Optimized Component Lifecycle Management with Sonatype CLM
You will likely find a number of consistent themes throughout the Sonatype CLM documentation. One of these is that regular policy review and refinement should be part of your company's approach to component lifecycle management.
Accomplishing this successfully could potentially mean regularly rebuilding applications or publishing them to repositories several times over. In the case of waiting for builds, you might wait hours before a scan is able to run.
This isn't an issue linked to Sonatype CLM, but rather the length of time it takes to build your application. Whatever the reason, it means access to the new results could be delayed, and the change you made to policy or statuses might not have even made a difference. You'll soon need to make another change, and then wait again. Luckily, Sonatype CLM provides an alternative. It allows you to reevaluate the results of a scan in the form of an application composition report, which uses the existing component information from that scan and evaluates it against the current policies, which you might have changed since the last build and analysis.
To address this, you can use policy reevaluation to see how your policy changes affect the results of the current report. The policy reevaluation button is located in the top right of the application composition report (to the left of the PDF Export/Printer icon). Simply click this button, shown in Figure 4.41, "Application Composition Report Buttons For Printing and Reevaluation", and any policy changes you've made will be evaluated against the data of the current report.
Alternatively, you can reevaluate policies right from the application configuration screen in the Sonatype CLM server. Simply find your application, and locate the stage report you want to reevaluate under the application name, beside the icon. Any stage that had a report processed will have a reevaluation icon right beside the stage name.
Of course, it's possible other data in the application could have changed, and that might not be reflected until the next build. However, this will give you a good idea of how immediate policy changes impact any violations you currently have.
Note
Policy Reevaluation will not enact any actions you may have attached to your policies.
When you are first developing and making changes to your policy, it's best to choose an application with a short build time. If that's not possible, the reevaluation button can be a real time saver. Remember, though, that reevaluation simply applies policy to the most recent scan results. If someone has processed a new build since you last looked, you could be looking at those changes.