Project Inventory Details Pane

The Project Inventory Details pane is located on the Project Inventory tab for the current project. It is populated with details about the inventory item currently selected on the Project Inventory tab. (For a description of the Project Inventory tab and how to access it, see Project Inventory Tab.)

The Project Inventory Details pane enables legal and security experts to review the published inventory as needed and either approve items for inclusion in the Bill of Materials or reject them until further review or remediation efforts are performed. The reviewers can create tasks for the additional reviews or for the remediation work required by software engineering to fix security or legal risks in the code. They can also finalize the third-party Notices content that can be used in the Bill of Materials.

The following table describes the Project Inventory Details pane.

Project Inventory Details Pane

Category

Column/Field

Description

Header information

The header on the Project Inventory Details pane provides buttons that enable you to take actions on the inventory item. It also lists attributes of the item and its associated component.

Recall Item

Click to recall (remove) a published inventory item from the Inventory Items list if it does not meet the criteria for inclusion. Recalled items are removed from the Project Inventory view and remain visible only in the Analysis Workbench. A recalled item retains the status it had before the recall (until it is re-published).

Edit Item

Click to open the Edit Inventory window, where you can update inventory attributes, including selecting a new component, version, or license. For details, see Editing Inventory from the Project Inventory Tab.

View History

Click to open the Inventory History window, which lists all updates made to the inventory item up to the current date and provides details for each update.

Previous Item/Next Item

Show the details for the previous or next inventory item in the Inventory Items list.

Confidence

A simple three-segment graph representing the Confidence level (High, Medium, or Low) of the inventory item. The Confidence level is the measure of the strength of the discovery technique used to generate the inventory item. The graph shows three shaded segments for High confidence, two for Medium, and one for Low.

For more information about the Confidence levels, see Inventory Confidence.

Encryption

The Yes, No, or N/A value indicating whether the component associated with the inventory item provides the encryption capabilities used in your product. Encryption can affect export controls.

This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

Vulnerabilities

A bar graph showing the count of known vulnerabilities by severity color for the component associated with the inventory item. Click the graph to view the list of vulnerabilities and their details. For details about the graph and vulnerabilities in general, see Working with Security Vulnerabilities.

The counts in this graph do not include vulnerabilities that are currently suppressed. If no vulnerabilities have been found for the inventory item, the value No is displayed in place of the graph.

Priority

A dropdown list showing the priority level given to this inventory item by the system, with P1 as the highest priority and P4 as the lowest.

Note: During a scan, the priority for auto-published inventory is assigned automatically based on the associated license.

You can change the priority for this inventory item by selecting a different priority from the dropdown list and clicking Save. For more information about priorities, see Inventory Priority.

Status

The status of the inventory item:

Approved—The item is approved for use in the software project.
Not Reviewed—The item was not automatically approved or rejected by policy and therefore requires a manual review.
Rejected—The item is not approved for use in the software project; it needs further review and remediation before it can be used.

Inventory Details tab

The Inventory Details tab lists attributes of the inventory item.

Name

The name of the inventory item. This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

Description

A description of the inventory item. This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

URL

The URL of the forge repository for this inventory item. You can click the URL link to open the component website. This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

purl

The package URL (purl) for the component represented by the inventory item. This non-editable value is retrieved from the Code Insight Data Library and applies only to components with a non-custom version. If no purl is available in the Data Library, or the version is custom, the field shows N/A.

Package URLs are a standardized way to identify a software package and its location so that the identifier is uniform across programming languages, packaging conventions, tools, APIs, and databases. A purl has the form pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>, where only the type and name are required.
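As an added illustration (not Code Insight code, and not taken from the Revenera documentation), the following Python parser breaks a purl into the components described above so the value in this field can be compared with the Component and Version fields or handed to another tool. It implements the public purl string grammar; the sample purls in it are constructed, and the helper names (parse_purl, coordinates) are this example's own.

```python
"""Parse package URLs (purls) like the ones shown in the purl field.

Added example, not Code Insight code. Implements the string grammar of
the purl spec (https://github.com/package-url/purl-spec):

    pkg:type/namespace/name@version?qualifiers#subpath

Only type and name are mandatory. An '@', '?' or '#' that belongs inside a
component (for example the '@' of an npm scope) is percent-encoded in a
well-formed purl, which is what lets the parser split on the literal
separators.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


def _split_right(s: str, sep: str):
    """Split once on the right-most sep; return (head, tail) or (s, '')."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")


def parse_purl(purl: str) -> Purl:
    if not purl.startswith("pkg:"):
        raise ValueError("a purl must start with the 'pkg:' scheme")
    rest = purl[len("pkg:"):].lstrip("/")  # the spec tolerates 'pkg://'

    # Peel the optional trailing parts off from the right, in spec order.
    rest, subpath = _split_right(rest, "#")
    rest, qualifier_str = _split_right(rest, "?")

    # A version '@' always follows the name, i.e. it sits after the last '/'.
    # An '@' before the last '/' belongs to an (unencoded, non-compliant)
    # namespace such as '@angular' and is not a version separator.
    at = rest.rfind("@")
    version = None
    if at > rest.rfind("/"):
        version = unquote(rest[at + 1:])
        rest = rest[:at]

    segments = [unquote(p) for p in rest.split("/") if p]
    if len(segments) < 2:
        raise ValueError("a purl needs at least a type and a name")
    ptype, name = segments[0].lower(), segments[-1]
    namespace = "/".join(segments[1:-1]) or None

    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        if value:  # a qualifier with an empty value is dropped per spec
            qualifiers[key.lower()] = unquote(value)

    # Subpath: strip surrounding slashes and ignore empty, '.' and '..' segments.
    clean = [unquote(s) for s in subpath.strip("/").split("/") if s not in ("", ".", "..")]

    return Purl(ptype, name, namespace, version, qualifiers, "/".join(clean) or None)


def coordinates(purl: str) -> tuple:
    """The (type, namespace, name, version) tuple, handy for comparing the
    pane's purl field with the Component and Version fields."""
    p = parse_purl(purl)
    return (p.type, p.namespace, p.name, p.version)


if __name__ == "__main__":
    # Constructed sample purls, not values taken from any real project.
    for sample in (
        "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar",
        "pkg:npm/%40angular/core@12.0.0",
        "pkg:golang/github.com/gorilla/websocket",
    ):
        print(sample, "->", coordinates(sample))
```

Run it directly to see the sample purls decomposed. A field showing N/A (custom version, or no purl in the Data Library) should be skipped before calling parse_purl, since the function rejects anything that does not start with pkg:.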


Relationship

The parent/child relationships between this inventory item and other inventory items. The field displays one of the following values:

Parent Inventory—If any direct parent inventory item is available for the inventory item. You can click on this value to open the Parent inventories window that displays the list of direct parent inventory items for the inventory item.
Child Inventory—If any direct child inventory item is available for the inventory item. You can click on this value to open the Child inventories window that displays the list of direct child inventory items for the inventory item.
N/A—If neither a direct parent inventory item nor a direct child inventory item is available for the inventory item.

Note: Consider the following:

The Relationship field displays values only for published inventory items.
An inventory item listed in the Parent inventories or Child inventories window is hyperlinked if it is a published inventory item. Click an item in either window to open the details for that inventory item.

Created By

The creator of the inventory item as either:

System—Code Insight automatically generated the item per one of these detection techniques (as designated in the Notes for the inventory item) during a scan:
High Confidence Custom Auto-WriteUp Rule
High Confidence Auto-WriteUp Rule
Medium Confidence Auto-WriteUp Rule
Automated Finding
Low Confidence Auto-WriteUp Rule
High Confidence MID Rule
Low Confidence MID Rule
Audit Import

<user_name>—The first and last name of the user who manually created the item.

Created On

The date and time that the inventory item was created.

Updated On

The date and time that the inventory item was updated. If the item has not been updated since its creation, the date and time shown here will be the same as the Created On date and time.

Provenance

The project from which the inventory is immediately derived.

You cannot update this property from the Code Insight Web UI in general, but you can edit it when creating or updating inventory using the Inventory REST API.

If the inventory item is not derived from another project, the value Originated in this project is displayed.

However, if the inventory item is derived from another project (for example, the current inventory item was imported or copied to the current project), the inventory and project name of the inventory item’s predecessor is displayed:

If the preceding project and inventory item still exist, this value is hyperlinked so that you can open that project directly on its Project Inventory tab, with focus on the Inventory Details for the preceding inventory item. The link lets you trace the origin of the item through its chain of predecessors and examine the audit and review details of each predecessor to understand the inventory's history, for example why the item was previously approved or rejected. If the preceding inventory item or project no longer exists, no link is provided.

Dependency Level

The dependency level of the inventory item (OSS or third-party component) within the Code Insight project. A direct or transitive dependency is always defined by its relationship to a top-level dependency: <inventory name> is a direct (or transitive) dependency of <top-level inventory name>.

Top-level—The main package for the OSS or third-party component.
Direct—A package directly called or used by a top-level dependency.
Transitive—A package called or used by a direct dependency or by another transitive dependency, as defined by its relationship to a top-level dependency.

By default, the Dependency Level value for a manually created inventory item is Top-level.

An inventory item can be more than one kind of dependency at once, for example both direct and transitive, when it is reached along more than one path. In that case, all applicable levels are listed for the item.

Note: Starting with Code Insight 2024 R3, the Dependency Level field will be available for all supported package types.

For the current analyzers other than NPM, the Dependency Level value for every dependent inventory item will be Direct, and the value for all other inventory items will be Top-level.

Dependency Scope

The dependency scope of the inventory item:

Runtime—The inventory item is a dependency required at runtime.
Non-Runtime—The inventory item is a dependency not required at runtime.
N/A—The inventory item cannot be classified as a runtime or non-runtime dependency. Such items include top-level inventory, dependencies for which Code Insight does not currently support the reporting of scope, and migrated inventory for which a scan has not been run.

For more information, see Dependency Scopes in the Automated Analysis section. This field is not editable.

Note: The inventory of a given scope that you see in a project can change if a reconfiguration has previously taken place (for example, a change to the scan profile or a re-upload of updated runtime and non-runtime dependencies) and a rescan or full rescan has subsequently been run.
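The definitions under Dependency Level and Dependency Scope can be applied mechanically to a dependency graph. The Python below is an added example, not Code Insight's analyzer logic: it takes a constructed npm-style graph (DEPS) and a constructed set of top-level declarations with their scopes (TOP_LEVEL), both invented for illustration, and computes the level list and scope each package would carry, including the case where one package is both Direct and Transitive because it is reached along two paths.

```python
"""Derive Dependency Level and Dependency Scope values from a dependency graph.

Added example, not Code Insight code; it applies the pane's definitions to
a constructed npm-style graph rather than reading a real lockfile.

Levels: Top-level is a package the project declares; Direct is a package
used by a top-level package; Transitive is a package reached through a
direct (or another transitive) dependency. A package reached by more than
one path can hold several levels at once.

Scope (this example's reading of the definitions): a dependency is Runtime
if it is reachable from any top-level package declared for runtime use,
otherwise Non-Runtime; top-level items themselves are N/A, as on the pane.
"""
from collections import deque

# Constructed sample graph: {package: [packages it depends on]}.
DEPS = {
    "express": ["body-parser", "debug"],
    "body-parser": ["debug", "qs"],
    "qs": ["side-channel"],
    "debug": ["ms"],
    "jest": ["chalk"],
    "chalk": ["supports-color"],
}

# Constructed top-level declarations: {package: scope of the declaration}.
TOP_LEVEL = {"express": "Runtime", "jest": "Non-Runtime"}

LEVEL_ORDER = ("Top-level", "Direct", "Transitive")


def reachable(graph, start):
    """Every package reachable from start by one or more edges (cycle-safe)."""
    seen, queue = set(), deque([start])
    while queue:
        for dep in graph.get(queue.popleft(), ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def classify(graph, top_level):
    """Return {package: (levels, scope)} for every package in the graph."""
    all_pkgs = set(graph) | {d for deps in graph.values() for d in deps} | set(top_level)

    direct = {d for t in top_level for d in graph.get(t, ())}
    # Anything reachable *from* a direct dependency is at least two hops
    # away from a top-level package, hence transitive.
    transitive = set().union(*(reachable(graph, d) for d in direct))
    runtime = set().union(
        *(reachable(graph, t) for t, scope in top_level.items() if scope == "Runtime")
    )

    result = {}
    for pkg in sorted(all_pkgs):
        levels = [
            lvl for lvl, members in zip(LEVEL_ORDER, (top_level, direct, transitive))
            if pkg in members
        ]
        if pkg in top_level:
            scope = "N/A"
        else:
            scope = "Runtime" if pkg in runtime else "Non-Runtime"
        result[pkg] = (levels, scope)
    return result


if __name__ == "__main__":
    for pkg, (levels, scope) in classify(DEPS, TOP_LEVEL).items():
        print(f"{pkg:15} {', '.join(levels):22} {scope}")
```

In the sample graph, debug is listed as both Direct (used by express) and Transitive (used by body-parser, which express uses), which is the multi-level case the text describes. The Runtime/Non-Runtime split here is modelled as reachability from a runtime top-level package; the scopes Code Insight reports come from its own analyzers and show N/A for package types whose scope it does not yet report.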

Docker layers

The Docker image layer (or layers) from which the inventory item is derived. The layer information consists of an alias name, the layer number, and the first 4 characters of the layer's ID, for example:

<alias>-layer-0-2e76

Layer number 0 is the base layer of the Docker image. Because only 4 hex characters of the ID are shown, two layers of the same image can share the prefix; the layer number is what distinguishes them.

Note: Consider the following:

An inventory item can be associated with one or more layers in a Docker image.
A Docker image layer can be linked to one or more inventory items.
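The layer reference format above can be resolved back to the image's layer digests. The Python below is an added example, not Code Insight code; it assumes the layers are listed base-first, as in the RootFS.Layers array of docker image inspect, and uses constructed, shortened digests. It also shows the check a practitioner wants when reading these labels: the 4-character prefix alone is not unique, so the layer number, not the prefix, identifies the layer, and a label whose number and prefix disagree should be treated as inconsistent.

```python
"""Resolve a Docker layer reference like '<alias>-layer-0-2e76' against the
layers of the scanned image.

Added example, not Code Insight code. Assumes the layer list is ordered
base-first (as in RootFS.Layers from `docker image inspect`) and uses
constructed, shortened digests in place of real 64-hex-char values.
Because the label carries only the first 4 hex characters of the layer ID,
two layers can share a prefix; the layer number is what disambiguates.
"""
import re

# Aliases may contain '-', so the fixed '-layer-<n>-<hex>' suffix is anchored
# at the end and the greedy alias group backtracks to the last '-layer-'.
LABEL_RE = re.compile(r"^(?P<alias>.+)-layer-(?P<index>\d+)-(?P<prefix>[0-9a-f]{4})$")

# Constructed image layers (shortened digests), base layer first.
IMAGE_LAYERS = [
    "sha256:2e76b0c4d1aa",  # layer 0, the base layer
    "sha256:9f0c31e7ab52",  # layer 1
    "sha256:2e76ff01c9d3",  # layer 2, deliberately shares the '2e76' prefix with layer 0
]


def parse_layer_label(label: str):
    """Split '<alias>-layer-<n>-<4 hex>' into (alias, n, prefix)."""
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError(f"not a Docker layer reference: {label!r}")
    return m["alias"], int(m["index"]), m["prefix"]


def resolve_layer(label: str, layers):
    """Map a label to a concrete layer digest and report any inconsistency."""
    alias, index, prefix = parse_layer_label(label)
    digests = [d.split(":", 1)[-1] for d in layers]  # drop the 'sha256:' algorithm tag
    candidates = [i for i, d in enumerate(digests) if d.startswith(prefix)]

    result = {"alias": alias, "index": index, "prefix": prefix,
              "is_base": index == 0, "candidates": candidates}
    if index >= len(layers):
        result.update(ok=False, digest=None,
                      note=f"layer {index} does not exist; image has {len(layers)} layers")
    elif index not in candidates:
        result.update(ok=False, digest=None,
                      note=f"layer {index} does not start with {prefix}; prefix matches {candidates}")
    else:
        result.update(ok=True, digest=layers[index],
                      note="ambiguous prefix, resolved by layer number"
                      if len(candidates) > 1 else "unique match")
    return result


if __name__ == "__main__":
    for label in ("my-app-layer-0-2e76", "my-app-layer-2-2e76", "my-app-layer-1-2e76"):
        r = resolve_layer(label, IMAGE_LAYERS)
        print(label, "->", r["digest"], "|", r["note"])
```

The third sample label names layer 1 with a prefix that belongs to layers 0 and 2; resolve_layer refuses it rather than guessing, which is the behaviour you want before attributing a finding to a base image versus an application layer.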

Disclosed

The property indicating whether the third-party component or artifact represented by the inventory item was a known third-party dependency in your code before the scan (or you) discovered it. The value is either Yes or No.

Analysts use this field most often to record information about the state of the inventory item.

This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

Alerts

The property indicating whether security vulnerability alerts exist for this item. If alerts exist, click the x Open Alerts or x Closed Alerts link to view their details. If no alerts exist, None is displayed. You can open the Alerts dialog from this pane to change the status or priority of an alert. For more information, see Managing Security Vulnerability Alerts.

Modified

The property indicating whether code from the OSS or third-party package has been modified for use by your organization. The value is either Yes, No, or Unknown.

This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

Tasks

The number of open or closed tasks for this inventory item. Click the x Closed Tasks or x Open Tasks link to view and update the tasks. If no tasks are associated with this inventory item, None is displayed. You can open the Tasks dialogs from this pane to create, edit, and close tasks. For details, see Creating and Managing Tasks for Project Inventory.

Workflow URL

A URL or plain-text reference (such as a Jira issue key) to the request that tracks this inventory item in your site's external workflow system. The link lets the reviewer go directly to the workflow data that tracks the status of open tasks for the item; a plain-text reference still helps the reviewer locate the record in the workflow system.

You can define this attribute when you edit or manually create an inventory item from the Analysis Workbench or the Project Inventory tab.

If no URL or reference has been defined, the value is None.

If additional request-related details are available for this inventory item, an icon is displayed next to the URL. Click the icon to open the Workflow Request Details window for a quick review of pertinent details about the request without having to access the workflow system.

Note: These details come from the external workflow system associated with your site and vary by workflow system.

Custom fields

Any custom fields that were defined specifically for your site display at the bottom of the Inventory Details tab (after the Workflow URL field). These fields provide information that standard Code Insight fields on the Inventory Details tab do not capture about the inventory.

If no custom fields have been defined, nothing is displayed after the Workflow URL field.

Use the following guidelines for entering (or editing) a value in a custom inventory field:

If available, click the help icon in the upper right corner of a field for guidance on completing the field.
You can enter a value of up to 64k (64000 characters).
To save the value, click the Save button in the upper right corner of the field. (The button is activated when you begin to type in the field.)

Component Details tab

The Component Details tab lists attributes of the OSS or third-party component associated with the inventory item.

Component

The name of the OSS or third-party component and its internal ID, as identified in the Code Insight Data Library. You can associate the inventory item with a different component using the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

Version

The component version and its internal ID, as identified in the Code Insight Data Library. You can associate the inventory item to a different version of the component using the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

Forge

The external repository associated with the component. You can click the forge link to open the forge website.

Selected License

The name of the license selected for this component. Click to view additional information about the license. See License Details Window.

You can switch to a different license from the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

Possible Licenses

Other licenses that can be associated with the component.

Custom Component

The Yes or No value indicating whether the component is custom (created by a user) or provided as part of the Code Insight Data Library.

If the field value is Yes, an icon appears next to the value. Clicking the icon opens a dialog box that displays the following details:

Created By—The name of the user who created the component.
Created On—The date and time the component was created.
Updated By—The name of the user who last updated the component.
Updated On—The date and time the component was last updated.

If the field value is No, no icon appears.

Custom Version

The Yes or No value indicating whether the component version is custom (created by a user) or provided as part of the Code Insight Data Library. Yes means a user created the version; No means it comes from the Data Library.

Vulnerabilities

A bar graph showing the count of known vulnerabilities by severity color for the component. Click the graph to view the list of vulnerabilities and their details. For details about the graph and vulnerabilities in general, see Security Vulnerabilities Associated with Inventory.

If no vulnerabilities have been found for the inventory item, the value No is displayed in place of the graph.

Encryption

The Yes, No, or N/A value indicating whether the component provides the encryption capabilities used in your product. Encryption can affect export controls.

This attribute can be updated on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

CPE

The list of CPE names (from the National Vulnerability Database) that are mapped to the component. CPE (Common Platform Enumeration) is a structured naming scheme that identifies a product by its part, vendor, and product names, among other attributes. The names shown here use the CPE 2.2 URI form:

cpe:/<part>:<vendor>:<product>

where <part> is a (applications), h (hardware platforms), or o (operating systems). The equivalent CPE 2.3 formatted string begins cpe:2.3:<part>:<vendor>:<product>: and continues with the version, update, and further attributes.

Note that the data provided represents only the part, vendor, and product; the version information is truncated from the CPE string. A truncated name therefore identifies a product, not a specific release, and cannot by itself be compared with the version ranges that NVD attaches to a CVE; use the Version field and the Vulnerabilities graph for version-specific findings.
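The added Python below (not Code Insight code) parses CPE names in both the 2.2 URI and 2.3 formatted-string bindings, reduces them to the truncated part/vendor/product form this field shows, and makes the consequence of the truncation explicit: a version-less name can be matched to a product but not used for version-specific vulnerability matching. Sample names are constructed; the function names are this example's own.

```python
"""Parse CPE names in both bindings and produce the truncated
part/vendor/product form shown in the CPE field.

Added example, not Code Insight code. Assumptions: the CPE 2.2 URI
binding (cpe:/part:vendor:product:version:update:edition:language) and the
CPE 2.3 formatted string (cpe:2.3:part:vendor:product:version:update:
edition:language:sw_edition:target_sw:target_hw:other). Sample names are
constructed. In 2.3 strings a backslash escapes the next character, so a
literal ':' inside a value must not be split on; '*' means ANY and '-'
means NOT APPLICABLE. The 2.2 special wildcards %01/%02 are not modelled.
"""
import re
from urllib.parse import quote, unquote

ATTRS = ("part", "vendor", "product", "version", "update", "edition", "language",
         "sw_edition", "target_sw", "target_hw", "other")
URI_PREFIX, FS_PREFIX = "cpe:/", "cpe:2.3:"


def _split_escaped(s: str, sep: str = ":"):
    """Split on sep, but not on a sep preceded by a backslash."""
    out, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):  # keep the escape pair together
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    out.append("".join(cur))
    return out


def _unescape_fs(value: str) -> str:
    """Turn a 2.3 escaped value ('foo\\:bar') into its plain form ('foo:bar')."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_cpe(name: str) -> dict:
    """Return {attribute: value} with '*' for ANY and '-' for NA."""
    if name.startswith(FS_PREFIX):
        fields = _split_escaped(name[len(FS_PREFIX):])
        if len(fields) != len(ATTRS):
            raise ValueError(f"CPE 2.3 formatted string needs 11 fields: {name!r}")
        values = [_unescape_fs(f) for f in fields]
    elif name.startswith(URI_PREFIX):
        fields = name[len(URI_PREFIX):].split(":")
        if not 1 <= len(fields) <= 7:
            raise ValueError(f"CPE 2.2 URI has 1 to 7 components: {name!r}")
        # Missing or empty trailing components of a 2.2 URI mean ANY.
        values = [unquote(f) or "*" for f in fields] + ["*"] * (len(ATTRS) - len(fields))
    else:
        raise ValueError(f"not a CPE name: {name!r}")
    if values[0] not in ("a", "h", "o"):
        raise ValueError(f"part must be a, h or o: {values[0]!r}")
    return dict(zip(ATTRS, values))


def _uri_component(value: str) -> str:
    """2.2 URI encoding of one value: ANY is the empty string, else percent-encoded."""
    return "" if value == "*" else quote(value, safe="")


def truncated_uri(cpe: dict) -> str:
    """The version-less cpe:/part:vendor:product form the pane displays."""
    return URI_PREFIX + ":".join(_uri_component(cpe[a]) for a in ("part", "vendor", "product"))


def same_product(a: dict, b: dict) -> bool:
    """Whether two names denote the same product, ignoring version and later attributes."""
    return all(a[k].lower() == b[k].lower() for k in ("part", "vendor", "product"))


def version_known(cpe: dict) -> bool:
    """False for a truncated or wildcard name: such a CPE cannot be checked
    against the version ranges NVD attaches to a CVE."""
    return cpe["version"] not in ("*", "-")


if __name__ == "__main__":
    # Constructed sample names, not taken from any NVD record.
    full = parse_cpe("cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*")
    print(truncated_uri(full), version_known(full))
    short = parse_cpe(truncated_uri(full))
    print(same_product(full, short), version_known(short))
```

Because a missing 2.2 component decodes to '*' (ANY), version_known() returns False for exactly the names this field shows, which is the cue to rely on the Version field and the Vulnerabilities graph rather than matching the displayed CPE against NVD configurations directly.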

Notices Text tab

The Notices Text tab is used to finalize the exact content to include in the Notices report. You can edit the notices content as needed from this tab when editing an existing inventory item or creating a new one. For more information, see Finalizing the Notices Text for the Notices Report.

As-Found License Text

The As-Found License Text field shows the license text or license references found in the scanned codebase. You cannot edit this field. However, if you want to use this content in the Notices report, click Copy to Notices Text to copy the text to the Notices Text field and modify it if necessary. If content already exists in the Notices Text field, you can choose either to append the As-Found License Text content to the existing notices content or to replace the existing notices content.

This field is blank if no license text or references were found in the scanned codebase.

If this field contains information and the Notices Text field remains blank, the Notices report uses the content in this field. If both fields are empty, the report uses the license content from the Code Insight Data Library (see License Details from the Code Insight Data Library).

Notices Text

The exact content to include in the Notices report. You can edit any license text previously saved to this field or manually add your own license text, such as license information gathered during your manual research on the inventory item.

You can also copy the As-Found License Text content (see the previous description) to the Notices Text field and modify it as needed. As a third option, you can click the Update Notices Text button to pull a copy of the current license content from the Code Insight Data Library into the Notices Text field and modify it as needed.

Alternatively, you can leave this field empty.

Click Save at the top of the field if you make any changes to this field.

If you provide information in this field, the Notices report pulls the content of only this field into the report. If this field is empty, the content of the As-Found License Text field is used in the report. If both fields are empty, the report uses the license content from Code Insight Data Library (see License Details from the Code Insight Data Library).

For more information, see Finalizing the Notices Text for the Notices Report.

Copy to Notices Text button

(Located within the As-Found License Text field) Click this button to copy the text in this field into the Notices Text field, where you can modify it as necessary. If the Notices Text field already contains content, you are given the option either to append the As-Found License Text content to the existing Notices Text content or to replace all of the existing Notices Text content with it. Appended text starts on a new line after the existing content in the Notices Text field.

Update Notices Text button

(Located within the Notices Text field) Click this button to copy license content from the Code Insight Data Library into the Notices Text field. You can then modify the content as needed. If the Notices Text field already contains content, you are asked whether to overwrite it. If you select No, the copy operation is canceled; if you select Yes, it proceeds. Refer to Using License Text from the Revenera Data Library in the Notices Report for the prerequisites for this copy and the types of issues you can encounter.

Save button

Click this button to save any changes you made to the Notices Text field. The information saved to this field will be used for the inventory item in the Notices report.

Notes & Guidance tab

The Notes & Guidance tab provides information about the automated and manual analysis of the codebase as it relates to the inventory item.

Detection Notes

System notes that can specify the following:

The automated detection technique that was used to locate the component.
License information, in cases where the license has changed from one version to another or the component has multiple licenses.
Attributes extracted from a POM or manifest file containing project and configuration details.
The name of the SBOM file from which the inventory item was generated. (This information is displayed only when an SBOM data import has been performed on the project.)

Audit Notes

Any notes added to the inventory item by the auditor or reviewer, based on findings during the analysis.

Usage Guidance

Helpful notes provided by a reviewer to assist other reviewers or to guide software engineers who are assigned tasks to fix or modify the use of the OSS or third-party software in the product code.

Usage tab

The Usage tab provides details on how your product uses the OSS or third-party software. You cannot update these items on the Usage tab, but you can update them on the Edit Inventory dialog (see Editing Inventory from the Project Inventory Tab).

Distribution Type

The option indicating how the inventory item is distributed:

Internal—Internal use only (such as a test framework that is included in the codebase but not distributed with the product).
External—Distributed externally with the product and shipped to customers outside your organization (including a private cloud deployment at the customer's site).
Hosted—Hosted in your company's data center (such as a SaaS application).
Unknown—Unknown distribution type.

Part of Product

The option indicating whether the item is part of the core product or an infrastructure piece such as a build or test tool. This can affect whether third-party notices are required for this item. The value can be Yes, No, or Unknown.

Linking

The option identifying how your software package links to the OSS or third-party component libraries. This method can affect license priority and obligations.

Not linked—The software package uses no links to the component libraries.
Statically linked—The component libraries are included in the software materials and thus linked statically.
Dynamically linked—The component libraries are brought in at runtime.
Unknown—The type of linking is unknown.

Modified

The option indicating whether code from the OSS or third-party package has been modified for use by your organization. The value can be Yes, No, or Unknown.

Encryption

The option indicating whether the component provides the encryption capabilities used in the product. Encryption can affect export controls. The value can be Yes, No, or Unknown.

Associated Files

Click this tab to view the list of files associated with this inventory item in the project. Each file entry shows the following:

Alias—The unique user-defined alias assigned to the scanner (Scan Server or remote scan agent) to represent the scan-root path containing the codebase in which the file is located. The alias provides a more meaningful name than the scan-root path. (The actual absolute scan-root path for each scanner associated with the project is available on the project's Summary tab.)
File Path—The file's path relative to the scan-root path on the instance hosting the scanner. You can click the file-path link to open the File Details tab for that file.

If you have Analyst permissions, the path is hyperlinked and opens the file's File Details tab in the Analysis Workbench, where you can view file evidence. While in the Analysis Workbench, you can also add or remove files associated with the inventory item if necessary. If you do not have Analyst permissions, the path appears as plain text.