Logo Sonatype CLM Optimized Component Lifecycle Management with Sonatype CLM
Documentation Index
Sonatype CLM Downloads
Document Descriptions
Release Notes

Sonatype CLM Server
Installation and Deployment Guide
Security Administration Guide
Policy Management Guide
Report User Guide

CI User Guide

IDE User Guide

Repository Manager User Guide

Nine Steps For Open Source Governance
Optimized Component Lifecycle Management with Sonatype CLM

Optimized Component Lifecycle Management with Sonatype CLM

3.5. Policy Management

So you are ready to create your policy in the Sonatype CLM server. Great! If you have reached this point, it is important to be sure you have everything in place before you begin creating your own custom policies:

  • Organizations and applications are set up as desired in the Sonatype CLM server
  • Users have been assigned to these organizations and applications with the proper roles to fulfill your security requirements
  • You have determined the risks that apply to your organizational intent for the applications

If you haven’t done so, it’s also a good idea to write out the policies you want to create. While you will find the actual creation process is pretty easy, the more thought you put into your policies and the structure how the are tied together, the more well received they will be.

OK, you’ve been waiting long enough though, let’s start creating our very own policies, and we’ll do that next.

Note

In the instructions below, we’ve highlighted creating a policy for an organization. However, creating a policy for an application is almost identical with the only difference being that policies at the application level cannot have a tag applied to them.

3.5.1. Step 1: Understand the Policy Intent

So, let’s build on the third item we mentioned above, and first think about the intent of the policy we are going to create. Here are some question to consider:

  • Is this policy for all applications, or should it only be matched against certain ones?
  • What rules do we want to create, or in other words, what things do we not want in our applications, or this specific set of applications?
  • How do we want to react when violations occur?

These questions are really just the start, but in short you should ask what applications, what causes a violation, and what action should be taken. For our example policy, we want to focus on architecture aspects, with key areas being Age and Popularity of our components.

3.5.2. Step 2: Decide on a Descriptive Policy Name

Since architecture is our focus we are going to use it as part of the name for our policy. In addition we are going to add Age and Popularity to the name to be more specific. This will help us later when we start creating additional architecture related policies. Lets go ahead and create this policy:

  1. Log into the Sonatype CLM Server (by default this is available at http://localhost:8070) using a user account with Owner-level permissions for the organization (a member of the Organization’s Owner Group).
  2. Next, click the Organizational Design icon figs/web/clm-server-organizational-design-icon.png to access the Organizational Design area.
  3. In the menu on the left, click on Organizations, and then click the organization you want to add a policy to.
  4. To create a new policy, click the New Policy button. You should now see the policy editing screen (as displayed in Figure 3.6, “Policy Creation and Editing Screen”).
  5. The policy name input field should have focus and contain Enter Policy Name.
  6. Enter the new policy name by typing Architecture Age and Popularity
figs/web/clm-server-policy-edit.png

Figure 3.6. Policy Creation and Editing Screen


3.5.3. Step 3: Choose an Appropriate Threat Level

Threat level is one of the easiest concepts we’ll cover in this guide, yet it has the greatest chance to cause huge problems. At it’s core, this is simply a value for severity your business associates with a given policy. These values range from 1 to 10, each corresponding to range of severity, and a specific color:

Table 3.1. Threat Levels

High

Red

8-10

Medium

Orange

4-7

Low

Yellow

2-3

Informational

Dark Blue

1

None

Light Blue

0

To assign threat level to a policy, you will need to be in the policy edit mode (click on the editing icon). Next, use the drop down, which is located next to policy screen. This is displayed in Figure 3.7, “Policy Threat Level”.

figs/web/clm-server-policy-threat-level-edit.png

Figure 3.7. Policy Threat Level


When a threat level is selected by any component that has violated a policy will be displayed in the order of the severity of the violation. This is straight forward, but let’s take a look at the details and see where some issues can arise.

Just like taste is subjective, you have to realize that severity is subjective. What may be a level 10 for one part of the business may be quite different for another.

