Documentation Nexus IQ Server 1.20

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

7.2. Getting Started with Policies

To get started with policies in IQ Server, it is strongly recommended that you download and import the Sample Policy Set into an organization, as described in the section below. Creating policies from scratch can be a complex and labor-intensive process, and the Sample Policy Set will give you a head start.

To begin, there are several fundamental questions to ask yourself about risk and the components you use:

  • What types of risks do you want to know about: security vulnerabilities, licensing problems, quality issues (like age or popularity), or something else?
  • At what stage in the development lifecycle do you want to know about those risks?
  • How severe do you think those risks are?
  • What actions do you want to take? Receive a warning? Stop a build?
  • Who should be notified of those risks? Particular individuals or whole groups?
  • Do you want to constantly monitor inventoried components for new risk?
  • How should the policies be applied in the system hierarchy? Globally, at the root organization level? More narrowly, at the organization level? Or even more narrowly, at the application level?

7.2.1. Downloading the Sample Policy Set

You can download the sample policy set into an organization from here:

Sonatype-Sample-Policy-Set.json

The sample set contains policies for detecting and managing security, licensing, architectural, and popularity issues and includes some advanced policy features like application categories, component labels, and license threat groups. This policy set can help you gather information about the components used to build applications (including unknown and patched components), and understand how policy management will work for your environment.

Once the Sample Policy Set is downloaded, you can import it by following the instructions in the next section.

[Tip]

The Sonatype Sample Policy Set is designed for use at the organization level. If you try to import the sample set into an application, you will receive an error message.

7.2.2. Importing Policies

After you acquire a policy file (in a .json format) such as the Sample Policy Set, follow these steps to import it into IQ Server.

  1. Log into IQ Server using an account that has permission to import policies into a specific organization or application (including the Root Organization). At a minimum, the account should be assigned to the Owner role of the organization or application.
  2. Click the Manage Applications and Organizations icon on the IQ Server toolbar.
  3. In the sidebar, click the organization (or application) into which you want to import the policy.
  4. Click the Actions menu and select Import Policies. The Import Policy dialog is displayed as shown in the figure below.
  5. Click the Choose File button and select the policy .json file in the file browser.
  6. Click the Import button.

Figure 7.1. Import Policy Dialog


Rules for Importing Policies

If you want to import policies into an organization or application with existing policies (or application categories, component labels, and/or license threat groups), you should consider the following rules:

Importing Policies into an Organization
  • Existing policies will be deleted during the import procedure.
  • Importing policies also includes application categories, component labels, and license threat groups for which the following logic is used:

    • Application Categories - IQ Server attempts to match application categories against existing ones in a case-insensitive manner. This allows for updating the description or color of existing application categories, while preserving any current matching of categories between policies and applications.
    • Component labels - IQ Server attempts to match component labels against existing ones in a case-insensitive manner. This allows for updating the description or color of existing component labels, while preserving any triage effort already done to apply these labels to components. If your import contains component labels that aren’t already present in the system, they will be created.
    • License Threat Groups - IQ Server will delete all existing license threat groups, and then import the new ones.

Importing Policies into an Application
  • Duplication of organization policies is not allowed.
  • When a policy is imported, any existing application policies are deleted and replaced with the imported one.
  • For importing component labels, the same logic applies as at the organization level. That is, IQ Server attempts to match component labels against existing ones in a case-insensitive manner. This allows for updating the description or color of existing component labels, while preserving any triage effort already done to apply these labels to components. If your import contains component labels that aren’t already present in the system, they will be created.
  • Attempting to import policies that contain application categories will cause the entire import to fail.
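The rules above are easy to misread in the middle of a migration, so a dry-run that spells out what an import would delete, update, create or reject is a useful preflight. The following Python is an added example written for this page; it is not Sonatype code and the dict shapes it uses (keys such as "policies", "componentLabels", "applicationCategories", "licenseThreatGroups", each entry with "name", "description" and "color") are constructed for illustration, not the real IQ Server export format. Two interpretations are assumptions and are marked as such in the code: existing labels or categories that the import does not mention are left untouched, and "duplication of organization policies" is modelled as an imported application policy whose name matches an inherited organization policy.

```python
"""Dry-run of the IQ Server policy-import rules described above.

Constructed example: the dict shapes used here are invented for
illustration and are NOT the real IQ Server policy export format.
"""
from __future__ import annotations

from typing import Any


class PolicyImportError(Exception):
    """Raised when the rules say the entire import would be rejected."""


def _names(items: list[dict[str, Any]]) -> list[str]:
    return [item["name"] for item in items]


def merge_by_name(existing: list[dict], incoming: list[dict]):
    """Case-insensitive match on name, as described for application
    categories and component labels.

    A matched entry keeps its existing name spelling (so references to it,
    such as labels already applied during triage, survive) and takes the
    imported description/color; an unmatched incoming entry is created.
    ASSUMPTION: existing entries the import does not mention are kept.
    Returns (merged_list, updated_names, created_names).
    """
    by_key = {e["name"].casefold(): dict(e) for e in existing}
    merged, updated, created = [], [], []
    for item in incoming:
        key = item["name"].casefold()
        if key in by_key:
            entry = by_key.pop(key)
            for attr in ("description", "color"):
                if attr in item:
                    entry[attr] = item[attr]
            updated.append(entry["name"])
        else:
            entry = dict(item)
            created.append(entry["name"])
        merged.append(entry)
    merged.extend(by_key.values())  # untouched existing entries (assumption)
    return merged, updated, created


def dry_run_import(target: str, existing: dict, incoming: dict,
                   inherited_org_policies: list[str] | None = None) -> dict:
    """Summarise what importing `incoming` into `existing` would do.

    target is "organization" or "application".  inherited_org_policies lists
    the organization policies an application already inherits; a name clash
    is treated as the forbidden duplication of organization policies
    (ASSUMPTION about how that rule is evaluated).
    """
    if target not in ("organization", "application"):
        raise ValueError(f"unknown target kind: {target!r}")

    if target == "application":
        if incoming.get("applicationCategories"):
            raise PolicyImportError(
                "import contains application categories; the entire import fails")
        clashes = sorted(set(_names(incoming.get("policies", [])))
                         & set(inherited_org_policies or []))
        if clashes:
            raise PolicyImportError(f"duplicates organization policies: {clashes}")

    summary: dict[str, Any] = {}
    # Policies: existing ones are deleted and replaced by the imported set.
    summary["policies_deleted"] = _names(existing.get("policies", []))
    summary["policies_imported"] = _names(incoming.get("policies", []))

    # Component labels: case-insensitive merge at both levels.
    labels, updated, created = merge_by_name(
        existing.get("componentLabels", []), incoming.get("componentLabels", []))
    summary["labels_updated"] = updated
    summary["labels_created"] = created
    summary["labels_after"] = _names(labels)

    if target == "organization":
        _, updated, created = merge_by_name(
            existing.get("applicationCategories", []),
            incoming.get("applicationCategories", []))
        summary["categories_updated"] = updated
        summary["categories_created"] = created
        # License threat groups: all existing ones deleted, then new ones imported.
        summary["license_threat_groups_deleted"] = _names(
            existing.get("licenseThreatGroups", []))
        summary["license_threat_groups_imported"] = _names(
            incoming.get("licenseThreatGroups", []))
    return summary


# Constructed sample data (not the real Sample Policy Set).
EXISTING_ORG = {
    "policies": [{"name": "Old Security Policy"}],
    "componentLabels": [
        {"name": "Architecture-Cleanup", "color": "red", "description": "old text"},
        {"name": "Triaged", "color": "green"},
    ],
    "applicationCategories": [{"name": "Internal", "color": "blue"}],
    "licenseThreatGroups": [{"name": "Copyleft"}],
}
INCOMING = {
    "policies": [{"name": "Security-High"}, {"name": "License-Banned"}],
    "componentLabels": [
        {"name": "architecture-cleanup", "color": "orange", "description": "new text"},
        {"name": "Legacy", "color": "grey"},
    ],
    "applicationCategories": [{"name": "internal", "color": "purple"}],
    "licenseThreatGroups": [{"name": "Weak Copyleft"}, {"name": "Non-Standard"}],
}

if __name__ == "__main__":
    import json
    print(json.dumps(dry_run_import("organization", EXISTING_ORG, INCOMING), indent=2))
    try:
        dry_run_import("application", {"policies": []}, INCOMING)
    except PolicyImportError as exc:
        print("application import rejected:", exc)
```

Running the script against the constructed data shows the organization import deleting "Old Security Policy" and "Copyleft", updating the existing "Architecture-Cleanup" label in place (its case-different spelling in the import is matched, and the new colour and description are applied) and creating "Legacy", while the same file is rejected outright for an application because it carries application categories.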