Logo Sonatype CLM Optimized Component Lifecycle Management with Sonatype CLM
Documentation Index
Sonatype CLM Downloads
Document Descriptions
Release Notes

Sonatype CLM Server
Installation and Deployment Guide
Security Administration Guide
Policy Management Guide
Report User Guide

CI User Guide

IDE User Guide

Repository Manager User Guide

Nine Steps For Open Source Governance
Optimized Component Lifecycle Management with Sonatype CLM

Optimized Component Lifecycle Management with Sonatype CLM

3.6. Policy Elements

One of the more interesting pieces of Sonatype CLM Policy, and something we’ve only alluded to in a number of our guides, is policy elements. At this time there two specific policy elements we can work with:

  • Labels
  • License Threat Groups
  • Tags

These elements are unique in that they have both links to policy as well as general Sonatype CLM functionality. Let’s take a closer look at each one of these.

3.6.1. What is a Label?

We just learned all about creating policies. Constraints, conditions and even actions, all make a lot of sense, but what in the world could labels have to do with policy?

Well, labels are actually one of the more powerful features of Sonatype CLM. They should have a familiar look, since you’ve likely used other systems that employ a sort of tagging or labeling.

Labels are metadata. More specifically a label is metadata that is assigned to a component within the context of a particular application or organization. Labels can assist with identifying components you want to review, approve, or even avoid altogether. We call this label assignment.

When labels are assigned, this is an action that takes place in the application composition report. Before it can be assigned though, a label needs to exist for a particular organization or application.

As we learned in our section regarding Organizations vs. Applications, inheritance plays a big role in policy. The same thing is true for labels, in that if a label is created in an organization, any application attached to that organization will also have the label available for use when assigned. In fact, the system will prompt you to choose the scope (organization or application) a label should exist in when it is assigned.

3.6.2. Creating a Label

Now, assigning a label is an important action, but how do we build policy around this? That’s actually simple, we just add a condition, based on a specific label that you have created, being present. The one caveat, is that the label needs to exist within the application or the organization in which you are creating the condition.

  1. Log in to the Sonatype CLM Server (by default this is available at http://localhost:8070) using a user account with at least Owner-level permissions for the organization or application (a member of the Owner Group).
  2. Click on the Organizations (or Applications) link, and then click on the organization (or application) you want to add the label to.
  3. Click the Labels tab, and then the New Label button.
  4. Enter Architecture-Approved for the name in the input field with the value Enter Label Name. Note that the name can not contain any space characters.
  5. Add an optional description, and choose a color from the displayed samples by clicking on your choice.
  6. When everything is done you screen should look like Figure 3.8, “Creating a Label” and you can click the Save button to finish.
  7. To edit a label you can just click on it in the displayed list and will be taken back to the edit screen.
figs/web/clm-server-label-create.png

Figure 3.8. Creating a Label


Remember that applications inherit labels from the organization they are attached to and just like for policy development in general, it will help to plan ahead what sort of labels you are going to create and use.

3.6.3. Creating a Condition Based on a Label

For this example, let’s say we want to identify components that have been approved for usage by the software architects in the development team with a label "Architecture Approved." This approval is part of the development process. We always ensure a component has gone through an approval process for architectural suitability, and when approved, they receive an "Architecture Approved" label.

After creating a label in the desired organization or application as described in Section 3.6.2, “Creating a Label”, proceed to create the condition:

  1. Create a new policy with the name Architecture.
  2. Click on the Add Constraint button, and enter the name Approved.
  3. Click on the Add Condition button for the Approved constraint.
  4. In the condition area, add a new condition choosing Label from the condition selection drop down.
  5. For the operator use is not, and then in the next drop down find the Architecture-Approved label you just created.
  6. Configure the Actions as desired.
  7. When everything is done you screen should look like Figure 3.9, “Creating a Condition Evaluating a Label” and you can click the Save button to finish.
figs/web/clm-server-label-condition-create.png

Figure 3.9. Creating a Condition Evaluating a Label


The created condition will be violated by any component that does not have approval as determined by the association of the label Architecture-Approved to it.

Note

We walked you through creating a new constraint, you could certainly add this condition to an existing constraint.

3.6.4. What is a License Threat Group?

License threat groups, are simply groups of licenses, broken into categories of severity for the various types of licenses. They can help you to achieve your goals related to enforcing the usage of components with licensing that matches the scope of your application.