A bigger concern is what message you want to communicate to the recipients of the analysis. For example members of your team will naturally be inclined, to treat high severity as very important, and critical. If they see too many of these, the prospect of ever making any headway could be impacted in a negative way and you might dismay e.g. your developers to even get started on trying to fix the violations since there are just too many. As with any control mechanism it is probably advisable to be a bit lenient at first and start to get stricter at a later stage, when the worst problems are dealt with. Otherwise you could cause undue stress to development and management teams. The important thing is to keep in mind is how you will assign severity, and the impact it has on those reviewing violations.

Especially in the beginning, our recommendation is to reduce, if not exclude the high severity threat levels altogether. Remember, at the core, this number is purely for ordering how a violation will be displayed to a user of Sonatype CLM. Because this needs to be interpreted, the actual value is very subjective. It’s easy to overwhelm members of your team by seeing large numbers of highly severe violations. It might even be reasonable to set severity to the lowest setting for a violation (Low - 1) in the beginning. This way, members of your teams can get used to seeing the results that are produced.

In our example policy, architecture quality is pretty important, but it’s not the most important issue, so we’ll set this to a threat level of 7. This will give us a violation higher up in the display, but it’s certainly not the worst.

Tip

Remember, threat is subjective, and is most useful for ordering violations.

3.5.4. Step 4: Choose the Application Matching Parameters

In many cases, policies will be evaluated against all applications. However, as your applications become more diverse and there are various groups of applications with similar characteristics, you may find the need to develop policies for these specific cases. This will go hand-in-hand with the creation of tags, which application owners will apply to their applications.

Given the ability to create tags, there is an endless amount of refinement that can be done in order to focus a particular policy on a set of applications with similar characteristics. While we won’t get into the creation of tags here, thinking about this as a way to create more finely tuned policy is a good first step. For now, we’ll assume we have some pretty generalized architecture requirements for all applications, and want to make a policy that will match all applications in this organization.

figs/web/clm-server-policy-management-app-matching.png

3.5.5. Step 5: Create Constraints with Conditions

By now, we should know that an easy way to look at conditions is to consider them the "if" part of an "if/then" statement. In contrast, a constraint is not part of the statement, but rather a container for conditions. This can come in real handy when you want to consolidate a policy, by grouping similar conditions.

But why do this?

Well, for one thing, it reduces time. Next, because constraints are displayed on the application composition report, along with violations, it becomes easier for a member of your team to process information that is similar. Of course, it also has the added benefit of not having to create hundreds of small, "one-off" policies.

For example, in our Architecture Age and Quality policy, we may start with two conditions, one for age and one for popularity. This will work, but it’s likely better, especially if we want to expand that later on, we isolate these as separate constraints.

As a good practice, grouping similar conditions is the best way to build your constraints. Again, this will help de-clutter a multi-policy environment, as well as help someone reading any associated violations on the application composition report. For our example, we’ll place both conditions in the same constraint

  1. Click on the input field for the constraint name with the value Unnamed Constraint to expand the constraint.
  2. Enter Age and Popularity as the constraint name where the field initially displays Enter Constraint Name.

  3. Using the drop downs and the add (+) button, add two conditions.

    1. Age should be checked to be older than the value of 3 Years.
    2. Relative Popularity (Percentage) should set checked to be greater > than 50 percent.
  4. Select All in the drop down below the conditions as the aggregating rule so that all of the above conditions have to be fulfilled to trigger the constraint.

Now, before we move on, let’s take a look at some of the specific aspects of conditions that can tend to be a bit confusing.

Policy Type. Sonatype CLM has an algorithm for determining the type of policy you created. This type is based on the types of conditions you include and is mainly used in reporting purposes. For example the trending report aggregate the different policy types into separate lists. The rules to determine the type of a policy are:

  • If there are any security conditions, it is considered a security type policy.
  • If there are any license conditions, it is considered a license type policy.
  • If there are any age or popularity conditions, it is considered a quality type policy.
  • If there are any conditions not mentioned above, it is considered an other type policy.

Any vs. All. If a component meets any constraint, the policy is considered violated. However, inside each constraint, when you have more than one condition, you have the ability to require that a component must either meet all conditions or just any of the conditions to trigger a violation.

