Documentation Nexus IQ Server 1.16

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

4.4. Stages of CLM Adoption and Performance

When first implementing CLM, and then establishing it as an ongoing process, a number of stages and actions are commonly required:

Integrate Sonatype CLM Sample Policy

What tends to be the most difficult part for new users of Sonatype CLM is something that is developed outside the application: policies. Policies are a set of rules that you expect a component to meet in the context of a particular application. These rules should include the level of risk you are willing to accept. Given this, a policy starts as a statement of what you do and do not want included in your applications. This is dynamic, though: over time your policies will change and evolve to adapt to your business. So, instead of trying to determine all of that upfront, make your first stage one of seeking out the sample policies we have provided to get you started.

Improve Component Selection

With policies created (or, ideally, the sample policies implemented), it can be tempting to call a full stop on development whenever something negative is found. While that is one approach, it is not the recommended path. Instead, start by implementing only the developer set of CLM tools. This allows you to expose your development teams to the information Sonatype CLM provides. When they encounter components that would violate a policy, it will be apparent, and they will be able to easily select alternatives by quickly finding the best version. Development teams want to do the best job they can, and this stage puts them first and foremost in improving your applications, the way it should be.
Establish Component Inventory and Governance

The component selection phase allowed the development team to make better choices about the components they use. Now that they are familiar with the type of information Sonatype CLM provides, it is time to start tracking the inventory and approval of components used in the applications that make up the enterprise.

Sonatype CLM provides tools that integrate into build and release management systems to validate and ensure that the components in use are approved by Sonatype CLM policy. Governance sets the expectations for which components will be approved and opens the dialog with development teams about the business justification for why a risky component should be allowed.

Monitor Component Usage

At this point, you also need to make sure that security and licensing policies have been established and are continually reviewed and updated. This works most effectively if carried out during your ongoing development efforts, as well as for any components already in production. Ultimately, this allows you both to preemptively address issues and to react to any that are newly discovered. Remember to evaluate your applications often, and at major milestones during development (e.g. during builds and when staging a release). In this final stage, you should begin to consider putting in place the gates that Sonatype CLM provides, striking a balance between fluid ongoing development and keeping unwanted components out of released software.