ECS follows a simple hierarchy pattern to organize data. The pattern is shown in the following diagram. In the Enterprise edition each level may have an unlimited number of members. The other levels might see individual limits.
However, the leaf of the hierarchy always is the component.This might either be something your developers have build or a component that was taken from any of the open source repositories. The component itself may consist of other components, ECS will resolve the complete dependency tree. But it will not go further. Licenses and vulnerabilities are associated with components.
Several components constitute a module. This in general will represent / equal a deployment artifact and therefor usually will be processed with one technology in one build, e.g. the frontend using angular, a backend module using java or C#. You match your scans on that level using API-keys for your scanners.
You also may add infrastructure modules at this level. Assuming you are using a tomcat runtime or an apache webserver, you can add these as so called infrastructure modules. See here for more information.
Several modules combine to a project. This might be a particular software solution or an area of application, such as a virtual appliance. On the project level typically decisions like licensing, usage and budget control are made. That is why we have several settings allowed on this level which then will automatically populate the module settings, such as white- and blacklists or the legal questionnaire. Reports typically are run on project level.
A Corporation equals a single legal entity. It may run several projects and may own a corporate wide black- and whitelist which propagates automatically on project and module level. Exemptions can be arranged, but will require additional confirmation.
An Enterprise may consist of several legal entities, respectively corporations, allowing access for more than one legal entity under one billing umbrella. Please contact sales for more details.