Their primary purpose is to serve as the data points for the License section of the application composition report. Moreover, they are a way to group risk, associated with licensing. By default, there are four license threat groups included with Sonatype CLM:

CopyLeft
Strong copyleft licenses go a step further from weak copyleft licenses and mandate that any distributed software that links or otherwise incorporates such code be licensed under compatible licenses, which are a subset of the available open-source licenses. As a result, these licenses have been called “viral.""
Non-Standard
Something out of the ordinary (e.g. If we ever meet, give me a beer license).
Weak Copy Left
Free software licenses that mandate that source code that descended from software licensed under them, will remain under the same, weak copyleft, license. However, one can link to weak copyleft code from code under a different license (including non-open-source code), or otherwise incorporate it in a larger software. Otherwise, weak copyleft licenses allow free distribution, use , selling copies of the code or the binaries (as long as the binaries are accompanied by the (unobfuscated) source code), etc.
Liberal
These licenses allow you to do almost anything conceivable with the program and its source code, including distributing then, selling them, using the resultant software for any purpose, incorporating into other software, or even converting copies to different licenses, including that of non-free (so-called “proprietary”) software.

Note

Consult with your legal department for EXACT definitions. Information provided above is from the following reference.

3.6.5. Creating a License Threat Group

An important aspect of license threat groups is that each one also has a threat level, just like policy (from zero signifying no threat all the way up to 10). Unless you have specific legal recommendation / council, the default license threat groups will suffice, especially in the beginning. However, they can be edited. In fact, entirely new ones can be created altogether. Let’s use that premise, and create a new license threat group, Banned Licenses. When creating the license threat group, keep in mind that they will be inherited from the organization to all associated applications.

  1. Log in to the Sonatype CLM Server (by default this is available at http://localhost:8070) using a user account with at least Owner-level permissions for the organization or application (a member of the Owner Group).
  2. Click on the Organizations (or Applications) link, and then click on the organization (or application) you want to add the label in.
  3. Click the Licenses tab, and then the New License Threat Group button.
  4. Enter Banned Licenses for the name, and pick a threat level

  5. Add the following licenses from the Available Licenses to the Applied Licenses list by clicking on them in the list on the right

    1. AGPL-3.0
    2. AGPL
  6. When everything is done you screen should look like Figure 3.9, “Creating a Condition Evaluating a Label” and you can click the Save button to finish.
figs/web/clm-server-license-threat-group-create.png

Figure 3.10. Creating a License Threat Group


3.6.6. Creating a Condition Based on a License Threat Group

After we have created a license threat group as described in condition Section 3.6.5, “Creating a License Threat Group”, lets create a condition based on it.

  1. Create a new policy with the name Legal
  2. Change the name of the initial constraint to Banned License.
  3. Click on the Add Condition button for the Banned License constraint.
  4. Choose License Threat Group from the condition drop down, select is not from the operator drop down and then select Banned Licenses as the value.
  5. Configure the Actions as desired.
  6. When everything is done you screen should look like Figure 3.9, “Creating a Condition Evaluating a Label” and you can click the Save button to finish.
figs/web/clm-server-license-threat-group-condition-create.png

Figure 3.11. Creating a Condition Evaluating a License Threat Group


The created policy will be violated by any component that is licensed under the AGPL or AGPL-3.0 license.

3.6.7. What is a Tag?

In any given business, you could have hundreds, maybe even thousands of applications. Even if you are just getting started, it’s likely you have a handful of applications. However, as unique as applications can be, they tend to share some similarities.

For example, you might have applications that process or store sensitive information, maybe even personally identifiable information for your users. Since attacks are often aimed at these types of applications, you will definitely want to make sure your policies that identify high and critical threat security vulnerabilities are included during the evaluation of these types of applications.

Unfortunately, especially as the number of applications in your business increases, identifying an application by name may not be helpful. To address this, tags provide a way to quickly identify characteristics of an application.

Using specific text and color, tags can help group particular applications with similar attributes. While the tag can ultimately be anything you want, and attached to any application, you will want to take a much more thought-out approach, similar to what is recommended for labels.

As we will see later, in order to maximize the benefits tags can offer, you will want to take advantage of tag matching between policies and applications. For now though, let’s see how to create, apply, and delete tags.

scale-45

3.6.8. Creating, Editing, and Deleting Tags

Tags are created and deleted at the organization level and then applied individually for each application. Unlike other policy elements, tags cannot be created at the application level.

  1. First, log in to the Sonatype CLM Server using a user account with at least Owner-level permissions for the organization (a member of the Owner Group).
  2. Next, click on the Organizations link, and then click on the organization you want to create a tag in. The Organization Management area will be displayed.
  3. Now, click on the Tags tab. Any tags that have been created will be displayed. To add a new tag, click the New Tag button. You will be required to enter the tag name, as well as a description. You may also select a color, though no color will be the default. Once complete, click the Save button.
figs/web/sonatype-clm-server-tags-create.png

If you made a mistake and want to edit the tag, simply click on the tag body (anything but the x), and you can edit the tag information. However, if you want to permanently delete the tag, click on the x.

figs/web/sonatype-clm-server-tags.png

Note

Deleting any tag will ask for you to confirm, since that action can not be undone. If the tag is currently applied to an application you will be shown the names of all applications that would be affected before you confirm the deletion. You will not be able to delete a tag that has already been related to a policy, and will be shown the names of any related policies if you try. Should you still wish to delete the tag, you will have to disassociate it from any related policies first.

