Inventory Details Tab in the Analysis Workbench

The Inventory Details tab in the Analysis Workbench contains a subtab for each inventory item you have opened from the Inventory Items pane. Each subtab contains the following fields describing a given inventory item:

Table: Inventory Details in the Analysis Workbench (columns: Category, Column/Field, Description)

Header information

The Inventory Details tab header shows buttons that enable you to take actions on the inventory item and lists attributes about the item and its associated component.

Recall or Publish

A toggle button that shows Publish when viewing an unpublished or recalled item or Recall when viewing the details for a published inventory item.

Click Publish to publish a currently unpublished (or recalled) inventory item. In the Inventory Items pane, the item is re-listed with a filled box icon next to its name. Additionally, the inventory item is now visible on the Project Inventory tab.

Upon publication, the inventory item is automatically reviewed by the review policy currently associated with the project and is either approved, rejected, or kept in a Draft state (Not Reviewed on the Project Inventory tab). On the Project Inventory tab, users can then further review the inventory item’s security or legal issues and, if appropriate, take steps to remediate and prepare the item for inclusion in the final Third-Party Notices report for the project.

Click Recall to unpublish a currently published inventory item if it does not fit the criteria for a published item. In the Inventory Items pane, the item is re-listed with a clear box icon next to its name. (However, the item is removed from the Project Inventory tab.) A recalled inventory item retains the status it had before the recall (until it is re-published).

View History

Click to open the Inventory History window, which shows a list of all updates made to the inventory item up to the current date and provides details for each update.

Create Custom Rule

(Available when inventory Type is Component) Click to open the Custom Detection Rule dialog to define a new detection rule for codebase files that are associated with a third-party component but not associated with inventory. For details, see Managing Custom Detection Rules.


Save

Click to save any changes you have made to the inventory details. This action can trigger an automatic review of the inventory item. See Managing Policies to Automatically Review Inventory for details.

Close

Click to close the Inventory Details pane. Before the pane closes, you are asked whether to save any changes you have made.

Review Status

The status of the inventory item:

Approved—The item is approved for use in the software project.
Draft—This item has not yet been reviewed, either automatically by policy or manually by a user.
Rejected—The item is not approved for use in the software project. Instead, the item needs further review and remediation before being used in the software project.

Alerts

Notifies you whether or not security alerts exist for this item. If alerts exist, click the x Open Alerts or x Closed Alerts link (where x is the number of alerts) to view their details. If no alerts exist, None is displayed. You can access the Alerts dialog from this pane to change the status or priority of an alert. For more information, see Managing Security Vulnerability Alerts.

Priority

A dropdown list showing the priority level given to this inventory item by the system, with P1 as the highest priority and P4 as the lowest.

Note: During a scan, the priority for auto-published inventory is automatically assigned based on the associated license.

You can change the priority for this inventory item by selecting a different priority from the dropdown list and clicking Save. For more information about priorities, see Inventory Priority.


Vulnerabilities

A bar graph showing the count of known vulnerabilities by severity color for the inventory item. Click the graph to view the list of vulnerabilities and their details. For details about the graph and vulnerabilities in general, see Security Vulnerabilities Associated with Inventory.

The counts in this graph do not include vulnerabilities that are currently suppressed. If no vulnerabilities have been found for the inventory item, the value No is displayed in place of the graph. Additionally, if the Type value for the inventory item is Work in Progress or License Only, the value N/A is displayed.

Created By

The creator of the inventory item as either:

System—Code Insight automatically generated the item per one of these detection techniques (as designated in the Notes for the inventory item) during a scan:
High Confidence Custom Auto-WriteUp Rule
High Confidence Auto-WriteUp Rule
Medium Confidence Auto-WriteUp Rule
Automated Finding
Low Confidence Auto-WriteUp Rule
High Confidence MID Rule
Low Confidence MID Rule
Audit Import
<user_name>—The first and last name of the user who manually created the item.

Confidence

A simple three-segment graph representing the Confidence level (High, Medium, or Low) of the inventory item. The Confidence level is the measure of the strength of the discovery technique used to generate the inventory item. The graph shows three dark-shaded segments for High confidence, two for Medium, and one for Low.

For more information about the Confidence levels, see Inventory Confidence.

Created On

The date and time that the inventory item was created.

Updated On

The date and time that the inventory item was updated. If the item has not been updated since its creation, the date and time shown here will be the same as the Created On date and time.

Inventory details

The following attributes describe the inventory item. You can update these attributes as needed from this pane. For a description of the inventory creation or editing process, see Creating an Inventory Item from the Analysis Workbench or Editing Inventory from the Analysis Workbench.

Name

The name of the inventory item.

Type

The type of inventory item based on the codebase files that point to evidence of a third-party or OSS component.

Work in Progress—A set of files with evidence in common. A work-in-progress item becomes a Component or License Only item only through manual audit work.
Component—Files from a specific component version with a known or unknown license. If this type is selected, the Lookup Component button becomes active, enabling you to select a new component instance (component, version, license) for the inventory item or create a new component for the item (see Using “Lookup Component” to Search for Components to Associate with Inventory).
License Only—Files under a specific license without a known component.

Component

(Available for Component inventory types) The name of the component. Click to view publicly available information about the component. (See Component Details Window for details.) You can also do the following:

Click to select a new version (or license) for the component.
To help you make an informed decision about the version selection, you can click the View all versions link to open the Versions for <component> window. From here, view the list of all versions for the component and, for each version, its associated licenses and security vulnerability totals (by severity). You can also delve into more detail for each associated vulnerability. For more instructions, see Versions for <component> Window.


License

(Available for Component and License Only inventory types) The name of the license associated with the component or the License Only inventory item. Click to view additional information about the license. See License Details Window for further information.

For an inventory item of the type Component, you can click the icon next to the License field to select a new license or version from the respective License or Version dropdown list.

If you select a new license from a group of licenses under the System Suggested License category in the License dropdown or select the license from the Other Licenses category in the dropdown, the Update License Mapping window is displayed. This window gives you the option to save the license mapping at the system level. See Specifying a User-Preferred License Mapping for complete details.

Description

A description of the inventory item. You can update the description as needed.

URL

The URL of the forge repository for this inventory item. You can update the URL as needed.

purl

The package URL for the component represented by the inventory item. This non-editable value is retrieved from the Code Insight Data Library and is applicable to a component associated with a non-custom version only. If no purl value is available in the Data Library or the version is custom, the value for this field is N/A.

The use of package URLs is an attempt to standardize the way in which software packages and their locations are identified so that this information is more universal and uniform across programming languages, packaging conventions, tools, APIs, and databases.
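Because SBOM tools and vulnerability feeds key on this field, it helps to be able to parse the value shown here. The following parser is an added example, not Code Insight code; it follows the published purl-spec parsing order (subpath, qualifiers, scheme, version, then type/namespace/name), does not apply type-specific name normalization, and uses constructed sample purl values.

```python
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import unquote


@dataclass
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str]
    subpath: Optional[str]


def parse_purl(purl: str) -> PackageURL:
    """Split a purl into its components.

    Grammar: pkg:type/[namespace/]name[@version][?qualifiers][#subpath]
    Type-specific rules (for example pypi name normalization) are not applied.
    """
    s = purl.strip()
    # 1. Subpath: everything after the right-most '#'; drop empty, '.' and '..' segments.
    subpath = None
    if "#" in s:
        s, raw = s.rsplit("#", 1)
        segs = [unquote(p) for p in raw.strip("/").split("/") if p not in ("", ".", "..")]
        subpath = "/".join(segs) or None
    # 2. Qualifiers: everything after the right-most '?', as key=value pairs joined by '&'.
    qualifiers: Dict[str, str] = {}
    if "?" in s:
        s, raw = s.rsplit("?", 1)
        for pair in raw.split("&"):
            key, _, value = pair.partition("=")
            if key and value:  # a key with an empty value counts as absent
                qualifiers[key.lower()] = unquote(value)
    # 3. Scheme: must be 'pkg:'; slashes directly after it are ignored.
    scheme, sep, rest = s.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"not a purl (missing 'pkg:' scheme): {purl!r}")
    rest = rest.lstrip("/")
    # 4. Version: everything after the right-most '@' (a '@' inside a namespace must be encoded).
    version = None
    if "@" in rest:
        rest, raw = rest.rsplit("@", 1)
        version = unquote(raw) or None
    # 5. Type: up to the first '/'; the remainder is namespace/name, name being the last segment.
    ptype, sep, remainder = rest.partition("/")
    if not ptype or not sep:
        raise ValueError(f"purl has no type or name: {purl!r}")
    segs = [unquote(p) for p in remainder.strip("/").split("/") if p]
    if not segs:
        raise ValueError(f"purl has no name: {purl!r}")
    return PackageURL(ptype.lower(), "/".join(segs[:-1]) or None, segs[-1],
                      version, qualifiers, subpath)


def is_valid_purl(value: str) -> bool:
    """True for a parseable purl; False for the 'N/A' placeholder or malformed input."""
    try:
        parse_purl(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from a real inventory.
    for sample in ("pkg:maven/org.apache.commons/commons-text@1.9",
                   "pkg:npm/%40angular/core@12.0.0", "N/A"):
        print(sample, "->", parse_purl(sample) if is_valid_purl(sample) else "not a purl")
```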


Provenance

The source project from which the current inventory item was derived.

Note: You cannot update this property from the Code Insight Web UI in general, but you can edit it when creating or updating inventory using the Inventory REST API.

If the inventory item is not derived from another project, the value Originated in this project is displayed.

However, if the inventory item is derived from another project (for example, the inventory item was imported, copied, or branched to the current project), the origin of the inventory is displayed with the inventory name and project name:

If the source project and inventory item still exist, this value is hyperlinked so that you can open the source project directly to the Project Inventory tab, with focus on the Inventory Details page for the original inventory item. The linked inventory item enables you to trace the origin of the item through its chain of predecessors. You can explore the auditing and review details of each preceding inventory item to determine inventory history—for example, the reason the item was previously approved or rejected.

If the source inventory item or its project no longer exists, the link to the previous inventory item is permanently disabled once it is first clicked.


Dependency Scope

(Not editable) The dependency scope of the inventory item:

Runtime—The inventory item is a dependency required at runtime.
Non-Runtime—The inventory item is a dependency not required at runtime.
N/A—The inventory item cannot be classified as a runtime or non-runtime dependency. Such items include top-level inventory, dependencies for which Code Insight does not currently support the reporting of scope, and migrated inventory for which a scan has not been run.

For more information, see Dependency Scopes in the Automated Analysis section.

Note: Your access to inventory of a specific scope in a project can change if a certain reconfiguration has previously occurred—for example, a change to the scan profile or a re-upload of updated runtime and non-runtime dependencies—and a rescan or full rescan has subsequently taken place.

Disclosed

The Yes or No option indicating whether the third-party component or artifact represented by the inventory item was a known third-party dependency in your code before it was discovered by the scan or by you.

This field is used most often by analysts to denote information about the state of the inventory item.


Workflow URL

The URL (or a text reference such as a Jira issue number) that points to the request data pertaining to this inventory item as found in your site’s external workflow system.

When you view this value on the Inventory Details tab in Project Inventory, the URL displays as a link (labeled View Associated Request), enabling the reviewer to easily access the workflow data that tracks the status of open tasks for the inventory item.

A text reference entered here is not converted to a link on the Inventory Details tab, but it still provides direction in locating the appropriate data in the workflow system.

The value is None if you enter no URL or reference.

Additionally, when you view the Inventory Details tab in Project Inventory, an icon will be displayed next to the URL if additional request-related details are available for the inventory item. The reviewer can then click the icon for a quick review of pertinent details about the request without having to access the workflow system.

Notices Text tab

The Notices Text tab is used to finalize the exact content to include in the Notices report. You can edit the notices content as needed from this tab when editing an existing inventory item or creating a new one. For more information, see Finalizing the Notices Text for the Notices Report.

As-Found License Text

The As-Found License Text field shows the license text or license references found in the scanned codebase. You cannot edit this field. However, if you want to use this content in the Notices report, click Copy to Notices Text to copy the text to the Notices Text field and modify it if necessary. If content already exists in the Notices Text field, you can choose either to append the As-Found License Text content to the existing notices content or to replace the existing notices content.

This field is blank if no license text or references were found in the scanned codebase.

If this field contains information and the Notices Text field remains blank, the Notices report uses the content in this field. If both fields are empty, the report uses the license content from Code Insight Data Library (see License Details from the Code Insight Data Library).


Notices Text

The exact content to include in the Notices report. You can edit any license text previously saved to this field or manually add your own license text, such as license information for rules that you developed during your manual research on the inventory item.

You can also copy the As-Found License Text content (see the previous description) to the Notices Text field and modify it as needed. As a third option, you can click the Update Notices Text button to pull a copy of the current license content from the Code Insight Data Library into the Notices Text field and modify it as needed.

Or you can leave this field empty.

If you provide information in this field, the Notices report pulls the content of only this field into the report. If this field is empty, the content of the As-Found License Text field is used in the report. If both fields are empty, the report uses the license content from Code Insight Data Library (see License Details from the Code Insight Data Library).

For more information, see Finalizing the Notices Text for the Notices Report.

Copy to Notices Text button

(Located within the As-Found License Text field) Click this button to copy the text in this field into the Notices Text field, where you can modify it as necessary. If the Notices Text field already contains content, you are given the option either to append the As-Found License Text content to the existing Notices Text content or to replace all the existing Notices Text content with the As-Found License Text content. Appended text starts on a new line after the existing content in the Notices Text field.

Update Notices Text button

(Located within the Notices Text field) Click this button to copy content from the Code Insight Data Library into the Notices Text field. You can then modify the content as needed. If the Notices Text field already contains content, you are asked whether to overwrite it. If you select No, the copy operation is ended. If you select Yes, the operation proceeds. Refer to Using License Text from the Revenera Data Library in the Notices Report for the prerequisites needed to perform this copy and the types of issues you can encounter.

Notes tab

The Notes tab provides information about the automated and manual analysis of codebase as it relates to an inventory item.


Detection Notes

System notes that can specify the following:

The automated detection technique that was used to locate the component.
License information in the case that the license has changed from one version to another or if the component has multiple licenses.
Attributes extracted from a POM or manifest file containing project and configuration details.
Name of the SBOM file from which the inventory item was generated. (This information is displayed only when an SBOM data import has been performed on the project.)

Audit Notes

Any notes added to the inventory item by the auditor or reviewer, based on findings during the analysis. You can edit these notes as needed from this pane when editing an existing inventory item or creating a new one. See Viewing or Updating Detection and Auditing Notes in the Analysis Workbench.

Associated Files tab

Click this tab to view a list of the files that are part of the inventory for this project. Each file entry shows the following:

Action—Icons that you can click to perform certain actions on the file. Currently, only the icon shows, enabling you to disassociate the file from the inventory item.
Alias—The unique user-defined alias that was defined for the scanner (Scan Server or remote scan agent) to represent its scan-root path containing the codebase in which the file is located. The alias provides a name that is more meaningful than the scan-root path. (The actual absolute scan-root path for each scanner associated with the project is available on the project’s Summary tab.)
File Path—The file’s path relative to the scan-root path on the instance hosting the scanner. You can click the file-path link to open the File Details tab for that file.
Evidence—The color-coded icons representing the types of open-source or third-party evidence found in the file (see Using the Filter Legend Options to Filter the Codebase for a description of the icons). A check mark indicates that the file has been reviewed.

Note: You cannot sort the file list.

Optionally, you can right-click a file entry for options that enable you to perform additional operations on the file, such as marking it as reviewed, reverting its reviewed status to unreviewed, and other operations. See Managing the Codebase Files for details about these same options that are also available from the Codebase Files and File Search Results panes in the Analysis Workbench.

To add associated files to this list, see Adding Files to Inventory From the Codebase List.

Copyrights and Usage tab

The Copyrights and Usage tab provides copyrights and usage details for a given OSS or third-party component associated with an inventory item. You can update this information as needed from this pane when editing an existing inventory item or creating a new one. See Viewing or Editing Inventory Copyrights and Usage Information from the Analysis Workbench.


Copyrights

Displays open-source or third-party copyrights associated with component versions of the inventory item and also open-source or third-party copyrights pertaining to its associated files.

You can edit or remove the existing open-source or third-party copyrights (sourced from the associated files and the Code Insight Data Library) in the Copyrights field for an inventory item, and you can also add a new open-source or third-party copyright in the same field. Use the following icons, available on the Copyrights and Usage tab, to manage the copyrights in the Copyrights field:

Add new copyright—Click the Add new copyright icon to add the required open-source or third-party copyright for an inventory item.
Remove selected copyright—Click the Remove selected copyright icon to remove an open-source or third-party copyright from an inventory item or its associated files.

Once you have made changes in the Copyrights field for the inventory item, click the Save button next to the Create Custom Rule button (in the Inventory Details tab header).

For more information, see Inventory Copyrights and Usage Information.

Distribution Type

The option indicating how you are distributing the OSS or third-party component associated with the inventory item. The distribution type can affect license priority and obligations:

Internal—The component is distributed internally only (for example, as an internal test framework included in the codebase but not distributed publicly with the software package).
External—The component is a separate entity from your software package. It might be shipped as a separate component along with the software package or deployed through some method, such as a private cloud at the customer site.
Hosted—The component is hosted in your company’s data center (for example, as a SaaS application).
Unknown—The distribution type is unknown.


Part of Product

The option indicating whether the item is part of the core product or an infrastructure piece such as a build or test tool. This can affect whether third-party notices are required for this item. The value can be Yes, No, or Unknown.

Linking

The option identifying how your software package links to the OSS or third-party component libraries. This method can affect license priority and obligations.

Not linked—The software package uses no links to the component libraries.
Statically linked—The component libraries are included in the software materials and thus linked statically.
Dynamically linked—The component libraries are brought in at runtime.
Unknown—The type of linking is unknown.

Modified

The option indicating whether code from the OSS or third-party package has been modified for use by your organization. The value can be Yes, No, or Unknown.

Encryption

The option indicating whether the component provides the encryption capabilities used in the product. Encryption can affect export controls. The value can be Yes, No, or Unknown.

Custom Fields tab

The Custom Fields tab displays fields that were defined specifically for your site to provide information that standard Code Insight fields on the Inventory Details tab do not capture about the inventory.

If no custom fields have been defined, the tab displays the message “There are no custom fields configured”.

Use the following guidelines for entering (or editing) a value in a custom inventory field:

If available, click the icon in the upper right corner of a field to obtain help on completing the field.
You can enter a value up to 64k (64000 characters) in size.
To save the value, click the Save button next to the Create Custom Rule button (in the Inventory Details tab header).