Documentation Nexus IQ Server 1.19

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

7.1. Risk and Organizational Intent

To establish a better understanding of risk within a paradigm of component management, we need to identify the various avenues of risk a component can have. The most common are security, licensing and architectural considerations.

Of course, we shouldn’t limit our thinking to these three alone, and in the long term you will define those specific to your organization. However, they will serve us well to get started.

When creating policies, we need to consider what risk we want reported and how we want it reported. Take a look at these very simple example policies, one each for licensing, security, and architecture. These are fairly common, and may be something you have in your own organization, even if you haven’t committed to them with pen and paper.

Licensing
  • Don’t allow distributed code to have GPL
  • Only allow GPL that has a Commercial license
Security
  • Don’t allow components with a CVSS score > 7
Architecture
  • Don’t allow components that are older than 5 years
  • Don’t allow Struts version 2.3.15.1

The above policies represent an organizational intent to not allow GPL or highly insecure components. They further qualify that old components and a specific version of Struts are not to be used. In this way, our three policies are actually working together to form an overall policy approach.
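To show how the three policies combine into one overall evaluation, here is an added example (not Sonatype's code; IQ Server configures policies through its own UI and data model, which this does not reproduce). The component fields, the policy names and the sample components are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Tuple

# Hypothetical component metadata record, not IQ Server's schema.
@dataclass
class Component:
    name: str
    version: str
    licenses: Tuple[str, ...]
    cvss: float                     # highest CVSS score among known vulnerabilities
    released: date
    commercial_license: bool = False  # GPL code also obtained under a commercial license

@dataclass
class Policy:
    name: str
    category: str
    violated: Callable[[Component, date], bool]  # True when the component breaks the rule

def gpl_without_commercial(c: Component, today: date) -> bool:
    # "Don't allow GPL" unless "GPL that has a Commercial license".
    return any(lic.startswith("GPL") for lic in c.licenses) and not c.commercial_license

POLICIES = [
    Policy("No GPL in distributed code", "Licensing", gpl_without_commercial),
    Policy("CVSS above 7", "Security", lambda c, t: c.cvss > 7),
    Policy("Older than 5 years", "Architecture",
           lambda c, t: (t - c.released).days > 5 * 365),
    Policy("Banned Struts 2.3.15.1", "Architecture",
           lambda c, t: c.name == "struts2-core" and c.version == "2.3.15.1"),
]

def evaluate(component: Component, today: date, policies=POLICIES) -> List[str]:
    """Return the names of every policy the component violates, in policy order."""
    return [p.name for p in policies if p.violated(component, today)]

# Constructed sample data; the CVSS values and dates are illustrative only.
TODAY = date(2018, 1, 1)
STRUTS = Component("struts2-core", "2.3.15.1", ("Apache-2.0",), 9.8, date(2013, 7, 16))
OLD_GPL = Component("legacy-parser", "1.0", ("GPL-3.0",), 0.0, date(2010, 1, 1))
CLEAN = Component("commons-io", "2.5", ("Apache-2.0",), 4.0, date(2016, 4, 22))

if __name__ == "__main__":
    for comp in (STRUTS, OLD_GPL, CLEAN):
        print(f"{comp.name} {comp.version}: {evaluate(comp, TODAY) or 'no violations'}")
```

Each violation is reported under its policy category, so the report shows which of the three intents a component breaks rather than a single pass/fail.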

As you move on to create your own policies, it becomes very important to think about how policies can build upon each other. In many ways this is a holistic approach, something that rules simply can’t do.