Card View
Component scan results are grouped by the module and dependency manager from which they originated. The name of the module and the path to the dependency file are shown at the top of each grouping.
The component's name and version are derived from our knowledge base data as part of our comprehensive data ingestion process.
You can navigate to the component ecosystem's provenance data by clicking on the provenance link shown below. Whenever possible, we make the origin of our data available for the purposes of transparency and trust with our users.
In the example below, the artifact absl-py originated from the Python ecosystem, as shown by the Python logo in the lower left corner of the image. Clicking the provenance icon opens a new tab showing the provenance of the exact version of this component. This allows users to quickly verify the integrity of our data, such as the Apache 2.0 license.
All license data is available on the component card. If a single license is discovered, then the single license is shown directly on the component card, as shown below.
If multiple licenses are discovered, then you'll see "multiple" instead of the license name and will need to click on the word "multiple" to see the list of licenses, as shown below:
For both single and multiple licenses, a colored risk marker indicates the greatest license risk level among the discovered licenses. For example, if a component is licensed under MIT or Mozilla Public License 2.0, the risk marker color will be orange, to indicate the highest risk license. An example is shown below:
The license popup menu is available by hovering over the license name. The license menu provides four options:
View
The view menu option opens a dialog window that displays all available data for the license in question. A partial example is shown below.
All license attributes, including permissions, limitations and conditions, are available in the Threatrix policy engine and may be used to create policies that drive actions.
Provenance
In an effort to provide full transparency into the origins of artifact data, including licenses, we make every effort to verify the origins of our data and provide the provenance to the user. The provenance link displays the origin of the license, whether that is the asset text, a license file or repository metadata, so that you can quickly make an informed decision about the license's validity and efficacy.
Reject
Rejecting a license eliminates the license from both license metrics and reports. Rejecting an existing license is not required before adding another license.
Known vulnerabilities for components are displayed on the card and color-coded by severity. The number of vulnerabilities for each severity is also provided. Shown below is an especially vulnerable version of tensorflow-cpu.
Clicking on an individual metric produces a dialog with a complete list of all vulnerabilities in that metric's risk category.
From the above list, clicking on an individual vulnerability will provide the full details.
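The two rules the card applies, a single license name versus "multiple" with a marker colored by the riskiest discovered license (with rejected licenses dropped from the metrics), and vulnerability counts grouped by severity, are small enough to model directly. The following Python is an added illustration, not Threatrix code or its real risk data: the only ranking the page establishes is that MPL 2.0 sits above MIT (the marker turns orange), so every other license rank, the color thresholds, the `ComponentCard` structure and the sample cards and vulnerability identifiers are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed risk ranking (higher number = greater license risk). Only the
# relative order MIT < MPL-2.0 comes from the page; every other entry and the
# color thresholds below are illustrative assumptions, not Threatrix data.
LICENSE_RISK = {
    "MIT": 1,
    "Apache-2.0": 1,
    "BSD-3-Clause": 1,
    "MPL-2.0": 2,
    "LGPL-3.0-only": 3,
    "GPL-3.0-only": 4,
}
# A license the table cannot classify is treated as the riskiest case so that an
# unknown string never silently produces a green marker.
UNKNOWN_RISK = 5
RISK_COLOR = {1: "green", 2: "orange", 3: "orange", 4: "red", UNKNOWN_RISK: "red"}

SEVERITY_ORDER = ("critical", "high", "medium", "low")


@dataclass
class ComponentCard:
    """Minimal, assumed model of one entry in the card view."""
    name: str
    version: str
    ecosystem: str
    licenses: list[str]
    rejected: set[str] = field(default_factory=set)
    # (vulnerability id, severity) pairs; ids here are constructed placeholders
    vulnerabilities: list[tuple[str, str]] = field(default_factory=list)

    def active_licenses(self) -> list[str]:
        # A rejected license drops out of both metrics and reports.
        return [lic for lic in self.licenses if lic not in self.rejected]

    def license_label(self) -> str:
        """Single license name, or the word 'multiple' when more than one remains."""
        active = self.active_licenses()
        if not active:
            return "none"
        return active[0] if len(active) == 1 else "multiple"

    def license_risk_marker(self) -> str:
        """Marker color for the highest-risk license among the active ones."""
        active = self.active_licenses()
        if not active:
            return "none"
        worst = max(LICENSE_RISK.get(lic, UNKNOWN_RISK) for lic in active)
        return RISK_COLOR[worst]

    def reject_license(self, lic: str) -> None:
        if lic not in self.licenses:
            raise ValueError(f"{lic} is not a discovered license of {self.name}")
        self.rejected.add(lic)

    def vulnerability_counts(self) -> dict[str, int]:
        """Per-severity counts in display order, zero-filled for empty buckets."""
        counts = Counter(sev.lower() for _, sev in self.vulnerabilities)
        return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}

    def vulnerabilities_in(self, severity: str) -> list[str]:
        """The list shown when one severity metric on the card is clicked."""
        return [vid for vid, sev in self.vulnerabilities if sev.lower() == severity.lower()]


# Constructed sample cards (versions and vulnerability ids are placeholders).
ABSL = ComponentCard("absl-py", "1.0.0", "python", ["Apache-2.0"])
MIXED = ComponentCard(
    "example-lib", "2.0.0", "python", ["MIT", "MPL-2.0"],
    vulnerabilities=[("VULN-0001", "high"), ("VULN-0002", "critical"), ("VULN-0003", "high")],
)

if __name__ == "__main__":
    for card in (ABSL, MIXED):
        print(card.name, card.license_label(), card.license_risk_marker(), card.vulnerability_counts())
```

Because an unrecognized license string maps to the red marker rather than to green, a component whose license text could not be classified is surfaced for review instead of being hidden among the low-risk entries; the same conservative default is worth keeping in any policy that consumes these attributes.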