Component Provenance in NXRM

Examining component information within Nexus Repository Manager OSS v3.27.0, I see Containing repo listed under Summary and Provenance listed under Attributes. For every component I have inspected the Provenance always says “hashes_not_verified”.

Provenance is not documented. It should be. What do you mean when you say “Provenance”? Also, why are hashes not verified and what can I do to address that? If there answer is “all covered by NXRM Pro” then that is a important for documentation (and also helps your marketing )

My understanding of Provenance is that it all about origin. ie, Containing repo (see above) is actually part of Provenance. However Provenance also covers who the manufacturer is… the person, organization, or GitHub project that manufactured the component. None of this is provided.

Hash validation can be a part of Provenance, but is really more to do with Pedigree (the individual DNA of specific components).

Anything? Is it not a defect to have areas of functionality which are undocumented?

@msymons Thanks for raising this - yes, Provenance definitely is an area that could use a little love. What would be most valuable for you to see here? I get that it’s confusing and partial in its current state, if we removed it for now would be an improvement, or did you go to this looking for information that you need?