Optimized Component Lifecycle Management with Sonatype CLM

3.9. Importing Policies

Setting up policies can be quite complex and labor intensive. To make the process easier and give you a head start, we have created some sample policies and provide an import feature.

We actually recommend you don’t begin using Sonatype CLM by creating a bunch of policies right out of the gate. Instead, we’ve created a set of policies, which include other policy elements such as labels and license threat groups, that you can import into your Sonatype CLM installation.

Eventually, and there is a very short time between now and eventually, you will need to create, or at least modify, policies. For now, we’ll want to focus on populating your organizations and applications with policies provided by Sonatype.

3.9.1. Sonatype Example Policies

The easiest way to establish policies for your applications is to use one of the policy packages provided by Sonatype. While these are not meant to be a perfect match for every business, they have been created with our extensive experience working with customers and developing policy for our own internal practices.

The policy packages can be downloaded here:

Note

The import files are simple JSON files and are only compatible with the latest version of the Sonatype CLM Server. Please review the Archives to access Downloads for your version of Sonatype CLM.

Alternatively you can find them in the documentation archive in the resources folder.

Let’s take a look at the various policies available.

Audit Policy Package
This audit policy package is an example of managing components for security, licensing, and architectural issues. It also introduces the detection of unknown and patched components used in building your applications. The audit policy package can be used to gather information about the components used to build your applications without warnings and failures occurring in the developer, continuous build, or Nexus environments. This is the perfect policy package to use in order to gather information and understand how policy management will work for your environment, without potentially distracting the people who are building and delivering your applications.

Note

This policy package includes several preset tags. The tags have been used in the Application Matching area for several of the included policies. Policies using the tags will be indicated by a special tag icon. In order to utilize the policies, you must have applied the corresponding tag to your application(s). For more information on tags, please see the Policy Elements section of our Policy Management Guide.

Enforce Policy Package
The enforcement policy package includes the same set of policies as the audit policy package, with the addition of enforcement actions. It also includes suggested enforcement actions based on the severity of issues being detected. If you plan to use the policy package, policy notification actions should be added to notify interested parties of policy violations. The notifications will not overwhelm the inbox as the system tracks which notifications have been sent and will not send duplicate notifications. If you are looking for a good starting point to ensure the components being used in your applications meet the defined policy before being released, you will want to use this policy package.

Note

This policy package includes several preset tags. The tags have been used in the Application Matching area for several of the included policies. Policies using the tags will be indicated by a special tag icon. In order to utilize the policies, you must have applied the corresponding tag to your application(s). For more information on tags, please see the Policy Elements section of our Policy Management Guide.

Note

This policy package includes three preset email addresses for notifications. You will want to open the JSON file and find and replace the following addresses before importing (ProjectLead@changeme.sonatype.com, LicenseTeam@changeme.sonatype.com, SecurityTeam@changeme.sonatype.com). This can also be edited within Sonatype CLM after import, but that is a more manual process.
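The following script is an added example, not part of the Sonatype package, that performs the find-and-replace on the policy JSON before import and refuses to emit a file while any changeme address remains; the replacement addresses and the sample file layout are assumptions, since the page does not show the package structure.

```python
import json

# The three placeholder addresses named on this page, mapped to replacement
# values that are assumptions here; substitute your own distribution lists.
PLACEHOLDERS = {
    "ProjectLead@changeme.sonatype.com": "project-lead@example.com",
    "LicenseTeam@changeme.sonatype.com": "license-team@example.com",
    "SecurityTeam@changeme.sonatype.com": "security-team@example.com",
}

def replace_addresses(node, mapping):
    """Walk any JSON value and swap strings equal to a placeholder (schema-agnostic)."""
    if isinstance(node, dict):
        return {k: replace_addresses(v, mapping) for k, v in node.items()}
    if isinstance(node, list):
        return [replace_addresses(v, mapping) for v in node]
    if isinstance(node, str):
        return mapping.get(node, node)
    return node

def find_unreplaced(node, marker="@changeme."):
    """Return every string still carrying the placeholder domain, in any case."""
    found = []
    if isinstance(node, dict):
        for v in node.values():
            found.extend(find_unreplaced(v, marker))
    elif isinstance(node, list):
        for v in node:
            found.extend(find_unreplaced(v, marker))
    elif isinstance(node, str) and marker in node.lower():
        found.append(node)
    return found

def prepare_policy_file(text, mapping=PLACEHOLDERS):
    """Rewrite the policy JSON and refuse to emit it while a placeholder remains,
    so violation notifications cannot silently go to an address nobody reads."""
    doc = replace_addresses(json.loads(text), mapping)
    leftovers = find_unreplaced(doc)
    if leftovers:
        raise ValueError(f"placeholder addresses remain: {sorted(set(leftovers))}")
    return json.dumps(doc, indent=2)

# Constructed sample input; the real package layout is not shown on the page.
SAMPLE = json.dumps({"policies": [{"name": "Security-Critical", "actions": [
    {"stage": "release", "notify": ["SecurityTeam@changeme.sonatype.com",
                                   "ProjectLead@changeme.sonatype.com"]}]}]})

if __name__ == "__main__":
    print(prepare_policy_file(SAMPLE))
```

Run it against the downloaded package with `prepare_policy_file(open("enforce.json").read())` and import the returned text; a placeholder left anywhere in the file stops the rewrite instead of shipping a dead notification address.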

3.9.2. Importing a Policy to an Organization

Once you have acquired a policy file to import, you can follow these steps:

  1. Log into your Sonatype CLM server with a user account that has proper permissions to import policy for a specific organization (at least a member of the owner group for the organization would be required).
  2. Next, click the Organizational Design icon (figs/web/clm-server-organizational-design-icon.png) to access the Organizational Design area.
  3. Click on Organizations in the left menu, and then click the organization you wish to import the policy to.
  4. Click the Import button in the top right corner of the organization view displayed in Figure 3.23, “Organization View with Import Button”.
  5. Click the Choose File button in the Import Policy dialog displayed in Figure 3.24, “Import Policy Dialog” and select the policy JSON file in the file browser.
  6. Click the Import button in the Import Policy dialog.
  7. Confirm that the list of policies contains the imported policies.
[Figure image: figs/web/clm-server-org-policy-import.png]

Figure 3.23. Organization View with Import Button


If you are importing to an organization that already has some policies, labels, license threat groups, and/or tags set up, consider the following rules:

  • Existing policies will be deleted during the import procedure.
  • Importing policies also includes an import of associated policy elements (labels, license threat groups, and tags). The following logic will be used for Policy Elements:

    • Labels - the CLM server attempts to match labels against existing ones in a case-insensitive manner. This allows for updating the description or color of existing labels, while preserving any triage effort already done to apply these labels to components. If your import contains labels that aren’t already present in the system, they will be created.
    • License Threat Groups - the CLM server will delete all existing license threat groups, and then import the new ones.
    • Tags - the CLM Server attempts to match tags against existing ones in a case-insensitive manner. This allows for updating the description or color of existing tags, while preserving any current matching of tags between policies and applications.
[Figure image: figs/web/clm-server-policy-import-dialog.png]

Figure 3.24. Import Policy Dialog


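An added example, not CLM's own code, that applies the organization-level import rules above to a constructed snapshot of an organization and an import file, so you can see what the import will delete, update, and create before running it; the dictionary layout of both sides is an assumption, since the page does not show the file format.

```python
# Dry-run of the organization-level import rules: policies and license threat
# groups are replaced outright; labels and tags are matched case-insensitively,
# matched ones keep their id and name spelling but take the imported description
# and color, and unmatched ones are created. The dict layout is assumed, not CLM's.

def merge_matched(existing, imported):
    """Return (resulting entries, names created) for labels or tags."""
    by_key = {e["name"].lower(): dict(e) for e in existing}
    created = []
    for item in imported:
        key = item["name"].lower()
        if key in by_key:
            by_key[key].update(description=item["description"], color=item["color"])
        else:
            by_key[key] = dict(item)
            created.append(item["name"])
    return list(by_key.values()), created

def preview_org_import(current, incoming):
    """Summarise what importing `incoming` into the organization `current` does."""
    labels, new_labels = merge_matched(current["labels"], incoming["labels"])
    tags, new_tags = merge_matched(current["tags"], incoming["tags"])
    return {
        "policies_deleted": [p["name"] for p in current["policies"]],
        "license_threat_groups_deleted": [g["name"] for g in current["licenseThreatGroups"]],
        "labels_after": labels, "labels_created": new_labels,
        "tags_after": tags, "tags_created": new_tags,
    }

# Constructed sample data for an organization that already has elements set up.
CURRENT = {
    "policies": [{"name": "Old-License-Policy"}],
    "licenseThreatGroups": [{"name": "Copyleft"}],
    "labels": [{"id": 7, "name": "Architecture-Cleanup", "description": "old", "color": "grey"}],
    "tags": [{"id": 3, "name": "Internet-Facing", "description": "", "color": "blue"}],
}
INCOMING = {
    "policies": [{"name": "Security-Critical"}],
    "licenseThreatGroups": [{"name": "Weak Copyleft"}],
    "labels": [
        {"name": "architecture-cleanup", "description": "Candidate for removal", "color": "orange"},
        {"name": "Security-Reviewed", "description": "Manually vetted", "color": "green"},
    ],
    "tags": [{"name": "internet-facing", "description": "Public endpoint", "color": "red"}],
}

if __name__ == "__main__":
    for key, value in preview_org_import(CURRENT, INCOMING).items():
        print(f"{key}: {value}")
```

Note that the existing "Architecture-Cleanup" label survives with its id and spelling even though the import spells it in lower case, while the old policy and license threat group are gone after the import.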
3.9.3. Importing a Policy to an Application

An application inherits policies from the organization. However, it can be useful to have additional policies for fine-grained control.

  1. Log into your Sonatype CLM server with a user account with an Administrator role or as an Owner of the application you wish to import policy to.
  2. Next, click the Organizational Design icon (figs/web/clm-server-organizational-design-icon.png) to access the Organizational Design area.
  3. Two columns will be displayed on the left. Click on Applications, and then click the application you wish to import the policy to.
  4. Click the Import button in the top right corner of the application view, which is identical to the organization view displayed in Figure 3.23, “Organization View with Import Button”.
  5. Click the Choose File button in the Import Policy dialog displayed in Figure 3.24, “Import Policy Dialog” and select the policy JSON file in the file browser.
  6. Click the Import button in the Import Policy dialog.
  7. Confirm that the list of policies contains the imported policies.

The policy information will be imported, and the following rules will be applied:

  • Duplication of organization policies is invalid, so you will not be able to import the same policy file into an organization and then into an application associated with it.
  • When a policy is imported, any existing application policies will be deleted and replaced with the imported configuration.
  • For label imports, the same logic as during imports at the organization level described in Section 3.9.2, “Importing a Policy to an Organization” applies.
  • Attempting to import policies that contain tags will cause the entire import to fail.

3.9.4. Summary

If you are having trouble coming up with your own, custom policies, importing any of our sample policies can be a great way to get started. While this may not be an exact fit, in most situations it provides a good baseline for improving the health of your applications. Better yet, if you want to modify the policies after import, you can do that as well.