sewechad
Active participant
Aug 06, 2019
03:34 PM
1 Kudo
This is a terrible solution. Attached is my proposal for how CodeInsight should support versions.
Aug 06, 2019
03:29 PM
Yes - Publish without save does not result in "Approval" but Save & Publish does result in "Approval". This sounds like a bug.
Jul 15, 2019
09:10 PM
1 Kudo
We are using FlexNet CodeInsight 2019 R1. I see how to export "Project Data" on the summary page but don't see an option to import the JSON file into a newly created project. Your solution should mirror how source code repositories are managed with branching and tagging. We don't ever want to lose the time and effort researching inventory items. If an inventory item is no longer used, it should be marked as deprecated rather than permanently deleted. Ideally, we should be able to classify the software version number when uploading source code to a project so that changes to inventory items can be tracked by software version.
Jul 15, 2019
08:49 PM
Your comments did not address the issue. Below are some examples to further explain the problem.

Exact Matches Example: Scan detected icon file "Magic_Wand.png" in source code and provides potential matches to 58 open source projects. None of these open source projects were the author of the file, which was located at https://www.iconfinder.com/icons/58574/magic_wand_icon along with details on author and license. Since all 58 projects contain the exact file, it would be good to establish a timeline to know who created the file first to help narrow the search. In this specific example, they likely all copied it off the internet. It would be a good enhancement for CodeInsight to index the publicly available images & icons from https://www.iconfinder.com & http://www.softicons.com.

Partial Match Example: Scan detected a partial code match against >1000 open source projects which all had a 95% code match. When there is such a large number of potential matches, it would be good to establish a timeline to know who created the file first to help narrow the search. We eventually located the author website https://www.wpftutorial.net/PasswordBox.html by searching Google using a code snippet of the first couple of lines.
Jun 28, 2019
04:54 PM
2 Kudos
The Flexera CodeInsight product datasheet (https://www.flexerasoftware.com/media/datasheets/datasheet-fci.pdf) says it can identify open source components in Docker Containers. After some testing, I am seeing results that are incomplete in identifying open source components within a simple project. I found an article which discusses containers and license compliance (https://lwn.net/Articles/752982/). The article mentioned that VMWare has started a project to be able to create a bill of materials (BOM) for a container image (https://github.com/vmware/tern). Flexera could look at how to use this tool to improve their product.
Jun 28, 2019
04:42 PM
We have seen odd behavior when uploading new versions of the software and starting a new scan. Training from Flexera did not cover procedure on what steps to take. We have seen inventory research get deleted which represents a huge loss of time and effort. What are the best practices for handling scans for new software versions?
Jun 28, 2019
04:34 PM
2 Kudos
What are the best practices from Flexera for handling false positives?
- Mark file as reviewed only
- Create unpublished inventory item called "False Positives"
- Create multiple "False Positive" unpublished inventory items -- Use information to modify scan profile to avoid false positives in future
Jun 28, 2019
04:15 PM
2 Kudos
The open source external reference sites for partial and exact matches result in a lot of wasted time chasing false positives since the actual original source is not included in the search results. The product needs to identify the true origin of the source rather than listing all possible matches from the universe of open source projects. From a usability perspective, any match list beyond 10-20 items is impractical to research manually! If the match list is too large, CodeInsight should offer methods of narrowing the list of search items such as:
- Include the ability to sort by earliest occurrence date -- The earliest file containing the source match is more likely to be the original source code
- Establish code lineage (i.e. graph relationship model)
- Identify if any of the match items include attribution to the original source code
Jun 28, 2019
03:07 PM
Regardless of inventory type ("component" or "license only"), the policy approval process should be consistent (see difference for review status below).
Jun 28, 2019
03:01 PM
We would like to be able to search and find all records that contain the search text. The current solution only finds "starts with".
Jun 28, 2019
02:53 PM
The usage tab introduced in the 2019 R1 release needs the following clarification:
- Distribution – What does internal mean? From the documentation, the example provided is for development tools that are not part of the final build. We think internal distribution should be defined as for software that is packaged with the build but only distributed to internal company users. You should have a separate entry called “Not Distributed” for components that are not in the final build (i.e. test harness codebase).
- Part of Product – This question should come before distribution. If a component is not part of the final build and not part of the product, then it would not be distributed. If “No” is selected for “Part of Product”, then the “Distribution Type” should default to “Not Distributed”.
- Linking – Please define “Not Linked”. We assume code copied into a program source file would be an example of “Not Linked”.
Jun 28, 2019
02:50 PM
Inventory items are tightly associated with files. When we have a software version change, there can be changes to the 3rd party license component file names (cxf-core-3.3.1.jar to cxf-core-3.3.2.jar). When uploading a new zip file and selecting “delete existing project codebase”, all inventory items are deleted if the new zip file does not contain the exact file name associated with existing inventory items. The time and effort researching license information for inventory items should not be discarded so quickly. When uploading zip files, you can either:
- Upload zip with no deletion
  - Pro: Preserves inventory items
  - Con: Unused folders and files stay around forever. Orphaned inventory items must be removed manually.
- Upload new zip with deletion (overwrite existing files/folders)
  - Pro: Folders and files are up-to-date with the source control system
  - Con: Inventory item research (audit notes, approvals, license text, etc.) is lost forever once the inventory item is deleted because of file/folder name changes

The user should be given the option to preserve inventory items. This should be the default since it is a huge waste of time and effort to redo the license analysis research. I would propose that the upload with deletion only change the status of the inventory items to “deprecated”. The analyst will then have the option to either:
- Delete the inventory item -- This would be used if the component was no longer used in the application
- Associate the inventory item with new files uploaded in the zip -- Small file name changes (cxf-core-3.3.1.jar to cxf-core-3.3.2.jar) will be handled without losing prior license audit notes and legal team approvals
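The deprecate-then-reassociate flow proposed in the post above, sketched as an added example (this is not CodeInsight's code and not the poster's; the `artifact_key` version-stripping heuristic, the `InventoryItem` fields and the sample file lists are all constructed for illustration). It shows how an upload with deletion can keep audit notes intact: items whose files disappeared are flagged `deprecated` rather than removed, and new files that differ from the old ones only by version are offered as re-association candidates.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Strips a trailing version (and optional qualifier such as .RELEASE or -jre)
# from an artefact base name, so cxf-core-3.3.1.jar and cxf-core-3.3.2.jar
# reduce to the same key "cxf-core.jar". Heuristic written for this example.
_VERSION_RE = re.compile(
    r"[-_]v?\d+(?:\.\d+)*(?:[-.][0-9A-Za-z]+)*(?=\.[A-Za-z0-9]+$)"
)


def artifact_key(path: str) -> str:
    """Version-insensitive key for a file path (basename with version removed)."""
    base = path.rsplit("/", 1)[-1]
    return _VERSION_RE.sub("", base)


@dataclass
class InventoryItem:
    name: str
    files: List[str]
    audit_notes: str = ""
    status: str = "active"  # "active" or "deprecated"


def reconcile(items: List[InventoryItem], new_files: List[str]) -> Dict[str, List[str]]:
    """Mark items whose files vanished as deprecated instead of deleting them,
    and return, per deprecated item, the new files that look like renamed
    versions of its old files (candidates for the analyst to re-associate)."""
    present = set(new_files)
    by_key: Dict[str, List[str]] = {}
    for f in new_files:
        by_key.setdefault(artifact_key(f), []).append(f)

    suggestions: Dict[str, List[str]] = {}
    for item in items:
        if any(f in present for f in item.files):
            item.status = "active"
            continue
        item.status = "deprecated"
        candidates = set()
        for f in item.files:
            candidates.update(by_key.get(artifact_key(f), []))
        suggestions[item.name] = sorted(candidates)
    return suggestions


def associate(item: InventoryItem, new_file: str) -> InventoryItem:
    """Analyst accepts a suggestion: point the item at the new file and
    reactivate it; audit notes and approvals on the item are untouched."""
    item.files = [new_file]
    item.status = "active"
    return item


# Constructed sample data for the example (not real project contents).
OLD_INVENTORY = [
    InventoryItem("Apache CXF Core", ["lib/cxf-core-3.3.1.jar"], "Apache-2.0, approved by legal"),
    InventoryItem("Guava", ["lib/guava-27.1-jre.jar"], "Apache-2.0, approved"),
    InventoryItem("Log4j 1.x", ["lib/log4j-1.2.17.jar"], "Apache-2.0, end-of-life component"),
    InventoryItem("Project README", ["README.md"], "internal file, reviewed"),
]
NEW_CODEBASE = [
    "lib/cxf-core-3.3.2.jar",
    "lib/guava-28.0-jre.jar",
    "README.md",
]


def demo():
    """Run the reconciliation on fresh copies of the sample inventory."""
    items = [InventoryItem(i.name, list(i.files), i.audit_notes) for i in OLD_INVENTORY]
    suggestions = reconcile(items, NEW_CODEBASE)
    statuses = {i.name: i.status for i in items}
    return statuses, suggestions


if __name__ == "__main__":
    statuses, suggestions = demo()
    for name, status in statuses.items():
        print(f"{name:18} {status:10} candidates: {suggestions.get(name, [])}")
```

In the sample run, the CXF and Guava items are deprecated with one candidate each (the renamed jar), Log4j is deprecated with no candidate (a genuine removal the analyst can then delete), and the README item stays active because its file is unchanged.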
Jun 28, 2019
02:42 PM
The automated component detection only identifies sub-components of a larger development framework. For example, our developers may be using the Spring Boot framework, Angular 7 framework, etc. and CodeInsight will find 100+ sub-components and provide no hierarchy information for which components belong to the larger framework. This causes our analysts to waste a lot of effort researching the license of the sub-component. The product should provide a method for establishing a license component hierarchy (see examples below) for complex open source frameworks so that we don’t have to waste a lot of effort researching obscure sub-component licenses.
- Apache CXF (Apache 2.0)
  - Component 1 (MIT)
  - WSDL4J (CPL) → Weak Copyleft but follows ASF policy guidelines to only include binary file
- Spring Boot (Apache 2.0)
  - Component 1 (MIT)
  - …
  - Component 100 (CPPL)
- Angular 7 JavaScript Framework (MIT)
  - Node package 1 (MIT)
  - …
  - Node package 1000 (???)
Jun 28, 2019
02:35 PM
1 Kudo
The automated component detection creates inventory items with unknown license types. This happens under the following scenarios:
- Automated component detection publishes inventory items with "I don't know" license type
  - There are multiple license options (i.e. CDDL or GPL with Classpath Exception)
  - The component does not have a license
- Automated component detection creates unpublished inventory items with "Work In Progress" license type

The published items with the "I don't know" license type are labeled as P3 and marked as “Pending”. It does not make sense to me that an inventory item can be published for approval if the license type is not known. If a license cannot be determined, the automated finding should be in an unpublished state so that the analyst can determine the correct license type.
Jun 28, 2019
02:15 PM
1 Kudo
Currently, the License Policy only provides simplistic capability to approve or reject a license. We would like to add the capability to “Approve with Conditions” with the ability to define rule-based criteria for when the license usage would be approved. The License Policy conditional rules would be aligned with the Inventory Details Usage questions that were introduced in 2019 R1. This feature would allow our legal team to create more fine-grained licensing rules and spend less time reviewing project requests that could be handled by conditional approval rules.

Example Conditionally Approved Rules:
1) MPL license would be approved if the open source code was “Not Modified”
2) EPL license would be approved if the following conditions were met:
   a) Open source code was “Not Modified”
   b) Component was “Dynamically Linked”
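The two conditional-approval rules from the post above, encoded as an added example of how such a policy could be evaluated against the Usage answers (this is illustration code, not CodeInsight's policy engine or the poster's; the `Usage` fields, the `POLICY` table and the "pending" fallback for unmet conditions are assumptions made here). Anything the rules cannot settle stays in manual review rather than being silently rejected.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Usage:
    """Answers to the Inventory Details Usage questions for one inventory item
    (field set assumed for this example)."""
    modified: bool        # True = "Modified", False = "Not Modified"
    linking: str          # "Dynamically Linked", "Statically Linked" or "Not Linked"
    distribution: str     # "External", "Internal" or "Not Distributed"
    part_of_product: bool


Condition = Tuple[str, Callable[[Usage], bool]]

# Policy table constructed for this example. A license maps either to a flat
# decision or to a list of named conditions that must all hold for approval.
POLICY: Dict[str, Dict] = {
    "MIT": {"decision": "approved"},
    "GPL": {"decision": "rejected"},
    # Rule 1 from the post: MPL approved when the code is not modified.
    "MPL": {"decision": "conditional",
            "conditions": [("code not modified", lambda u: not u.modified)]},
    # Rule 2 from the post: EPL approved when not modified and dynamically linked.
    "EPL": {"decision": "conditional",
            "conditions": [("code not modified", lambda u: not u.modified),
                           ("component dynamically linked",
                            lambda u: u.linking == "Dynamically Linked")]},
}


def evaluate(license_name: str, usage: Usage) -> Tuple[str, List[str]]:
    """Return (decision, unmet_conditions). Unknown licenses and unmet
    conditions both land in "pending" so the legal team still reviews them."""
    rule = POLICY.get(license_name)
    if rule is None:
        return "pending", ["no policy rule for license"]
    if rule["decision"] != "conditional":
        return rule["decision"], []
    unmet = [label for label, check in rule["conditions"] if not check(usage)]
    if unmet:
        return "pending", unmet
    return "approved", []


if __name__ == "__main__":
    cases = [
        ("MPL", Usage(False, "Not Linked", "External", True)),
        ("MPL", Usage(True, "Not Linked", "External", True)),
        ("EPL", Usage(False, "Dynamically Linked", "External", True)),
        ("EPL", Usage(False, "Statically Linked", "External", True)),
        ("CDDL", Usage(False, "Dynamically Linked", "External", True)),
    ]
    for lic, u in cases:
        print(lic, evaluate(lic, u))
```

The unmet-condition labels are returned alongside the decision so a reviewer sees why an item was not auto-approved, which is the information they need to decide whether to approve it by hand.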
Activity Feed
- Got a Kudo for Scanning Docker Files. Apr 06, 2020 03:35 PM
- Got a Kudo for Partial and exact matches results in a lot of wasted time chasing false positives. Nov 22, 2019 10:52 AM
- Got a Kudo for “I don’t know” license type should not be published. Aug 26, 2019 12:33 PM
- Got a Kudo for Re: Version Scanning Best Practices. Aug 15, 2019 02:02 PM
- Got a Kudo for Re: Version Scanning Best Practices. Aug 07, 2019 06:29 PM
- Posted Re: Version Scanning Best Practices on Code Insight Forum. Aug 06, 2019 03:34 PM
- Posted Re: License Policy auto-approval is dependent on Type (“Component” versus “License Only”) on Code Insight Forum. Aug 06, 2019 03:29 PM
- Got a Kudo for License Policy Enhancement for Conditional Approvals using Criteria from Inventory Details Usage. Jul 24, 2019 04:59 PM
- Got a Kudo for False Positive Best Practice. Jul 19, 2019 08:10 AM
- Kudoed Re: License Policy Enhancement for Conditional Approvals using Criteria from Inventory Details Usage for sgeary. Jul 16, 2019 11:37 PM
- Posted Re: Version Scanning Best Practices on Code Insight Forum. Jul 15, 2019 09:10 PM
- Posted Re: Partial and exact matches results in a lot of wasted time chasing false positives on Code Insight Forum. Jul 15, 2019 08:49 PM
- Got a Kudo for Partial and exact matches results in a lot of wasted time chasing false positives. Jul 15, 2019 12:26 PM
- Got a Kudo for False Positive Best Practice. Jul 15, 2019 11:49 AM
- Got a Kudo for Scanning Docker Files. Jul 15, 2019 11:31 AM
- Posted Scanning Docker Files on Code Insight Forum. Jun 28, 2019 04:54 PM
- Posted Version Scanning Best Practices on Code Insight Forum. Jun 28, 2019 04:42 PM
- Posted False Positive Best Practice on Code Insight Forum. Jun 28, 2019 04:34 PM
- Posted Partial and exact matches results in a lot of wasted time chasing false positives on Code Insight Forum. Jun 28, 2019 04:15 PM
- Posted License Policy auto-approval is dependent on Type (“Component” versus “License Only”) on Code Insight Forum. Jun 28, 2019 03:07 PM