Open Source Visibility Report, Powered by Sonatype Component Lifecycle Management (CLM)
Policy violations shown in this report are based on pre-set, standard policy definitions established by Sonatype. Customers of the full Sonatype Component Lifecycle Management software are able to customize their policies.
This section identifies the breakdown of vulnerabilities by severity and the threat level they pose to your application. Severity levels are based on CVSS ratings.
This chart shows how deep within the dependency tree your issues are located.
This section defines the number of licenses detected in each category, including risk classifications.
Each main row represents a policy, organized by policy threat level. The policy name is provided for easier review.
A policy is made up of constraints, which are sets of rules referred to as conditions. When a component meets a condition (and in turn, the constraint), a violation occurs. Here are the values for the conditions that have been met.
Here are the Maven coordinates for the components that violate the pre-set, standard policies included in your report. In this sample, seven components violate the "Security-Medium Policy".
Review and investigate any security vulnerabilities found in the components in your application.
The "status" can be managed for both security and license issues. This allows your team to triage, research and track items over time and determine which issues are not applicable and should be excluded from the report.
Go directly to the source to drill down on the details for any vulnerability.
Review and investigate license information for every component in your application.
Licenses are sorted by threat level with the riskiest at the top. Licenses are categorized as Copyleft (red), Non-standard or Not Provided (orange), Weak Copyleft (yellow) and Liberal (blue).
This section lists the specific components found in an application, also known as an application "bill of materials."
If the component is known, then we will display its Maven coordinates. If it is unknown or proprietary, then we will display the path and filename of the component as it exists in your application.
Represents whether or not a match could be found with a component in the (Maven) Central Repository. Exact means the component is in Central. Similar means the component has characteristics similar to one or more components in Central.