Documentation Nexus IQ Server 1.16

The CLM Book - Optimized Component Lifecycle Management with Sonatype CLM


Preface
1. How to Use This Book
2. Downloads
3. Sonatype CLM - Requirements
3.1. CLM Server
3.2. CLM Web Application
3.3. REST API Versioning
3.4. Command Line Scanner Requirements
3.5. Sonatype CLM for Eclipse Requirements
3.6. Sonatype CLM for Hudson / Jenkins Requirements
3.7. Sonatype CLM for Maven Requirements
3.8. Sonatype CLM for Nexus Pro Requirements
3.9. Sonatype CLM for SonarQube Requirements
4. Component Lifecycle Management
4.1. Increasing Component Usage and Open Source Components
4.2. Security Vulnerability and License Compliance Risks
4.3. Complicating Factors for CLM
4.4. Stages of CLM Adoption and Performance
4.5. The Four Requirements for True Component Lifecycle Management
4.6. Sonatype and Sonatype CLM
4.6.1. Who is Sonatype?
4.6.2. What is Sonatype CLM?
4.6.3. How does Sonatype CLM work?
4.6.4. Which component ecosystems does Sonatype CLM support?
4.7. Conclusion
5. Sonatype CLM - Server Setup
5.1. CLM Server Installation and Configuration
5.1.1. Starting CLM Server
5.1.2. License Installation
5.1.3. CLM Server Directories
5.1.4. Running the CLM Server as a Service
5.2. Configuration
5.2.1. Initial Configuration of CLM Server
5.2.2. Running the CLM Server Behind an HTTP Proxy Server
5.2.3. Setting the Base URL
5.2.4. Reverse Proxy Authentication
5.2.5. Appending a User Agent String
5.2.6. File Configuration
5.2.7. Email Configuration
5.2.8. Logging Configuration
5.2.9. HTTP Configuration
5.2.10. HTTPS/SSL
5.2.11. Anonymous Access
5.2.12. CSRF Protection
5.3. Backing Up the CLM Server
5.4. Upgrading the CLM Server
5.4.1. Upgrade Paths
Upgrading from Sonatype CLM 1.9x or Later
Upgrading from Sonatype CLM 1.8x
Upgrading from Sonatype CLM 1.7x and 1.6x
Upgrading from Sonatype CLM 1.5x or Earlier
6. Sonatype CLM - Security Administration
6.1. User Management
6.1.1. Logging in to Sonatype CLM
6.1.2. Viewing Notifications
6.1.3. Changing the Admin Password
6.1.4. Creating a User
6.1.5. Editing and Deleting User Information
6.2. LDAP Integration
6.2.1. Configuring the LDAP Server Connection
6.2.2. LDAP Configuration Parameters
6.2.3. Mapping LDAP Users to Sonatype CLM
6.2.4. LDAP User Parameters
6.2.5. Mapping LDAP Groups to Sonatype CLM
6.2.6. LDAP Group Parameters
Static Groups
Dynamic Groups
6.2.7. Verifying LDAP Configuration
Test Connection
Check User and Group Mapping
Check Login
6.3. Role Management
6.3.1. Viewing Role and Permission Descriptions
6.3.2. Assigning Users to Roles
6.3.3. Creating Custom Roles
6.3.4. Excluding Groups from Search Results
7. Organization and Application Management
7.1. Hierarchy
7.2. Inheritance
7.3. Applications, Evaluations, and Reports
7.4. Creating an Organization
7.5. Creating an Application
7.6. Viewing Organizations and Applications
8. Sonatype CLM - Basic Policy Management
8.1. Risk and Organizational Intent
8.2. Basic Policy Anatomy
8.3. Advanced Anatomy of a Policy
8.4. Importing Policy
8.4.1. Sonatype Sample Policy Set
8.4.2. Importing a Policy to an Organization
8.4.3. Importing a Policy to an Application
8.5. Policy Creation
8.5.1. Step 1: Understand the Policy Intent
8.5.2. Step 2: Decide on a Descriptive Policy Name
8.5.3. Step 3: Choose an Appropriate Threat Level
8.5.4. Step 4: Choose the Application Matching Parameters
8.5.5. Step 5: Create Constraints with Conditions
8.5.6. Step 6: Set Policy Actions And Notifications
8.5.7. The Final Step: Avoiding Policy Micromanagement
8.6. Evaluating Applications
8.7. Reviewing Evaluation Results
8.8. Policy Monitoring
8.8.1. Set Up Policy Monitoring for an Application
8.8.2. Configuring Notification Times
9. Sonatype CLM - Advanced Policy Management (Labels, License Threat Groups, and Tags)
9.1. Labels
9.1.1. Creating, Editing, and Deleting a Label
9.1.2. Creating a Condition Based on a Label
9.2. License Threat Groups
9.2.1. Creating, Editing, and Deleting a License Threat Group
9.2.2. Creating a Condition Based on a License Threat Group
