Documentation Nexus IQ Server 1.16

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

11.11. Sonatype CLM PDF Report

In some implementations of Sonatype CLM, not everyone will have access to the CLM Server or any of the integrated enforcement points, and in turn, any of the associated reports. However, certain individuals or teams would likely still benefit from the information the CLM Report provides. Even if that’s not your particular situation, you may reach a point where you would like to produce an archive of a report for historical and audit purposes. Given this need, every report you produce with Sonatype CLM can be converted into a PDF.

Though the information presented in both the web application and the PDF are nearly identical, there are a few difference, mainly formed out of the contrasting visual and layout capabilities of a web application versus PDF. Below, we’ll discuss how to create this PDF version as well as highlight some of the differences between the two.

11.11.1. Creating the PDF

If you’ve been working with Sonatype CLM for a while, you might have started to notice a set of blue icons in the top right of every report. While the first icon is related to reevaluating the report, the button onm the right allows you to create a PDF version of the report. Simply, click on this button figs/web/app-comp-report-pdf-button-icon.png and Sonatype CLM will prompt your browser to download a PDF version of the report.

[Note]

The report filename will be unique each time you use the button. However, in general the report will include the job name, build number, and the timestamp associated with the results. For example, clm-0-20131017-140140.pdf

11.11.2. Reviewing the PDF

The information provided by the PDF is identical to information that is provided within the application composition report in the application user interface. This includes the Summary, Policy, Security Issues, and License Analysis tabs. Within the PDF, the order of information is presented top to bottom, following the logic of the report tabs from left to right. With the exception of the first page, which provides the Summary, each section has a label to indicate the corresponding tab of the Application Composition Report:

Policy Violations
displays a list of all policy violations, ordered by threat level, for each component.
Security Issues
displays a list of all security issues, ordered by SV score, for each component.
License Analysis
displays a list of components, ordered by threat level of the associated license threat group for the license(s) for the component.
Components
lists all components identified during the scan, as well as a summary of the data provided in the other tabs.

Summary. The summary section is identical to the HTML version of the report and visible in Figure 11.43, “Summary Section of a Application Composition Report in PDF Format”

figs/web/app-comp-report-pdf-summary.png

Figure 11.43. Summary Section of a Application Composition Report in PDF Format


Policy Violations. The Policy Violations section as visible in Figure 11.44, “Policy Violations Section of a Application Composition Report in PDF Format” displays the details for all scanned components. This matches the data displayed in the Policy tab of the Component Information Panel (CIP). It should be noted, that depending on the number of violations in your application, this section could be very long.

figs/web/app-comp-report-pdf-policy-violations.png

Figure 11.44. Policy Violations Section of a Application Composition Report in PDF Format


Security Issues. The Security Issues section displays a breakdown of all security issues found in the scan of the application, matching what is displayed in the HTML version of the report. An example is available in Figure 11.45, “Security Issues Section of a Application Composition Report in PDF Format”

figs/web/app-comp-report-pdf-security-issues.png

Figure 11.45. Security Issues Section of a Application Composition Report in PDF Format


License Analysis. The License Analysis section displays a breakdown of all license issues found in the scan of the application, matching what is displayed in the HTML version of the report. It should be noted that depending on your license threat groups, and license assignments, this section of the report could be very long. A short example is displayed in Figure 11.46, “License Analysis Section of a Application Composition Report in PDF Format”.

figs/web/app-comp-report-pdf-license-analysis.png

Figure 11.46. License Analysis Section of a Application Composition Report in PDF Format


Components. As mentioned above, this section brings together information from all the others. It displays the highest security issue identified (and the associated CVS Score), any declared and/or observed licenses (and the highest threat level of the associated), the match state, age, and the policy violation counts for each threat level band (red, orange, yellow, and blue) for each component. An example is displayed in Figure 11.47, “Components Section of a Application Composition Report in PDF Format”. In most cases this section can be used as a detailed bill of materials.

figs/web/app-comp-report-pdf-components.png

Figure 11.47. Components Section of a Application Composition Report in PDF Format


[Note]

In some cases a URL for the project is provided. This is indicated by an information icon figs/web/app-comp-report-pdf-info-icon.png.