Question about automatically created inventory item and confidence level
After running the analysis of our project, the tool automatically creates an inventory item associated with the component "jsoup 1.7.2 (MIT License)" based on a jar file with the MD5 code "06cca626f92fca16f8d2dd9994ff9ab0" (obtained from the URL in the component information).
However, the MD5 of the file inside our project associated with the item (jsoup-1.7.2.jar) is "1E9F8AB89DEB373DCC90449FF366F006".
In a similar case, two items were automatically created for the same file (named xmlbeans-2.6.0.jar).
One of the items (xmlbeans 2.6.0 [Apache-2.0]) has a medium confidence level, but the MD5 of the component's jar file matched the one in our project.
The second item (org.apache.xmlbeans 2.6.0 [Apache-2.0]) has a high confidence level, but the MD5 was not the same, and when consulting the URL with the component information, the version associated with the inventory item did not exist.
Why does the tool generate an item if the digest codes are different?
Why is the level of confidence high in these cases, when it seems the files are not the same? Is there a way to configure the confidence level based on the detection rule of the inventory item?
The confidence indicator for an inventory item is decided based on the following:
The rule that detects the inventory item + the PDL entry for the component.
Users will not have control to modify the confidence indicators, though a user can publish or unpublish inventory items based on the confidence indicator values.
The MD5 of the associated file and the MD5 displayed in the Analysis Workbench should in general be the same. If you are seeing a discrepancy, could you please point us to the codebase you are referring to so that we can analyze further.
Two inventory items for the same file may be generated in a few cases because different detection techniques acted upon the same file. Ideally they should have been reconciled. Another observation in your case is that the MD5s of the two files are different. We would like a pointer to the codebase you are referring to for further analysis.
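As an added example, not part of this thread or the tool's own code, the reconciliation the question is after can be checked independently: compute each project jar's MD5, compare it case-insensitively with the digest the inventory item reports, and flag files that received more than one item. The inventory records, jar contents and the all-zero digest are constructed for the demo; the jsoup digest is the one quoted in the question, and the `item`/`reconcile`/`demo` helpers are hypothetical names, not the tool's API.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def file_md5(path, chunk=1 << 16):
    """MD5 of a file as lowercase hex, read in chunks so large jars are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def item(file, component, confidence, md5):
    """One inventory record: file it was created for, component, confidence, reported digest."""
    return {"file": file, "component": component, "confidence": confidence, "md5": md5}

def reconcile(inventory, project_dir):
    """Check each item's reported digest against the file's real one; flag multi-item files."""
    per_file = defaultdict(list)
    findings = []
    for rec in inventory:
        path = os.path.join(project_dir, rec["file"])
        per_file[rec["file"]].append(rec["component"])
        if not os.path.isfile(path):
            status = "file_missing"
        elif file_md5(path) == rec["md5"].strip().lower():  # hex case must not matter
            status = "match"
        else:
            status = "digest_mismatch"
        findings.append({**rec, "status": status})
    for name, comps in per_file.items():
        if len(comps) > 1:
            findings.append({"file": name, "status": "duplicate_items", "components": comps})
    return findings

def demo():
    """Constructed project directory and inventory shaped like the question's case."""
    tmp = tempfile.mkdtemp()
    for name in ("jsoup-1.7.2.jar", "xmlbeans-2.6.0.jar"):
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(b"PK\x03\x04 constructed placeholder content for " + name.encode())
    xmlbeans_md5 = file_md5(os.path.join(tmp, "xmlbeans-2.6.0.jar"))
    # reported digests: the one quoted in the question, the real one (uppercase), a constructed one
    inventory = [
        item("jsoup-1.7.2.jar", "jsoup 1.7.2", "high", "06cca626f92fca16f8d2dd9994ff9ab0"),
        item("xmlbeans-2.6.0.jar", "xmlbeans 2.6.0", "medium", xmlbeans_md5.upper()),
        item("xmlbeans-2.6.0.jar", "org.apache.xmlbeans 2.6.0", "high", "0" * 32),
    ]
    return reconcile(inventory, tmp)
```

Run against a real scan export, a `digest_mismatch` on a high-confidence item is the discrepancy worth reporting with the codebase pointer the answer asks for, and `duplicate_items` lists the items that should have been reconciled.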