9.2.3. Creating a Condition Based on an Unassigned License Threat Group
9.3. Tags
9.3.1. Creating, Editing, and Deleting Tags
9.3.2. Applying a Tag
9.3.3. Matching Policies to Specific Applications
9.3.4. Viewing Tag-based Policies
10. Sonatype CLM - Dashboard
10.1. Accessing the Dashboard
10.2. Viewing CLM Data in the Dashboard
10.2.1. Filters
10.2.2. Visual Overview
10.3. Highest Risk Violations
10.3.1. Newest
10.3.2. By Component
10.3.3. By Application
10.4. Viewing Component Details
11. Sonatype CLM - Report
11.1. Accessing an Application Composition Report
11.2. Reviewing a Report
11.2.1. Summary Tab
11.2.2. Policy Tab
11.2.3. Security Issues Tab
11.2.4. License Analysis Tab
11.3. Printing and Reevaluating the Report
11.4. The Component Information Panel (CIP)
11.5. Resolving Security Issues
11.5.1. Security Issues
11.5.2. The Component Information Panel (CIP)
11.5.3. Editing Vulnerability Status
11.5.4. Matching to Violations
11.6. License Analysis Tab
11.6.1. License Threat Group
11.6.2. License Analysis
11.6.3. The Component Information Panel (CIP)
11.6.4. Editing License Status and Information
11.7. Component Identification
11.7.1. Matching Components
11.7.2. Managing Proprietary Components
11.7.3. Claiming a Component
11.8. Label Overview
11.8.1. Where do labels begin?
11.8.2. Assigning a Label
11.9. Waivers
11.9.1. A Use Case for Waivers
11.9.2. Adding a Waiver
11.9.3. Viewing and Removing a Waiver
11.10. Policy Reevaluation
11.11. Sonatype CLM PDF Report
11.11.1. Creating the PDF
11.11.2. Reviewing the PDF
12. Sonatype CLM and Repository Management
13. Sonatype CLM for Nexus Pro
13.1. Repository Health Check (RHC) vs. Sonatype CLM
13.2. Connecting Nexus to CLM Server
13.3. Accessing CLM Component Information
13.4. The Component Information Panel (CIP)
13.5. Component Details (CLM)
13.6. Sonatype CLM for Nexus Staging
13.6.1. Staging Profile Configuration
13.6.2. Policy Actions for Staging
13.7. Policy Actions for Release Repositories
14. Sonatype CLM and Continuous Integration
15. Sonatype CLM for Bamboo
15.1. Install Sonatype CLM for Bamboo
15.2. Configure Sonatype CLM for Bamboo
15.3. Adding the Sonatype CLM Analysis Task
15.4. Reviewing CLM Policy Results
16. Sonatype CLM for Hudson and Jenkins
16.1. Installation
16.2. Global Configuration
16.3. Job Configuration
16.4. Inspecting Results
17. Sonatype CLM and IDEs
18. Sonatype CLM for Eclipse
18.1. Installing Sonatype CLM for Eclipse
18.2. Configuring Sonatype CLM for Eclipse
18.3. Using the Component Info View
18.4. Filtering the Component List
18.5. Searching for Component Usages
18.6. Inspecting Component Details
18.7. Migrating to Different Component Versions
19. Sonatype CLM for SonarQube
19.1. Installation
19.2. Configuration
19.3. Proxy Configuration
19.4. Select the CLM Application
19.5. Add and Configure the Sonatype CLM Widget
19.6. Accessing the Application Composition Report
20. Sonatype CLM for CLI
20.1. Downloading Sonatype CLM for CLI
20.2. Locating Your Application Identifier
20.3. Evaluating an Application
20.3.1. Additional Options
20.4. Example Evaluation
20.5. Using Sonatype CLM for CLI with a CI Server
21. Sonatype CLM for Maven
21.1. Evaluating Project Components with Sonatype CLM Server
21.1.1. Authentication
21.1.2. Simplifying Command Line Invocations
21.1.3. Skipping Executions
21.2. Creating a Component Index
21.2.1. Excluding Module Information Files in Continuous Integration Tools
21.3. Creating a Component Info Archive for Nexus Pro CLM Edition
21.4. Using Sonatype CLM for Maven with Other IDEs
21.4.1. Maven Plugin Setup
21.4.2. IntelliJ IDEA
21.4.3. NetBeans IDE
22. Sonatype CLM REST APIs
22.1. Component Search REST APIs (v1)
22.2. Component Information API (v1)
22.3. Application REST APIs (v1)
22.4. Violation REST API (v1)
22.5. Supported Component Identifiers
22.6. Component Search REST APIs (v2)
22.7. Component Details API (v2)
22.8. Component Evaluation REST APIs (v2)
22.9. Application REST APIs (v2)
22.10. Violation REST API (v2)
22.11. Report-related REST APIs (v2)
A. Copyright