The Sonatype IQ Server requires that each component considered "matched" have a GAV recognized by the Sonatype IQ Server. These matches can be exact or similar. When a component has no GAV, it is considered "unknown" to the Sonatype IQ Server. This is important, because you should know every component that exists in your applications.
However, a situation arises where components are identified as proprietary (based on your proprietary component configuration), yet still remain unknown. This is because they haven’t been given a GAV, something the Sonatype IQ Server needs to truly consider a component "matched".
While some organizations choose to do so, it is not necessary for you to claim every component. This can be handled by policy. If you are using the Sonatype reference polices, it’s already included for you in the "Unknown" policy.
What allows proprietary components to remain "unknown", but pass this policy without violation is the second condition:
"Proprietary" "is false".
In other words, if the component is NOT proprietary, and is also unknown, a violation will occur.
You can add the same option to any policy. You just need to make sure a constraint has added the proprietary condition and set to match all conditions.