This is a straightforward concept, but it can produce vastly different results. For example, selecting Any as an option will tend to produce a lot more violations, it’s the equivalent of placing an or between each condition. In addition even if you resolve one violation for a component, if the component meets other conditions later on, it might cause it to still violate the policy. On the other hand, using All' allows you to establish that all conditions must be met. It’s like placing an and between each condition. In this case, if you address any of the conditions, the violation will be resolved.

Let’s look at an example that would further explain this, and then we will move on to creating conditions in our policy. Below, we have a couple of policies and a component. If we wanted to exclude components that were younger then four years and had less than fifty percent popularity, which would we want to use? Also, would the component listed violate this policy?

Policy 1 with Conditions
  • Age is < 4 years
  • Relative Popularity is ⇐ than 50%
  • Any of the above conditions trigger the constraint.
Policy 2 with Conditions
  • Age is < 4 years
  • Relative Popularity is ⇐ than 50%
  • All of the above conditions trigger the constraint.
Component Data
  • Age is 3 years
  • Relative Popularity is 85%

It may seem like these two policies are exactly the same, but there is a key difference, Any vs. All. So, our first policy states that if Any of the conditions are met that a violation will occur. Given that, our component violates this policy. This is good, but we only want a component to violate a policy when Age is less than three years, and popularity is below 50%. We understand that there may be circumstances where a component might need to fall outside one of those boundaries, but if it’s both, we know we have a problem. Our component is pretty popular, so it might be a case where this component, even though it is newer than we prefer, actually resolves an issue another component might have. For this reason, the best policy for us to choose is Policy 2, and our component would not actually cause a violation.

Available Conditions
The following list enumerates the available conditions and describes the operator and the value used for the evaluation.
Age
Verify if the components age based on the date it was placed in the Central Repository in months, days or years is older our younger than a specified value.
Coordinates (GAV)

Verify if the coordinates match or do not match using the syntax of groupId:artifactId:version.

The coordinates may be fixed, or a wildcard can be used. For example, org.sonatype.com:nexus-indexer:1.*. Here, components with a groupId of org.sonatype.com, an artifactId of nexus-indexer, and any version starting with 1. would be matched.

Additional Examples
  • A fixed coordinate: org.sonatype.nexus:nexus-indexer:1.0
  • A wildcard coordinate to an inclusive group and version: org.sonatype*:nexus-indexer:1.* - this condition would match, for example org.sonatypetest or org.sonatype.example, an artifact named nexus-indexer in these groups, and any version that starts with 1. for those groups and that specific artifact.

Note

The use of the wildcard is limited to the end of each parameter in the coordinate (GAV).

Identification Source
Verify if the component identification is or is not based on data from Sonatype or your Manual identification
Label
Verify if a label with a specific label name is or is not attached to a component
License
Verify if the component license is or is not a specified license. If the component license has been overridden, anything listed as declared or observed will be ignored. If license status is not overridden, then any occurrence of the selected license (observed or declared) will be considered a violation.
License Threat Group
Verify if the components license is or is not in one of the groups Banned, Copyleft, Liberal, Non Standard, Not Observed or Weak Copyleft. If the component license has been overridden anything listed as declared or observed will be ignored. If license status is not overridden, then any occurrence of the selected license (observed or declared) in the selected License Threat Group, will be considered a violation.
License Threat Group Level
Verify if the components license threat in its license threat group is either lesser <, lesser or equal <\=, greater > or greater or equal >= a specified value. Value range from zero for no threat to the highest threat level value of ten.
License Status
Verify if the user defined License Status is or is not one of the possible values of Open, Acknowledged, Not Applicable or Confirmed.
Match State
Verify if the match of the comparison of the component to known components from the Central Repository with the same coordinates is or is not exact, similar or unknown.
Proprietary
Verify if a component is or is not considered proprietary.
Relative Popularity (Percentage)
Verify if a the relative popularity of the component version as compared to other versions of the same component group and artifact parameter is either lesser <, lesser or equal <\=, greater > or greater or equal >= a specified percent value.
Security Vulnerability
Verify is a security vulnerability is present or absent. Keep in mind that just because there is no known, or present, security issue, doesn’t necessary mean none exists.
Security Vulnerability Severity
Verify if a security vulnerability with a numeric severity is either lesser <, lesser or equal <\=, greater > or greater or equal >= a specified value.
Security Vulnerability Status
Verify if a the components security vulnerability status is or is not one of the possible values of Open, Acknowledged, Not Applicable or Confirmed.

