. For example, if today is Feb 6th, search from Jan 7th 12 AM (30 days).
Custom Date Range—Show inventory published within the specified time frame. Select a beginning (From) and ending (To) date from the pop-up calendar.
Any—Show all published inventory.

Inventory Notifications

Select one or more of the following checkboxes to filter the inventory display based on security vulnerability alerts:

Inventory with Open Alerts—Show only inventory items that have open vulnerability alerts (that is, alerts for vulnerabilities that were discovered post-publication and have not been closed).
Inventory Rejected Due to New Non-Compliant Security Vulnerabilities—Show inventory items that have been rejected due to new security alerts that are non-compliant with policy.

When you select multiple options for this field, the search always applies “or” logic between the selections within the field.

License Ranking Order

Select the following checkbox to filter the inventory display, showing only inventory items that are created or updated based on the ranking order of licenses specified in the License Ranking Order field on the System Settings tab:

Inventories whose license is set by the license ranking order—Show only inventory items that are created or updated based on the ranking order of licenses defined in the License Ranking Order field on the System Settings tab.

 

Inventory Confidence Level

Select one or more Confidence levels—High, Medium, or Low—by which to filter system-generated inventory items in the inventory display.

The Confidence level is the measure of the strength of the discovery technique used by Code Insight to generate an inventory item. For a description of the Confidence levels and how they are used, see Inventory Confidence.

When you select multiple options for this field, the search always applies “or” logic between the selections within the field.

Inventory Usage

Usage describes how the OSS or third-party software (represented by a given inventory item) is used in your product. Select one or more values for one or more Inventory Usage criteria to filter inventory by its usage.

Note the following about the processing of these criteria:

The criterion for each usage property defaults to Any, meaning the inventory can have any value in the search. The search does not filter inventory by a criterion with the Any value since no specific values are selected.
You can select one or more values for a given Inventory Usage criterion. An inventory item must match a selected value for this criterion to be considered in the search. For example, if you select Internal and Hosted for the Distribution Type criterion, an inventory item must match either Internal or Hosted to be considered in the search.
If you define multiple Inventory Usage criteria, the search uses “and” logic to process inventory against these criteria. That is, to be considered in the search, an inventory item must match a selected value for each Inventory Usage criterion.

For example, if you select Internal and Hosted for the Distribution Type criterion and select Dynamically Linked for the Linking criterion, only inventory defined with Internal or Hosted for its Distribution Type and Dynamically Linked for its Linking property will be considered in the search.

Distribution Type

The option indicating how the OSS or third-party component associated with an inventory item is distributed. The distribution type can affect license priority and obligations.

Internal—The component is distributed internally only (for example, as an internal test framework included in the codebase but not distributed publicly with the software package).

 

 

External—The component is a separate entity from your software package. It might be shipped as a separate component along with the software package or deployed through some method, such as a private cloud at the customer site.
Hosted—The component is hosted in your company’s data center (for example, as a SaaS application).
Unknown—The distribution type is unknown.

Part of Project

The option indicating whether the OSS or third-party component is part of the core product or an infrastructure piece such as a build or test tool. This can affect whether third-party notices are required for this item. The available values are Yes, No, and Unknown.

Linking

The option identifying how your software package links to the OSS or third-party component libraries. This method can affect license priority and obligations.

Not linked—The software package uses no links to the component libraries.
Statically linked—The component libraries are included in the software materials and thus linked statically.
Dynamically linked—The component libraries are brought in at runtime.
Unknown—The type of linking is unknown.

Modified

The option indicating whether code from the OSS or third-party package has been modified for use by your organization. The available values are Yes, No, and Unknown.

Encryption

The option indicating whether the component provides the encryption capabilities used in the product. Encryption can affect export controls. The available values are Yes, No, and Unknown.

Inventory Tasks

The following options filter inventory to show only those inventory items that have tasks. Refine the search using one or more task attributes—for example, task status, type, age, owner, or creator.

Task Status

Select one of the following to filter the inventory display by the current status of the tasks associated with inventory:

Open Tasks—Show inventory associated with at least one open task.
Closed Tasks—Show inventory associated with at least one closed task.
All Tasks—Show all inventory associated with tasks, open or closed.

Tasks Type

Select one of the following to filter the inventory display by the type of task associated with inventory:

Manual inventory review—Show inventory associated with at least one task requesting that a manual legal or security review be performed. (This review is needed to flag the inventory as accepted or rejected.)
Remediate Inventory—Show inventory (currently or previously rejected) associated with at least one task requesting that software development take some action to make rejected inventory acceptable.
Miscellaneous—Show inventory associated with at least one task requesting that additional attention of some sort be given to the inventory.
Any—Show all inventory associated with tasks of any type.

Tasks Age

Select one of the following to filter the inventory display by the time frame in which tasks associated with inventory items have been created:

Last day—Show inventory associated with at least one task created within the last day. For example, if today is Feb 6th, search from Feb 5th 12 AM.
Last 7 days—Show inventory associated with at least one task created within the last week. If today is Feb 6th, search from Jan 30th 12 AM.
Last month—Show inventory associated with at least one task created within the last month. If today is Feb 6th, search from Jan 7th 12 AM (30 days).

 

Custom Date Range—Show inventory associated with at least one task created in the specified time frame. Select a beginning (From) and ending (To) date from the pop-up calendar.
Any—Show all inventory associated with tasks, no matter when the tasks were created.

Task Owner

Select one of the following to filter the inventory display by the user who is assigned to tasks associated with inventory items:

Only Mine—Show inventory associated with at least one task assigned to you (the current user).
Specific User—Show inventory associated with at least one task assigned to the specified user. A Select user pop-up enables you to select the user.
Any—Show all inventory associated with tasks, no matter to whom the tasks are assigned.

Task Creator

Select one of the following to filter the inventory display by the user who created the tasks associated with the inventory items:

Created By Me—Show inventory items associated with at least one task created by you (the logged-in user).
Specific User—Show inventory items associated with at least one task created by the specified user. A Select user pop-up enables you to select the user.
Any—Show all inventory items associated with tasks, regardless of who created the tasks.

Docker Layers

The following option enables you to filter the list of inventory items based on the Docker layers associated with them.

Docker Layers

Select one or multiple Docker layers from the dropdown list, which enables you to filter the list of inventory items according to the selected Docker layers.

Note: If a Docker plugin scan is performed successfully in Code Insight, the Docker Layers section is accessible.

Inventory Custom Fields

The section is displayed only if one or more custom inventory fields have been defined for your site. If such fields have been defined, each field is listed, enabling you to set up a criterion for a given field that filters inventory by the field’s value (or its lack of value).

For each field whose value you want to use as a criterion for filtering inventory, do the following:

1. Under the field name, select the search operation (Contains, Equals, or Is Empty) in the field on the left.

A search based on the Is Empty criterion considers the field as empty if it has no value or only empty lines (or if it is designated as null in the REST interface). (An empty line is created by pressing the Return key but typing no characters.) The search ignores any field populated with one or more numbers, characters, or symbols.

2. In the Search Text field on the right, enter the partial or full field value by which to search inventory. (This field is disabled if Is Empty is selected.)

If you have set up multiple custom fields as criteria, the And or Or operator that applies across all fields in the advanced search (as selected for Apply x Criteria in the dialog) also applies across the custom-field criteria.

To appear in search results when Or is selected for the advanced search, an inventory item must contain at least one of the custom-field criteria you defined.
To be a candidate in the search results when And is selected, an inventory item must meet all the custom-field criteria you defined.

Security Vulnerabilities

The following options enable you to filter inventory by the attributes of the security vulnerabilities associated with inventory items.

If you accessed this dialog from the Inventory View, setting any of the following security-vulnerability criteria might increase the inventory search time significantly.

Note: When you search by the ID or severity of a suppressed vulnerability, the results do not include inventory items associated with component versions for which the vulnerability was suppressed.

Security Vulnerability ID

Enter the complete valid ID for the security vulnerability by which to filter the inventory display to show only those inventory items associated with the specified vulnerability.

Security Vulnerability Severity

Select one or more vulnerability severity levels by which to filter the inventory display to show only those inventory items associated with at least one vulnerability that has one of the selected severities.

The severity-level options differ depending on the CVSS version used by Code Insight.

If CVSS v3.x (3.0 and 3.1) is used, the following severity options are available:

Critical (CVSS score 9.0 - 10.0)
High (CVSS score 7.0 - 8.9)
Medium (CVSS score 4.0 - 6.9)
Low (CVSS score 0.1 - 3.9)
None (CVSS score = 0)

If CVSS v2.0 is used, these severity options are available:

High (CVSS score 7.0 - 10.0)
Medium (CVSS score 4.0 - 6.9)
Low (CVSS score 0.1 - 3.9)
Unknown (N/A)

For more information about vulnerability severities, see Security Vulnerabilities Associated with Inventory.

When you select multiple options for this field, the search always applies “or” logic between the selections within the field.

 

Security Vulnerability Age

Select one of the following options to filter the inventory display by the time frame in which security vulnerabilities associated with inventory items were detected.

Note: The detection date is either the inventory creation date (if a vulnerability was reported when the inventory was created) or the date that a new vulnerability applicable to this inventory was delivered by the update service.

Last day—Show inventory associated with at least one vulnerability detected within the last day. For example, if today is Feb 6th, search from Feb 5th 12 AM.
Last 7 days—Show inventory associated with at least one vulnerability detected within the last week. For example, if today is Feb 6th, search from Jan 30th 12 AM.
Last 30 days—Show inventory associated with at least one vulnerability detected within the last month. For example, if today is Feb 6th, search from Jan 7th 12 AM.
Custom Date Range—Show inventory associated with at least one vulnerability detected within a specific time frame. Select a beginning (From) and ending (To) date from the pop-up calendar.
Any—Show all inventory associated with security vulnerabilities, no matter when the vulnerabilities were detected.

Licenses and Versions

The following options enable you to filter inventory by attributes of the selected license for inventory items.

If you accessed this dialog from the Inventory View, setting any of the following license criteria might increase the inventory search time significantly.

License Name

Enter the full or partial license name by which to filter the inventory display. For example, if you enter bsd in this field, Code Insight will find all inventory items whose Selected License value has the bsd string in its name.

 

License Priority

Select one or more license priorities by which to filter the inventory display. The display will show only those inventory items whose Selected License has one of the priorities you select:

P1—Viral/Strong Copyleft
P2—Weak Copyleft/Commercial/Uncommon
P3—Permissive/Public Domain
No License Found

For more information about license priority, see Analyzing Scan Results in a Project.

When you select multiple options for this field, the search always applies “or” logic between the selections within the field.

Version

Select No Associated Version to filter to those licenses with no version associated with them.

Actions

The following are actions you can take to define criteria logic and apply the filters.

Apply And | Or Criteria

Select the boolean operator to apply to the search criteria:

Or—To be included in the search results, an inventory item must contain at least one of the criteria you selected on this dialog.
And—To be included in the search results, an inventory item must meet all the criteria across the advanced search, as selected in this dialog. (This is the default operator.)
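
The following added example (not Code Insight code, and not part of the product documentation) models how the criteria described on this page combine: "or" within a multi-select field, "and" across Inventory Usage properties, the Is Empty rule for custom fields, exclusion of suppressed vulnerabilities, and the dialog-wide And/Or operator. The dictionary keys, item names, and scores are constructed, and treating the Inventory Usage criteria as one combined criterion under Or, case-insensitive text matching, and the "Unknown" fallback are assumptions.

```python
# Illustrative model of the dialog's criteria logic; not Code Insight code.
V3_BANDS = [("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1), ("None", 0.0)]
V2_BANDS = [("High", 7.0), ("Medium", 4.0), ("Low", 0.1)]

def severity(score, cvss_version="3.1"):
    """Map a CVSS score to the severity label listed for the CVSS version in use."""
    bands = V2_BANDS if cvss_version.startswith("2") else V3_BANDS
    if score is not None:
        for label, floor in bands:
            if score >= floor:
                return label
    return "Unknown"  # assumption: anything outside the listed bands

def is_empty(value):
    """Is Empty: no value, null, or nothing but empty lines (Return presses)."""
    return value is None or value.strip("\r\n") == ""

def custom_check(item, name, op, text=""):
    value = item.get("custom", {}).get(name)
    if op == "Is Empty":
        return is_empty(value)
    if is_empty(value):
        return False
    # Assumption: Equals and Contains compare case-insensitively.
    if op == "Equals":
        return value.casefold() == text.casefold()
    return text.casefold() in value.casefold()

def matches(item, criteria, operator="And"):
    checks = []
    for attr in ("review_status", "priority"):  # checkbox fields: "or" within the field
        if criteria.get(attr):
            checks.append(item.get(attr) in criteria[attr])
    # Inventory Usage: "or" within one property, "and" across properties.
    usage = {k: v for k, v in criteria.get("usage", {}).items() if v}  # unset == Any
    if usage:
        checks.append(all(item.get("usage", {}).get(k) in v for k, v in usage.items()))
    if criteria.get("severity"):
        version = criteria.get("cvss_version", "3.1")
        # Suppressed vulnerabilities never make an item match (simplified model).
        checks.append(any(severity(v["score"], version) in criteria["severity"]
                          for v in item.get("vulns", []) if not v.get("suppressed")))
    for name, op, text in criteria.get("custom", []):
        checks.append(custom_check(item, name, op, text))
    if not checks:
        return True  # nothing selected: no filtering
    return all(checks) if operator == "And" else any(checks)

def search(inventory, criteria, operator="And"):
    return [i["name"] for i in inventory if matches(i, criteria, operator)]

# Constructed sample inventory (names, scores and fields are made up).
INVENTORY = [
    {"name": "example-lib-a", "review_status": "Approved", "priority": "P1",
     "usage": {"distribution": "Hosted", "linking": "Dynamically linked"},
     "vulns": [{"id": "EXAMPLE-0001", "score": 9.8}], "custom": {"owner": "platform"}},
    {"name": "example-lib-b", "review_status": "Not Reviewed", "priority": "P2",
     "usage": {"distribution": "External", "linking": "Dynamically linked"},
     "vulns": [{"id": "EXAMPLE-0002", "score": 7.5, "suppressed": True}],
     "custom": {"owner": "\n\n"}},
    {"name": "example-lib-c", "review_status": "Rejected", "priority": "P3",
     "usage": {"distribution": "Internal", "linking": "Statically linked"},
     "vulns": [], "custom": {}},
]

if __name__ == "__main__":
    triage = {"severity": {"Critical", "High"},
              "usage": {"distribution": {"Internal", "Hosted"},
                        "linking": {"Dynamically linked"}}}
    print(search(INVENTORY, triage))  # And is the default operator
```
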

Apply

Click this button to apply the selected search criteria and return to the Inventory Items list (on the Project Inventory tab or in the Analysis Workbench) or to the Inventory view to see the results.

Clear Form

Click this button to return the search criteria configuration to its default state.

Close

Click this button to close this dialog and return to the Inventory Items list or the Inventory view without applying your search criteria.