Sonatype Lifecycle product logo

InnerSource Insight in Sonatype Lifecycle

Current Status
Not Enrolled
Get Started


This course will demonstrate how to identify and manage the transitive dependencies brought in from your own InnerSource components – which are components that are internally developed and shared with your other internal projects.

Course Goals

In this course, we’ll explore a new feature in Sonatype Lifecycle, called InnerSource Insight. This feature enables you to reduce the impact of transitive dependency violations that come directly from proprietary components from within your own organization.

Component detail page showing an overview of the Commons-Fileupload component and how to remediate risk.

The difficulty with remediating these specific policy violations is understanding they are NOT direct dependencies, but in fact, transitive dependencies of the InnerSource component. Teams struggle with identifying how those open source vulnerabilities align to their internally developed components.

The transitives are the source of the policy violation but the fix is with the InnerSource component.


By the end of this course, you will be able to:

  • Summarize the relationship between direct and transitive dependencies
  • Describe the difference between open source and InnerSource components
  • List the requirements to view and identify InnerSource results in Lifecycle
  • Identify transitive dependencies of the InnerSource components 
  • View existing waivers
PrerequisitesBecause this is not beginner level material, you should have familiarity with the following before taking this course:
– A basic understanding of Maven and the Sonatype CLM for Maven plugin
– Experience with Sonatype Lifecycle or have taken the IQ-100 Foundations course
– Basic remediation concepts or have taken the IQ-103 Component Remediation course
Target AudienceThe target audience for this course is Sonatype Lifecycle users who view and work with the results produced by a scan generated Software Bill of Materials (SBOM) for an application.

InnerSource Insight provides huge value to developer and security teams by focusing on actionable results about your project dependencies. It removes the noise and manual investigative work required to determine which dependencies are direct and which are transitive.
Est. Time to Complete~ 30 minutes
System RequirementsSystem requirements do not apply to this course. These are provided as requirements for using InnerSource Insight in your environment.

– Refer to the latest IQ/Lifecycle version requirements in our technical guide
– The InnerSource component must be scanned with Sonatype Lifecycle prior to scanning the consuming application
– Java Applications – Scan with either the Maven CLM or Gradle Plugin
– Javascript Applications – Must contain npm manifest files to identify InnerSource and other dependency types. Checkout the npm Application Analysis Documentation for more information.

The Sonatype platform is available in cloud, self-hosted, and disconnected deployment options. Be advised that the visuals in this course could be sourced from any (or all) of the three. The screens may have a different display, but the content and concepts remain generally the same.
Setting ExpectationsIt is assumed learners have at least beginner-level competency in:
– Key terms used in code development
– Source code management using GitHub

Version Info: Users with an IQ Server version below 128 will see the old Component Information Panel. Learn more about the CIP and all its features by clicking the link.