Optimized Component Lifecycle Management with Sonatype CLM

Table of Contents

Authors

Sonatype, Inc.
Manfred Moser
Jeff Wayman
Bruce Mayhew
Justin Young
Kelly Robinson

Preface
1. Component Lifecycle Management
1.1. Introduction
1.2. Increasing Component Usage and Open Source Components
1.3. Security Vulnerability and License Compliance Risks
1.4. Complicating Factors for CLM
1.5. Stages of CLM adoption and performance
1.6. Requirements for CLM
1.7. Sonatype and Sonatype CLM
1.7.1. Who is Sonatype?
1.7.2. Sonatype CLM
1.8. Conclusion
2. Sonatype CLM Server
2.1. Introduction
2.2. Preparation and Installation
2.2.1. Hardware Prerequisites and Recommendations
2.2.2. Software Requirements
Operating System and Java Runtime Environment
Browser
2.2.3. Download
2.2.4. Installation
2.2.5. Starting CLM Server
2.2.6. License Installation
2.2.7. CLM Server Directories
2.2.8. Running CLM Server as a Service
2.2.9. Backup
2.2.10. Upgrading
2.3. Configuration
2.3.1. Initial Configuration of CLM Server
2.3.2. Running the CLM Server Behind an HTTP Proxy Server
2.3.3. Setting the Base URL
2.3.4. File Configuration
2.3.5. Email Configuration
2.3.6. Logging Configuration
2.3.7. HTTP Configuration
2.3.8. HTTPS/SSL
2.4. User Management
2.4.1. Logging in to Sonatype CLM
2.4.2. Changing the Admin Password
2.4.3. Creating a User
2.4.4. Editing and Deleting User Information
2.5. LDAP Integration
2.5.1. Configuring the LDAP Server Connection
2.5.2. LDAP Configuration Parameters
2.5.3. Mapping LDAP Users to Sonatype CLM
2.5.4. LDAP User Parameters
2.5.5. Mapping LDAP Groups to Sonatype CLM
2.5.6. LDAP Group Parameters
Static Groups
Dynamic Groups
2.5.7. Verifying LDAP Configuration
Test Connection
Check User and Group Mapping
Check Login
2.6. Role and Permission Management
2.6.1. Organization, Applications, and Inheritance
2.6.2. Roles and Permissions
2.6.3. Assigning Users to Standard Roles
2.6.4. Assigning Users to Global Roles
2.7. Conclusion
3. Sonatype CLM Policy Management
3.1. Introduction
3.2. What is a Policy?
3.2.1. Basic Policy Anatomy
3.2.2. Organizations, Applications and Inheritance
3.2.3. Summary
3.3. Organization and Application Management
3.3.1. Organizational Structure
3.3.2. Creating an Organization
3.3.3. The Application to Application Link
3.3.4. Creating an Application
3.3.5. Organization, Application, and Inheritance
3.3.6. The Power of Inheritance
3.3.7. Avoiding Policy Micromanagement
3.3.8. Permissions and Roles
3.3.9. Summary
3.4. Policy Development
3.4.1. Advanced Anatomy of a Policy
3.4.2. Risk and Organizational Intent
3.4.3. Summary
3.5. Policy Management
3.5.1. Step 1: Understand the Policy Intent
3.5.2. Step 2: Decide on a Descriptive Policy Name
3.5.3. Step 3: Choose an Appropriate Threat Level
3.5.4. Step 4: Choose the Application Matching Parameters
3.5.5. Step 5: Create Constraints with Conditions
3.5.6. Step 6: Set Policy Actions
3.5.7. Summary
3.6. Policy Elements
3.6.1. What is a Label?
3.6.2. Creating a Label
3.6.3. Creating a Condition Based on a Label
3.6.4. What is a License Threat Group?
3.6.5. Creating a License Threat Group
3.6.6. Creating a Condition Based on a License Threat Group
3.6.7. What is a Tag?
3.6.8. Creating, Editing, and Deleting Tags
3.6.9. Applying a Tag
3.6.10. Matching Policies to Specific Applications
3.6.11. Viewing Tag-based Policies
3.6.12. Summary
3.7. Manual Application Evaluation
3.7.1. Evaluating via the CLM Server
3.7.2. Evaluating via the Stand-alone Scanner
Finding the Application ID
Using the Stand-alone Scanner
Additional Options
Stand-alone Scanner Example
3.7.3. Report Generation
3.7.4. Summary
3.8. Reviewing Evaluation Results
3.8.1. Accessing the Application Composition Report