3.6.9. Applying a Tag

Depending on how your business uses tags, and establishes control within CLM, the people applying tags may be different from those creating them. It is important though to understand that while tags are provided to identify characteristics of an application, a more important usage is to provide a way for policy managers to create specific policies that consider those application characteristics. For this reason, when applying a tag, your application may be evaluated by a specific set of policies. This is a good thing, but it also makes the application of tags an act that requires careful consideration. To apply a tag to an application, follow the instructions below.

  1. First, log in to the Sonatype CLM Server using a user account with at least Owner-level permissions for the application (a member of the Owner Group).
  2. Next, click on the Application link, and then click on the application you want to apply the tag to. The Application Management area will be displayed.
  3. Now, click on Tags tab. There are two columns, one for available tags, as well as those that have already been applied. Simply click on the tag to move it from one column to the other. If there are a lot of tags, and you are having trouble locating a specific one, simply type in the filter the name of tag you would like to use.
scale-45

Tip

Mouse over a tag to see the full description.

3.6.10. Matching Policies to Specific Applications

By now, you have likely created tags, and perhaps even applied some to your applications. Those are great features, but the real power of tags comes when we match a policy to a specific set of applications.

Up to this point (before tags), an organization-level policy would apply to all applications. To address this, you could create a new organization, or develop specific policies for each application, but in both cases, that results in a lot of micromanagement. In contrast, tags provide an opportunity to create a policy and then pick unique groups of applications (based on their applied tags) the policy should be evaluated against.

Given this, it is important to think about the applications your business develops, as well as the types of policies you will use to evaluate your applications. Elements like the type of data, the exposure (public or private), as well as whether or not the application interfaces with the Internet, are a great place to start.

When you create your tags, make sure that it’s clear to users that will be using the tags. In other words, it shouldn’t be ambiguous as to the type of applications the tags represent. For example instead of creating the tag, "External," a more descriptive tag would be "Distributed." Some additional tag suggestions might be:

  • Sensitive Information
  • Personal Information

These are just suggestions of course, but you should get the key point. When adding a tag to an application, you can expect policies that have identified the same tag to be evaluated against your application.

Now, that’s quite a bit of discussion on the theory and proper way to utilize tags, let’s take a look at how to make the match happen.

To select the tag a policy will be evaluated against:

  1. Create a new policy, or edit an existing one.
  2. In the Application Tags area of the policy editor, choose the tags that represent the applications you want to evaluate the policy against. By default, no tags will be selected. This means the policy will apply to all application regardless of their tags.
  3. Finish creating or editing your policy and click the save button. From this point forward, the policy will be evaluated against applications based on the tags you selected. In addition, applications will only see the policies they are evaluated against.
scale-45

3.6.11. Viewing Tag-based Policies

Policies that have been set to match applications with specific tags are visible in the same area as all other policies. However, there is a slight difference between what is displayed at the organization level and the application level.

At the organization level
All policies for the organization will be displayed. Policies that have selected specific applications, based on a matching tags applied to those applications, will be indicated by a special icon.
At the application level

Only the policies that an application is evaluated against will be displayed in the Policy tab. This includes:

  • Policies created at the organization level, and set to match all applications.
  • Policies created at the organization level, and set to match specific tags currently applied to the application.
  • Policies created at the application level.

Tip

When viewing policies at the application level, be sure to look for the special tag icon figs/web/clm-server-policy-management-tag-icon.png, which indicates the application is evaluated against the policy given a tag (or tags) applied to the application.

3.6.12. Summary

It can be easy to forget about policy elements, and in most cases these should be reserved for more advanced users. For example, deciding what labels to use, and binding them to a specific process is very important in helping to ensure they aren’t overused. Equally important is creating tags that will provide an automatic evaluation of applications against policies with matching tags. In the case of license threat groups, you likely want to consult your legal team to make sure you remain compliant to parameters they have established. In fact, if you haven’t already they should be included in your policy development discussions.

As far as this section goes, here’s what you should have taken away.

  • Understanding policy elements (labels, license threat groups, and tags).
  • Create a label and a condition based on it.
  • Create a license threat group and a condition based on it.
  • Create tags at the organization level, and apply to applications.
  • Understand the impact of matching policies to applications using tags.