Code Insight Reports

Code Insight offers standard reports that are packaged with the release contents, as well as a number of other useful reports available for download from our GitHub SCA report repositories. With our flexible Custom Reports Framework, these reports can easily be modified to report only on information most critical to you or you can create your own custom report from scratch.

Listing of Available Reports

The following is a list of reports currently available for use with Code Insight. This list will be updated as additional reports become available.

  • Project Report
  • Audit Report
  • Notices Report
  • Project Vulnerabilities Report
  • Project Compliance Report
  • Project Comparison Report
  • Project Inventory Report with Hierarchy
  • SPDX Report
  • Claimed Files Report
  • Third-Party Evidence Report

Standard Reports

Project Report

The Project Report provides a summary and comprehensive view into a given project. This is one of our most popular reports - executives appreciate it for its high-level summary and operational risk assessment; development teams use it for archiving, backup and comparison of projects; legal uses it for a quick view of file-level copyrights and license information.

The Project Report shows all project inventory organized by inventory priority, security vulnerabilities organized by severity, remaining scan evidence, and review and remediation tasks for the project. In addition, it provides an operational risk index to indicate overall project risk and lists all scanned files and their respective scan evidence. It also benchmarks the project against other known OSS projects that we see in the business.

The report is available in JSON and Excel format. The operational risk index calculation can be customized to suit the needs of your organization. The Excel version of the report includes the following tabs:

Project Report: Summary Tab


Project Report: Benchmarks Tab


Things to Note About the Project Report

  • The metrics and statistics in this report are based on the results of the most recent server scan and remote scan(s) associated with the project.
  • Currently, Code Insight is able to report license evidence found in remote files scanned by a scan agent. This evidence is reflected (along with evidence detected by the Scan Server) in the charts and data in the following locations:
    • Additional Evidence section of the Summary sheet
    • Files with License sheet (with an Alias column to help you determine which files are remote)
    • All Scanned Files sheet
  • When the report lists codebase files, an alias and file path can be included with each file name in the format <alias>:<filePath> (or as separate properties). The alias is a unique descriptive name representing the scan-root path for the Scan Server or remote scan agent, and the file path is relative to scan root. (The actual absolute scan-root path for each scanner associated with the project is available on the project’s Summary sheet.)
  • The security vulnerability information in the report is based on the CVSS version (v3.x or v2.0) currently used by your Code Insight system for reporting purposes. If CVSS 3.x is used, vulnerability counts and information in the report are based on data from all CVSS v3 systems supported by Code Insight, currently v3.1 and v3.0. (A given vulnerability can have only one v3 score—either a v3.1 or v3.0 score, not both.)

Audit Report

The Audit Report provides another way to distribute your research and findings to others in your organization. Only published inventory items appear in the Audit reports so that items that are ready to be shared with the broader team can be presented in a clean manner while analysts continue their reviews on in-progress items.

Audit Report: Summary View


Things to Note about the Audit Report

  • The metrics and statistics in this report are based on the results of the most recent server scan and remote scan(s) associated with the project.
  • When the report lists codebase files, an alias and file path can be included with each file name in the format <alias>:<filePath>. The alias is a unique, descriptive name representing the scan-root path for the Scan Server or remote scan agent, and the file path is relative to scan root. (The actual scan root for each scanner associated with a project is available on the project’s Summary sheet.)
  • The total lines of code listed on the Summary sheet is based on the server-side codebase only; the total does not include lines of code in the remote codebase(s).
  • The security vulnerability information in the report is based on the CVSS version (v3.x or v2.0) currently used by your Code Insight system for reporting purposes. If CVSS 3.x is used, vulnerability counts and information in the report are based on data from all CVSS v3 systems supported by Code Insight, currently v3.1 and v3.0. (A given vulnerability can have only one v3 score—either a v3.1 or v3.0 score, not both.)
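The CVSS note in the Project Report and Audit Report sections above has a practical consequence that is easy to miss: the same set of vulnerabilities produces different severity counts depending on whether the system reports with CVSS v3.x or v2.0, and a record that only carries a score of the other version contributes nothing to the counts. The following is an added example (not Code Insight's own code; its data model is not shown on this page, so the dictionary layout, the field names and the sample vulnerabilities are constructed) that applies the rule stated above: each vulnerability has at most one v3 score (v3.1 or v3.0, never both), and the report uses whichever score matches the configured version. The severity bands are the standard CVSS qualitative ratings; whether Code Insight uses exactly these bands is not stated on the page. The example also lists records that have no score of the configured version, so a reviewer can see what the counts leave out.

```python
"""Added example: vulnerability severity counts under a configured CVSS version.

Assumptions (not from the page): the per-vulnerability dict layout below, the
standard CVSS qualitative bands, and reporting unscored records separately.
"""
from collections import Counter

# Constructed sample data. "v3" is a (version, score) pair or None; a record
# never carries both a v3.1 and a v3.0 score, matching the note above.
SAMPLE_VULNS = [
    {"id": "VULN-A", "v2": 7.5, "v3": ("3.1", 9.8)},
    {"id": "VULN-B", "v2": 5.0, "v3": ("3.0", 7.5)},
    {"id": "VULN-C", "v2": 4.3, "v3": None},           # v2.0-only record
    {"id": "VULN-D", "v2": None, "v3": ("3.1", 3.7)},  # v3-only record
]


def severity_v3(score):
    """Standard CVSS v3.x qualitative rating for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def severity_v2(score):
    """Standard CVSS v2.0 qualitative rating for a base score."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def select_score(vuln, cvss_version):
    """Return (score, severity) under the configured version, or None when the
    record has no score of that version. For "3.x" the single v3 score is used
    whether it is v3.1 or v3.0."""
    if cvss_version == "3.x":
        if vuln["v3"] is None:
            return None
        _minor, score = vuln["v3"]
        return score, severity_v3(score)
    if cvss_version == "2.0":
        if vuln["v2"] is None:
            return None
        return vuln["v2"], severity_v2(vuln["v2"])
    raise ValueError("cvss_version must be '3.x' or '2.0'")


def count_by_severity(vulns, cvss_version):
    """Severity counts as a report would show them, plus the ids of records
    that contributed nothing because they lack a score of that version."""
    counts = Counter()
    unscored = []
    for vuln in vulns:
        selected = select_score(vuln, cvss_version)
        if selected is None:
            unscored.append(vuln["id"])
        else:
            counts[selected[1]] += 1
    return dict(counts), unscored


if __name__ == "__main__":
    for version in ("3.x", "2.0"):
        counts, unscored = count_by_severity(SAMPLE_VULNS, version)
        print(f"CVSS {version}: {counts}; no {version} score: {unscored}")
```

Running it with the constructed data shows the shift: under v3.x the first record is Critical and the v2.0-only record is left out, while under v2.0 the same record becomes High and the v3-only record is left out. When comparing reports generated at different times, check the CVSS setting before reading the counts as a trend.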

Notices Report

Code Insight provides the ability to produce a Notices report to satisfy the attribution requirements of most open source licenses. The report is created in text format.

After Engineering has completed the remediation plan, resolving all rejected inventory items, the codebase is rescanned until it is approved for release. When the codebase is approved for release, you need to generate a Notices report to accompany the software application. This report is a compilation of all the open source/third-party components contained in the product and their license content (notices).

The Notices report shows only published inventory. The inventory can be system-generated or custom and of any type—Work in Progress, Component, or License.

The following items can appear in the Notices report for each inventory item:

  • Inventory name—The entry in this field follows the inventory naming convention, which is usually the component name, version, and governing license name.
  • Inventory URL—If the inventory URL is not available, Code Insight uses the associated component URL. If both are unavailable, no URL appears in the report.
  • Inventory Notices Text—The final “notices” text associated with the inventory item. It is pulled from the Notices Text field on the Notices Text tab for the selected inventory item in the Analysis Workbench or in Project Inventory. If this field is empty, Code Insight uses the content of the As-Found License Text field (also on the Notices Text tab), which holds the verbatim license text found in the codebase by the system. If neither Notices Text nor As-Found License Text is available, the text for the selected license is pulled from the Code Insight data library and used in the Notices report. For more information, see Finalizing the Notices Text for the Notices Report.
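The list above defines two fallback chains per inventory item (Notices Text, then As-Found License Text, then the data library text for the license; and inventory URL, then component URL, then no URL) and one filter (only published inventory). The following is an added example, not Code Insight's own report code, that applies those rules to a constructed inventory and renders a text-format notices file. The record layout, the stand-in license library, the output layout and the handling of an item for which all three text sources are empty (the example marks it as missing rather than silently omitting it, which the page does not specify) are assumptions made for the example.

```python
"""Added example: notices text assembly following the fallback order above.

Assumptions (not from the page): dict field names, the stand-in data library,
the text layout, and flagging items that end up with no text at all.
"""

# Constructed stand-in for the Code Insight data library, keyed by license.
LICENSE_LIBRARY = {
    "MIT": "MIT License\n\nPermission is hereby granted, free of charge, ...",
    "Apache-2.0": "Apache License, Version 2.0, January 2004 ...",
}

# Constructed published and unpublished inventory items.
SAMPLE_INVENTORY = [
    {"name": "alpha-lib 1.4.0 (MIT)", "published": True, "license": "MIT",
     "inventory_url": "https://example.invalid/inventory/alpha-lib",
     "component_url": "https://example.invalid/component/alpha-lib",
     "notices_text": "Copyright (c) Alpha Authors. Licensed under MIT.",
     "as_found_license_text": ""},
    {"name": "beta-tool 2.0.1 (Apache-2.0)", "published": True, "license": "Apache-2.0",
     "inventory_url": None,
     "component_url": "https://example.invalid/component/beta-tool",
     "notices_text": "",
     "as_found_license_text": "Apache License Version 2.0 (verbatim text found in LICENSE file)"},
    {"name": "gamma-core 0.9 (MIT)", "published": True, "license": "MIT",
     "inventory_url": None, "component_url": None,
     "notices_text": None, "as_found_license_text": None},
    {"name": "delta-unknown 1.0 (Custom)", "published": True, "license": "Custom",
     "inventory_url": None, "component_url": None,
     "notices_text": "", "as_found_license_text": ""},
    {"name": "draft-lib 3.1 (MIT)", "published": False, "license": "MIT",
     "inventory_url": None, "component_url": None,
     "notices_text": "Should not appear: unpublished", "as_found_license_text": ""},
]


def resolve_notices_text(item, library):
    """Return (text, source). Source names which fallback supplied the text."""
    notices = (item.get("notices_text") or "").strip()
    if notices:
        return notices, "Notices Text"
    found = (item.get("as_found_license_text") or "").strip()
    if found:
        return found, "As-Found License Text"
    from_library = library.get(item.get("license") or "")
    if from_library:
        return from_library, "data library"
    return "", "missing"  # assumption: flag rather than drop


def resolve_url(item):
    """Inventory URL first, then component URL, else None."""
    return item.get("inventory_url") or item.get("component_url") or None


def build_notices_report(items, library=LICENSE_LIBRARY):
    """Render published items in text format; return (report_text, entries).

    entries is the resolved per-item data so callers can check provenance and
    spot items whose text is missing before shipping the file."""
    entries = []
    for item in items:
        if not item.get("published"):
            continue  # Notices report shows only published inventory
        text, source = resolve_notices_text(item, library)
        entries.append({"name": item["name"], "url": resolve_url(item),
                        "text": text, "source": source})
    lines = []
    for entry in entries:
        lines.append(entry["name"])
        if entry["url"]:
            lines.append(entry["url"])
        lines.append("")
        lines.append(entry["text"] or "[NO NOTICES TEXT AVAILABLE - REVIEW BEFORE RELEASE]")
        lines.append("-" * 72)
    return "\n".join(lines), entries


def items_missing_text(entries):
    """Names of published items that resolved to no text at all."""
    return [e["name"] for e in entries if e["source"] == "missing"]


if __name__ == "__main__":
    report, resolved = build_notices_report(SAMPLE_INVENTORY)
    print(report)
    print("Missing text:", items_missing_text(resolved))
```

The `source` recorded for each entry is the useful part for review: an entry whose text came from the data library rather than from the codebase deserves a second look, because the generic license text may not carry the copyright line the component's own notice had.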

Notices Report View


Other Available Reports

In Code Insight 2020 R1, we released a Custom Reports Framework which enables anyone with coding skills to create custom reports for Code Insight and register them for direct access in the product. The framework provides flexibility not only for our customers, but also for the Revenera team in order to bring you reports outside of our regular release schedule. Here are a few of our most popular reports:

Project Vulnerabilities Report

This is a security-focused report that calls out all vulnerable project inventory and lists the associated vulnerabilities. Use this report to quickly review security issues or to share data with your Security team. The report supports search and click-through to the vulnerable inventory in Code Insight for additional review.

Vulnerabilities Report: Summary View


Project Compliance Report

This report lets you visualize the inventory items for a project along with their current compliance issues. The compliance issues listed in this report are P1 licenses, rejected inventory items, unreviewed items, the presence of security vulnerabilities, and outdated (old) versions, but the report can be modified to report on the compliance issues of interest to your organization. For example, if you are not working with products that are shipped and want to create a security-centric report, this is possible with a few modifications to the report code.

compliance_report_example.JPG

Project Comparison Report

This report compares the inventory between two projects (e.g. two different products or two releases of the same product).

Project Inventory Report with Hierarchy

If you have designated a parent/child hierarchy for your projects in order to better represent your company offerings, the Project Inventory Report can be used to easily report across multiple projects. Running the report for the parent project pulls in all child projects. This is useful for keeping track of your software bill of materials (SBOM), and the report can be further customized to report on other inventory attributes, such as third-party notices, to generate notices across projects.

Project Inventory Report with Hierarchy: Summary View

HTML Report Functionality

The majority of Code Insight reports are available in HTML format and can be loaded directly in the browser with the following functionality:

  • The columns in the report can be sorted by clicking on the column header.
  • A search box is available for quickly locating specific parts of the report. The search is performed across all columns in the report.
  • You can use the page numbers at the bottom to jump to a specific location.
  • Reports link back to the project(s) where the report originated to show you a live view of your inventory and evidence.
Last update: May 18, 2021 07:08 PM