Now that you know about all the available conditions and how they can be combined to match all or any condition to create a constraint we are ready to determine what should happen if a constraint is met - the policy actions.

3.5.6. Step 6: Set Policy Actions

In order to understand Policy Actions, we first need to discuss enforcement points, something we mention in our other guides, as well as much of the material you have likely used to make your decision to move forward with Sonatype CLM.

An enforcement point is simply a stage in Component Lifecycle Management as well as a parallel point in the Software Development Lifecycle. Given a particular stage, we can evaluate components within an application, making sure that they meet our policies (rules) that have been designed to manage component consumption. For example, we can show developers when a component they are using is too old to meet our policy on component age.

The actions we take at these enforcement points (stages) can simply be passive; in other words, only displaying violation of our policy to us and/or notifying specific people when a violation occurs.

In contrast, they can also be active, such as preventing a staged build from moving into production. Of course the caveat here, is you will need the proper CLM product (or products) to match the supported enforcement point. Additionally, we need to be careful, not to disrupt the process of development, by too quickly exposing large numbers of high-threat violations.

For our example, we will add a notification action for our build stage.

  1. On the row for the Build stage, click on the Envelope icon in the Notifications column
  2. The Notifications dialog will display and allow you to provide email addresses that should be notified in the event of a policy violation

Tip

Notifications will only display new violations found in the latest scan. If you find yourself not receiving notification, verify there are new violations, as well as confirm you have configured your Sonatype CLM server SMTP settings.

With that out of the way, let’s also take a look at the supported enforcement points, or stages of the development cycle, as well as how actions are are best utilized in each one.

Develop - Integrated Development Environments (Eclipse)
In the first stage, Develop, the approach should be limited towards providing information, while at the same time ensuring development can continue. However, a developer can certainly see when components that don’t meet the policies of the business are being used, and make adjustments accordingly.

Note

Actions are currently selectable in this stage. However, they have no effect regardless of the tool used.

Build - Continuous Integration Servers /Ad Hoc Scanning (Hudson/Jenkins)
Next, the Build stage has options for both preventing a build, as well as simply warning. As you manage policy, making necessary adjustments over time, it’s best to take an approach that allows for your development teams to be eased into dealing with violations. For this reason, it’s better to start by simply warning when the build for an application contains components that violate your policies.
Stage Release
Stage Release is perhaps the most important stage to consider. The concept of a staged release involves placing a near final build into a staging repository prior to having it officially released. Because of this, it gives the opportunity to prevent an application from being released with components that have violated policy. Thus, setting the action for a Stage Release to Fail, is our recommendation.
Release
Release is the final push for a project into production. While there should be the closest scrutiny of policy violations at this point, there will be a similar recommendation to fail a release based on severe violations. In most cases, you should ideally be finding new violations only.

Tip

If you have setup policy monitoring, it is a good idea to monitor your release stage, as this is likely the best representation of your production application.

Operate
The operate stage can be set via a variety of tools, but in all of these cases, it is set manually. For this reason, providing any warning or fail actions will not produce any different result.

Now, given the above, the natural thing to do seems to fail the process from moving forward any time problems are found. However, that’s actually not the best approach for everyone, and it’s not one we recommend. Instead, only consider failing the Stage Release as we’ve recommended, and even then, only consider doing so for the most severe violations.

While it is possible to fail the Build stage, this might put an unwanted roadblock in the way of your development process. Even without failing a build, your team can always be aware of the violations and trouble spots, but at the same time, still progress forward. A good alternative to build failure, is instead adding a notification to a stage so that when a policy violation is encountered. This way, responsible parties are aware without needing to routinely review a report, or have their own process stopped by an interruption event, like failing a build.

3.5.7. Summary

Congratulations! You should now have setup a custom policy that checks for a specific age and popularity of all the components. If you’ve been using the stand alone scanner, or if you are already using other enforcement points, take a look at how your applications react to this new policy. Here are the highlights you should know about:

  • Create a Custom Policy
  • Understand Advantages of Multiple Constraints
  • Best Practices for Actions and Stages