Examining component information within Nexus Repository Manager OSS v3.27.0, I see
Containing repo listed under Summary and
Provenance listed under Attributes. For every component I have inspected the
Provenance always says “hashes_not_verified”.
Provenance is not documented. It should be. What do you mean when you say “Provenance”? Also, why are hashes not verified and what can I do to address that? If there answer is “all covered by NXRM Pro” then that is a important for documentation (and also helps your marketing )
My understanding of Provenance is that it all about origin. ie,
Containing repo (see above) is actually part of Provenance. However Provenance also covers who the manufacturer is… the person, organization, or GitHub project that manufactured the component. None of this is provided.
Hash validation can be a part of Provenance, but is really more to do with Pedigree (the individual DNA of specific components).