3.8.2. Reviewing the Report
3.8.3. Summary
3.9. Importing Policies
3.9.1. Sonatype Example Policies
3.9.2. Importing a Policy to an Organization
3.9.3. Importing a Policy to an Application
3.9.4. Summary
3.10. Policy Monitoring
3.10.1. Set Up Policy Monitoring for an Application
3.10.2. Configuring Notification Times
3.10.3. Summary
3.11. Conclusion
4. Reports in Sonatype CLM
4.1. Introduction
4.2. Application Composition Report Overview
4.2.1. Accessing an Application Composition Report
4.2.2. Reviewing a Report
4.2.3. Summary Tab
4.2.4. Policy Tab
4.2.5. Security Issues Tab
4.2.6. License Analysis Tab
4.2.7. Printing and Reevaluating the Report
4.2.8. The Component Information Panel (CIP)
4.2.9. Summary
4.3. Resolving Security Issues
4.3.1. Security Issues
4.3.2. The Component Information Panel (CIP)
4.3.3. Editing Vulnerability Status
4.3.4. Matching to Violations
4.3.5. Summary
4.4. License Analysis Tab
4.4.1. License Threat Group
4.4.2. License Analysis
4.4.3. The Component Information Panel (CIP)
4.4.4. Editing License Status and Information
4.4.5. Summary
4.5. Component Identification
4.5.1. Matching Components
4.5.2. Managing Proprietary Components
4.5.3. Claiming a Component
4.5.4. Summary
4.6. Label Overview
4.6.1. Where do labels begin?
4.6.2. Assigning a Label
4.6.3. Summary
4.7. Waivers
4.7.1. A Use Case for Waivers
4.7.2. Adding a Waiver
4.7.3. Viewing and Removing a Waiver
4.7.4. Summary
4.8. Policy Reevaluation
4.8.1. Summary
4.9. Sonatype CLM PDF Report
4.9.1. Creating the PDF
4.9.2. Reviewing the PDF
4.9.3. Summary
4.10. Sonatype CLM Trending Report
4.10.1. Accessing the Sonatype CLM Trending Report
4.10.2. Running the Sonatype CLM Trending Report
4.10.3. Reviewing the Sonatype CLM Trending Report
4.10.4. Understanding Risk
4.11. Conclusion
5. Sonatype CLM and Continuous Integration
5.1. What is Continuous Integration (CI)?
5.2. Sonatype CLM and Continuous Integration
5.3. Sonatype CLM for CI
5.3.1. Introduction
5.3.2. Installation
5.3.3. Global Configuration
5.3.4. Job Configuration
5.3.5. Inspecting Results
5.4. Sonatype CLM Command Line Scanner
5.4.1. Introduction
5.4.2. Downloading the Scanner
5.4.3. Locating Your Application Identifier
5.4.4. Setting Up the Scanner in Your CI
5.4.5. Summary
5.5. Sonatype CLM Maven Plugin
5.5.1. CLM Maven Plugin Introduction
5.5.2. Creating a Component Index for Sonatype CLM for CI
5.5.3. Creating a Component Info Archive for Nexus Pro CLM Edition
5.5.4. Evaluating Project Components with Sonatype CLM Server
5.5.5. Simplifying Command Line Invocations
5.5.6. Skipping CLM Maven Plugin Executions
5.6. Conclusion
6. Sonatype CLM for IDE
6.1. Introduction
6.2. Installing Sonatype CLM for Eclipse
6.3. Configuring Sonatype CLM for Eclipse
6.4. Using the Component Info View
6.4.1. Overview
6.4.2. Filtering the Component List
6.4.3. Searching for Component Usages
6.4.4. Inspecting Component Details
6.5. Migrating to Different Component Versions
6.6. Conclusion
7. Sonatype CLM for Repository Managers
7.1. Introduction
7.2. Nexus Pro - Sonatype CLM Edition
7.3. Nexus Pro and Sonatype CLM Integration
7.3.1. Introduction
7.3.2. Repository Health Check (RHC) vs. Sonatype CLM
7.3.3. Connecting Nexus to CLM Server
7.3.4. Configuring the CLM Server
7.3.5. Accessing CLM Component Information
7.3.6. The Component Information Panel (CIP)
7.3.7. Component Details (CLM)
7.4. Using CLM for Staging
7.4.1. Introduction
7.4.2. Staging Profile Configuration
7.4.3. Policy Actions
7.4.4. Release Repository Actions
7.5. Using CLM for Staging
7.5.1. Introduction
7.5.2. Creating a Component Info Archive for Nexus Pro CLM Edition
7.5.3. Skipping CLM Maven Plugin Executions
7.6. Conclusion
A. Copyright

