
Provenance Explorer User Guide

Introduction

NetRise Provenance Explorer is a software supply chain intelligence platform that helps you understand the origins, maintainers, and security posture of the open-source components in your software. Whether you are a security engineer investigating a dependency, a CISO assessing organizational risk, or an SBOM vendor enriching your data, Provenance Explorer provides the visibility you need.

The platform consists of three interfaces: the Provenance Explorer web application (the UI), the CLI, and the Provenance REST API. All three provide access to the same underlying data. This guide covers the web application in detail.

What You Can Do

  • Look up contributors by email address or GitHub username to view their identity, contributions, locations, and security posture.
  • Explore packages by Package URL (PURL) to see metadata, dependencies, repository mappings, and downstream dependents.
  • Analyze repositories by URL to view contributors, associated packages, geographic distribution, and health metrics.
  • Investigate advisories to understand blast radius — which contributors, packages, and repositories are affected.
  • Access everything programmatically through a RESTful JSON API with bearer token authentication.

Getting Started

Accessing the Application

Navigate to the Provenance Explorer URL provided by your NetRise administrator. Log in with your credentials. Upon successful authentication, you will land on the Dashboard.

Navigation

The left sidebar provides access to all major sections of the application:

Section            Description
Dashboard          Home page with usage statistics and quick actions
Contributors       Search for contributors by email or GitHub username
Packages           Look up package provenance data by PURL
Repositories       Analyze source code repositories by URL
Advisories         Browse and search security advisories
History            View your past searches
Favorites          Access bookmarked contributors, packages, or repos
Settings           Manage account and API settings
Usage              View API usage statistics
User Management    Admin: manage users and permissions

Tip (Quick Search): Use the search bar at the top of any page (Ctrl+K) to quickly search across contributors, packages, and repositories from anywhere in the application.

Dashboard

The Dashboard is your home page and provides a high-level overview of your activity in Provenance Explorer. At the top, you will see summary statistics showing your Total Searches, Favorites, Contributors Searched, and Packages Explored.

Quick Actions

The Dashboard offers quick-action cards to jump directly into common workflows:

  • Lookup Contributor: Search by email or GitHub username.
  • Explore Package: Get provenance data by PURL.
  • Analyze Repository: View repo contributors and packages.
  • Advisories: Browse and search security advisories across packages and ecosystems.


Contributor Lookup

The Contributor Lookup page allows you to search for information about open-source contributors. This is useful for vetting maintainers of critical dependencies, understanding who is behind a project, or investigating a contributor flagged by an advisory.

How to Search

  1. Navigate to Contributors in the left sidebar.
  2. Choose your search method from the "Search By" dropdown: Email Address or GitHub Username.
  3. Enter the email address or username in the search field.
  4. Click Search.

Understanding Contributor Results

When a contributor is found, their profile is displayed with several tabs of information. If the contributor is associated with any NetRise advisories, an advisory badge (e.g., NETR-2024-0001) will appear next to their name, indicating whether they are directly or indirectly associated.

Identity Tab

The Identity tab displays the contributor’s known names (including aliases), email addresses, and GitHub usernames. This information is aggregated from commit histories and public profiles.

Contributions Tab

The Contributions tab shows all packages the contributor has committed code to. Results can be displayed in List or Grouped view. In Grouped view, packages are organized by type (e.g., apk, deb, rpm) and then by distribution (e.g., alpine, ubuntu). Each package entry shows the version and distribution details such as architecture and distro version.

Locations Tab

The Locations tab displays any geographic information associated with the contributor. Locations are derived from public profile data, email domain country codes, organization locations, and other attribution methods. Each location includes a confidence score and the methods used to determine it.

Security Tab

The Security tab provides critical security intelligence about a contributor, including whether their email has appeared in known data breaches (via Have I Been Pwned integration), their signed commit ratio, signing key status, and any detected key changes. This data is available when the contributor’s profile has been enriched through NetRise’s offline curation process.

Package Lookup

The Package Lookup page lets you explore detailed provenance data for software packages. You search by Package URL (PURL), a standardized identifier that encodes the package type, vendor, name, version, architecture, and distribution.

How to Search

  1. Navigate to Packages in the left sidebar.
  2. Enter a full PURL in the search field, or click PURL Builder to construct one interactively.
  3. Click Search.

Using the PURL Builder

If you are unsure how to construct a PURL manually, the PURL Builder provides a guided, form-based interface. Click the PURL Builder button next to the search field on the Packages page to open the builder modal.

The PURL Builder walks you through each required field:

OS Packages:

  1. Package Type — Select the package format from the dropdown (e.g., Debian .deb, RPM .rpm, Alpine .apk).
  2. Namespace — Enter the vendor or distribution source (e.g., debian, ubuntu, centos, alpine).
  3. Package Name — Enter the name of the package (e.g., curl, openssl, nginx).
  4. Version — Enter the full version string including any release suffixes (e.g., 7.68.0-1, 1.2.3-r1).
  5. Architecture — Select the CPU architecture from the dropdown (e.g., amd64, arm64, x86_64).
  6. Distribution — Select the OS distribution and version from the dropdown (e.g., ubuntu-22.04, debian-12).

As you fill in each field, the Generated PURL preview at the bottom of the modal updates in real time, showing you the exact PURL string that will be used. Once all fields are complete, click "Use This PURL" to populate the search field and run the query, or click "Cancel" to close the builder without searching.
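The following is an added example, not NetRise's code: it builds a PURL from the same fields the PURL Builder asks for (type, namespace, name, version, architecture, distribution) and parses one back, following the PURL spec's percent-encoding rules. The qualifier keys arch and distro, and all sample values, are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import quote, unquote

# Added example, not NetRise code: build and parse a Package URL from the
# same fields the PURL Builder asks for. Layout follows the PURL spec:
#   pkg:<type>/<namespace>/<name>@<version>?arch=<arch>&distro=<distro>
# Sample values used with these functions are constructed for illustration.

def _enc(part: str) -> str:
    # Percent-encode a component; '/', '@', '?', '&', '#' and ':' are PURL
    # separators, so they must never appear unescaped inside a component.
    return quote(part, safe="")

def build_purl(ptype: str, namespace: str, name: str, version: str = "",
               arch: Optional[str] = None, distro: Optional[str] = None) -> str:
    if not ptype or not name:
        raise ValueError("package type and name are required")
    purl = f"pkg:{ptype.lower()}/"
    if namespace:  # may have several '/'-separated segments; encode each one
        purl += "/".join(_enc(s) for s in namespace.strip("/").split("/")) + "/"
    purl += _enc(name)
    if version:
        purl += "@" + _enc(version)
    quals = {k: v for k, v in (("arch", arch), ("distro", distro)) if v}
    if quals:  # qualifier keys are lowercase and sorted, per the spec
        purl += "?" + "&".join(f"{k}={_enc(v)}" for k, v in sorted(quals.items()))
    return purl

def parse_purl(purl: str) -> dict:
    if not purl.startswith("pkg:"):
        raise ValueError("a PURL must start with 'pkg:'")
    rest, _, qual_str = purl[4:].lstrip("/").partition("?")
    head, sep, tail = rest.rpartition("@")  # the version follows the last '@'
    path, version = (head, tail) if sep else (rest, "")
    segs = [unquote(s) for s in path.split("/")]
    if len(segs) < 2 or not segs[0] or not segs[-1]:
        raise ValueError("a PURL needs at least a type and a name")
    quals = {}
    for kv in filter(None, qual_str.split("&")):
        k, _, v = kv.partition("=")
        quals[k.lower()] = unquote(v)
    return {"type": segs[0].lower(), "namespace": "/".join(segs[1:-1]),
            "name": segs[-1], "version": unquote(version), "qualifiers": quals}
```

An RPM epoch such as 1:1.1.1k-7 is the case that trips up hand-written PURLs: the colon must be encoded as %3A inside the version.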

Understanding Package Results

Package results are organized into four tabs, each providing different perspectives on the package.

Details Tab

The Details tab shows core metadata about the package including its homepage URL, license information, architecture, and distribution. If the package is associated with any advisories, an advisory badge is displayed.

Dependencies Tab

The Dependencies tab lists all packages that this package depends on. The display shows the total dependency count and how many are direct dependencies. Each dependency is shown as a clickable card with its name and PURL, allowing you to drill into any dependency’s own provenance data.

Repository Tab

The Repository tab maps the package back to its upstream source code repository. This is a core feature of the Provenance Explorer — it answers the question "Where does this code actually come from?"

The mapping includes the source repository URL, a detection confidence score (0–100%), and the detection methods used (e.g., file_association, readme_github_search, tarball_url). The tab also lists all contributors to that repository, along with their commit counts.

Dependents Tab

The Dependents tab shows the reverse direction: which other packages depend on this one. This is critical for blast-radius analysis. If a vulnerability is found in a widely-used library, this tab tells you how many downstream packages could be affected.

Results are displayed in List or Grouped view, organized by package type and distribution. The total count of dependent packages is shown prominently at the top with a warning that changes to this package could affect downstream software.

Repository Analysis

The Repository Analysis page provides comprehensive intelligence about source code repositories. Enter a full repository URL (e.g., https://github.com/libarchive/libarchive.git) to retrieve contributor data, package associations, geographic distribution, and health metrics.

How to Search

  1. Navigate to Repositories in the left sidebar.
  2. Enter the full repository URL in the search field.
  3. Click Search.

Repository Overview

The repository header displays the repository name, description, advisory associations, and key statistics including star count, fork count, contributor count, and associated package count. Programming languages used in the repository are displayed as color-coded tags. Creation and last-updated dates are also shown.

Understanding Repository Tabs

Contributors Tab

Lists all contributors to the repository, showing their email addresses and commit counts. Each contributor is displayed with a numbered badge indicating their commit ranking. Click any contributor to navigate to their full Contributor Lookup profile.

Packages Tab

Shows all known packages that are built from this repository, across all ecosystems. Packages are grouped by type (apk, deb, rpm) and then by distribution. This answers the question: "What downstream packages are built from this source code?"

Geography Tab

The Geography tab provides a world map visualization showing where the repository’s contributors are located. Below the map, a detailed table breaks down contributor counts and percentages by country.

This tab is particularly valuable for national security analysts and CISOs who need to assess the geopolitical distribution of maintainers for critical software. It helps answer questions like: "How globally distributed is this project?" and "Are any maintainers located in regions of concern?"

Health Tab

The Health tab presents a comprehensive security and maintenance assessment of the repository. It includes the following categories:

  • OpenSSF Scorecard: An aggregate security score (0–10) from the Open Source Security Foundation, with individual check results for areas like branch protection, code review, CI tests, dependency updates, and more.
  • Activity Metrics: Last commit date, commit frequency (90/180/365 days), release cadence, issue close rate, PR merge rate, and whether the project is archived or deprecated.
  • Popularity: Stars, forks, watchers, dependent repo count, and active contributor count over the past 12 months.
  • Security Configuration: Whether the repo has a SECURITY.md file, security advisories, Dependabot alerts, and CI workflows.
  • Contributor Risk: Bus factor, single-maintainer risk flag, organization diversity among top contributors, new-maintainer flag, signed commit ratio, and count of contributors with breached credentials.
  • Code Hygiene: License, lockfile presence, .gitignore, repo size, and fork status.

For a complete description of all of our data, please see this article.

Advisories

The Advisories page allows you to search for and investigate NetRise security advisories. Advisories identify contributors, packages, or repositories that are associated with known supply chain threats or concerns.

How to Search

  1. Navigate to Advisories in the left sidebar.
  2. Enter an advisory ID (e.g., NETR-2024-0001) in the search field.
  3. Click Search.

Understanding Advisory Results

An advisory result includes the advisory name, description, and reference URLs for further reading. The core of the advisory view is its blast-radius analysis, displayed as six summary cards:

Metric                  Description
Direct Contributors     Contributors directly named in or associated with the advisory
Direct Packages         Packages directly affected by the advisory
Direct Repositories     Repositories directly affected by the advisory
Indirect Contributors   Contributors affected through transitive relationships
Indirect Packages       Packages affected through dependency chains
Indirect Repositories   Repositories affected through dependency chains

Below the summary cards, the advisory detail page shows expandable sections for Affected Contributors (with their email addresses and usernames), Affected Packages (with counts for directly and indirectly affected packages), and Affected Repositories (with counts for directly and indirectly affected repositories).

Note (Direct vs. Indirect): A "Direct" association means the entity is explicitly named in or linked to the advisory. An "Indirect" association means the entity is affected through a dependency relationship — for example, a package that depends on a directly affected package.
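The following is an added example, not NetRise's code, showing how the six blast-radius cards can be derived from the direct/indirect definitions above: direct entities are the ones the advisory names, and indirect packages are reached by walking the dependents graph transitively. Deriving indirect repositories and contributors from the indirect packages' source repositories is an assumption made here, and all package, repository and contributor data is constructed.

```python
from collections import deque
from typing import Dict, Set

# Added example, not NetRise code: derive the six summary-card sets from
# constructed data. The page defines "direct" as named in the advisory and
# "indirect" as reached through dependency chains; treating the indirect
# packages' source repos, and those repos' contributors, as the indirect
# repositories and contributors is an assumption made here.

# Constructed sample data: package -> packages it depends on
DEPENDS_ON = {
    "pkg:deb/debian/libbar@0.9-1": set(),
    "pkg:deb/debian/libfoo@2.1-3": {"pkg:deb/debian/libbar@0.9-1"},
    "pkg:deb/debian/app-a@1.0-1": {"pkg:deb/debian/libfoo@2.1-3"},
    "pkg:deb/debian/app-b@3.2-2": {"pkg:deb/debian/app-a@1.0-1"},
}
# Constructed sample data: package -> upstream repo, repo -> contributor emails
PACKAGE_REPO = {
    "pkg:deb/debian/libbar@0.9-1": "https://example.invalid/libbar",
    "pkg:deb/debian/libfoo@2.1-3": "https://example.invalid/libfoo",
    "pkg:deb/debian/app-a@1.0-1": "https://example.invalid/app",
    "pkg:deb/debian/app-b@3.2-2": "https://example.invalid/app",
}
REPO_CONTRIBUTORS = {
    "https://example.invalid/libbar": {"bar@example.invalid"},
    "https://example.invalid/libfoo": {"foo@example.invalid", "bar@example.invalid"},
    "https://example.invalid/app": {"app@example.invalid"},
}

def reverse_deps(graph: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    # Invert the graph: package -> packages that depend on it (its dependents)
    rev: Dict[str, Set[str]] = {p: set() for p in graph}
    for pkg, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev

def blast_radius(direct_packages: Set[str], direct_repos: Set[str],
                 direct_contributors: Set[str]) -> Dict[str, Set[str]]:
    rev = reverse_deps(DEPENDS_ON)
    seen, queue, indirect_pkgs = set(direct_packages), deque(direct_packages), set()
    while queue:  # breadth-first walk over transitive dependents
        for dependent in rev.get(queue.popleft(), ()):
            if dependent not in seen:
                seen.add(dependent); indirect_pkgs.add(dependent); queue.append(dependent)
    indirect_repos = {PACKAGE_REPO[p] for p in indirect_pkgs if p in PACKAGE_REPO} - direct_repos
    indirect_contribs = set().union(
        *(REPO_CONTRIBUTORS.get(r, set()) for r in indirect_repos)) - direct_contributors
    return {"direct_packages": set(direct_packages), "indirect_packages": indirect_pkgs,
            "direct_repositories": set(direct_repos), "indirect_repositories": indirect_repos,
            "direct_contributors": set(direct_contributors), "indirect_contributors": indirect_contribs}
```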

Confidence Scoring

Many responses from the Provenance API include an AttributionMetadata object containing a confidence score (0–100) and a list of methods. This section explains how those values are calculated.

How It Works

The system attributes qualities to entities (such as a location to a contributor, or a repository to a package) using multiple independent methods. Each method runs independently and may produce a different result. The scoring pipeline fuses these results into a normalized confidence distribution using a naive Bayes-style approach.
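The following is an added example, not NetRise's scoring code, illustrating the naive Bayes-style fusion described above: each method's candidate is treated as an independent noisy witness, the candidates are scored under a uniform prior, and the scores are normalized into a confidence distribution, with the winner reported as a 0–100 confidence plus the methods that support it. The method names are the ones the Repository tab lists; their accuracies are assumed values, not the pipeline's real weights.

```python
from math import prod
from typing import Dict, List, Optional, Tuple

# Added example, not NetRise's scoring code. The per-method accuracies below are
# assumed for illustration (probability a method is right when it returns a
# result); the page does not publish the pipeline's real weights.
METHOD_ACCURACY = {
    "tarball_url": 0.95,
    "file_association": 0.80,
    "readme_github_search": 0.60,
}
UNKNOWN = "<none of the candidates>"  # hypothesis that every method is wrong

def fuse(results: Dict[str, str],
         accuracy: Dict[str, float] = METHOD_ACCURACY
         ) -> Tuple[Optional[str], int, List[str]]:
    """Fuse one output per method into an AttributionMetadata-like result.

    results maps method name -> the candidate that method proposed (e.g. a
    repository URL). Returns (best candidate or None if no candidate wins,
    confidence 0-100, methods backing the best candidate).
    """
    if not results:
        raise ValueError("no method produced a result")
    hypotheses = sorted(set(results.values())) + [UNKNOWN]
    scores = {}
    for h in hypotheses:
        # Uniform prior; each method is a conditionally independent noisy
        # witness: likelihood = accuracy when its output matches the
        # hypothesis, 1 - accuracy otherwise (a simplification: all wrong
        # outputs are lumped together rather than spread over candidates).
        scores[h] = prod(accuracy[m] if out == h else 1.0 - accuracy[m]
                         for m, out in results.items())
    total = sum(scores.values())
    posterior = {h: s / total for h, s in scores.items()}  # normalized distribution
    best = max(posterior, key=posterior.get)
    confidence = round(100 * posterior[best])
    if best == UNKNOWN:
        return None, confidence, []
    return best, confidence, sorted(m for m, out in results.items() if out == best)
```

With these assumed weights a lone readme_github_search hit scores 60, two agreeing strong methods score 99, and a disagreement between tarball_url and readme_github_search still resolves to the tarball candidate at 88.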