List of Figures

2.1. Installing a Product License on Sonatype CLM Server
2.2. Sonatype CLM Server End User License Agreement Window
2.3. Installed Product License on Sonatype CLM Server
2.4. Login
2.5. Create User
2.6. Edit User
2.7. Sample LDAP Server Configuration
2.8. User Mapping
2.9. Group Mapping
2.10. Testing LDAP Server
2.11. Checking User Mapping
2.12. Checking User Login
2.13. Inheritance and User Roles Overview
2.14. Example of Roles
2.15. Assigning Users to Standard Roles
2.16. Assigning Users to Global Roles
3.1. Creating an Organization
3.2. Organization Overview Screen
3.3. Creating an Application
3.4. Application Management Area
3.5. Editing a Policy and its Attributes
3.6. Policy Creation and Editing Screen
3.7. Policy Threat Level
3.8. Creating a Label
3.9. Creating a Condition Evaluating a Label
3.10. Creating a License Threat Group
3.11. Creating a Condition Evaluating a License Threat Group
3.12. Evaluate an Application
3.13. Application Overview with Application Identifier
3.14. Violations Report after Scan
3.15. Reporting Area
3.16. Application Area
3.17. Summary Tab of an Application Composition Report
3.18. Policy Tab of an Application Composition Report
3.19. Security Issues Tab of an Application Composition Report
3.20. License Analysis Tab of an Application Composition Report
3.21. Component Information Panel CIP for a Specific Component
3.22. Policy Tab for a Specific Component Displayed on the Component Information Panel
3.23. Organization View with Import Button
3.24. Import Policy Dialog
3.25. Example of a Policy Monitoring Email
3.26. Access Application Management Area
3.27. Selecting a Sonatype CLM Stage to Monitor
3.28. Adding Email Recipient
3.29. Sample Email Notification
4.1. Summary Tab of the Application Composition Report
4.2. Reporting Area
4.3. Application Area
4.4. The Four Tabs
4.5. Security Issues Summary
4.6. License Analysis Summary
4.7. Policy Tab
4.8. Security Issues Tab
4.9. License Analysis Tab
4.10. Application Composition Report Buttons For Printing and Reevaluation
4.11. Component Information Panel CIP Example
4.12. CIP, Policy Section
4.13. CIP, Similar Section
4.14. CIP, Occurrences Section
4.15. CIP, Licenses Section
4.16. CIP, Edit Vulnerabilities Section
4.17. CIP, Labels Section
4.18. CIP, Claim Component
4.19. CIP, Audit
4.20. Security Issues Tab
4.21. Component Information Panel (CIP)
4.22. Editing Vulnerabilities via CIP
4.23. Editing Multiple Vulnerabilities
4.24. Example of Component with Security Issue, but No Policy Violation
4.25. License Analysis Tab
4.26. The Default License Threat Groups
4.27. Component Information Panel (CIP)
4.28. Editing a Single License, Using Select Option
4.29. Unknown Component
4.30. Filter and Matching Options
4.31. Proprietary Component
4.32. Proprietary Packages Configuration via the Sonatype CLM Server
4.33. Claim a Component
4.34. Claimed Component Indicator
4.35. Labels at the CLM Server Level
4.36. Assigning a Label
4.37. Waiver Visualization on Policy Tab
4.38. Waiver Button
4.39. Options to Apply Waiver to the Application or the Entire Organization
4.40. View and Remove Waivers
4.41. Application Composition Report Buttons For Printing and Reevaluation
4.42. Summary Section of an Application Composition Report in PDF Format
4.43. Policy Violations Section of an Application Composition Report in PDF Format
4.44. Security Issues Section of an Application Composition Report in PDF Format
4.45. License Analysis Section of an Application Composition Report in PDF Format
4.46. Components Section of an Application Composition Report in PDF Format
4.47. Trending Report Overview
4.48. Running the Trending Report
4.49. Policy and Application Summary
4.50. Threat Levels
4.51. Highest Risk Applications
4.52. Violation Summary by Policy Type
4.53. Violation Summary by Policy
4.54. Top Violators
4.55. Partial Matches
5.1. Jenkins Global Configuration Menu
5.2. Global Configuration of Sonatype CLM for CI in Jenkins
5.3. Sonatype CLM Build Scan Configuration for a Build Step
5.4. Post-build Action Configuration as Example for a Sonatype CLM for CI Configuration
5.5. Job Overview Page with Links to the Application Composition Report and Application Management
5.6. Left Menu with Link to the Application Composition Report
5.7. Application Overview and Application Identifier
6.1. Eclipse Dialog to Install New Software with Sonatype CLM for Eclipse
6.2. Activating the Component Info View of Sonatype CLM for Eclipse
6.3. Warning after initial installation
6.4. Sonatype CLM for Eclipse Configuration Dialog
6.5. Example Component Info View
6.6. Details for a Component in the Component Info View
6.7. Properties of a Component for a Version Range
6.8. Filter Dialog for the Component Info View
6.9. Example Component Details Display
6.10. Migrating to a Newer Component Version
6.11. Applying a Dependency Version Upgrade
6.12. Selecting Dependency Version or Property Upgrade
6.13. Applying a Property Upgrade
7.1. The Central Role of a Repository Manager in Your Infrastructure
7.2. CLM configuration tab in Nexus
7.3. Typical Search Results in Nexus Pro
7.4. Nexus Search Showing All Versions
7.5. Accessing the Component Info Tab
7.6. Component Information Panel
7.7. Component Information Panel Example
7.8. CIP Text
7.9. CIP Graph
7.10. View Details Button
7.11. View Details
7.12. Staging Profile with a CLM Application Configured
7.13. Staging and Release Configuration for a Policy in the CLM Server
7.14. Staging Repository Activity with a CLM Evaluation Failure and Details