Optimized Component Lifecycle Management with Sonatype CLM
When businesses implement Sonatype CLM for the first time, they often rely heavily on looking over each individual application composition report. However, as your implementation of Sonatype CLM grows, even if just to a few dozen applications, you will discover that you start to compare the health of each of these applications to the others. It soon becomes very important to pick out the worst issues, those posing the greatest risk, and triage them first.
While this can be done by closely reviewing each report, and creating plans to address issues, there is an easier and more direct way to identify those issues which your team should be focusing on. This is done with the Sonatype CLM Trending Report. This report gathers data from every report that has been produced, for every application that Sonatype CLM is tracking. It then provides a range of data, including:
- Applications and components representing the greatest risk.
- Policy violations broken down by type - Security, License, Quality and Others
- Violation count changes and resulting trends over time.
This chapter will address how to access and run the trending report, as well as the major concepts mentioned above. In addition, it will break down each area of the Sonatype CLM Trending Report, to help you better understand the health of your applications, not just one at a time, but as they compare to all applications you monitor.
To access the Sonatype CLM Trending Report, log into your Sonatype CLM server with any user, and then…
- Click the Reporting icon.
- A menu displays on the left side of the browser window; click Trending.
- The latest trending report similar to Figure 4.47, “Trending Report Overview” will be created and displayed.
The trending report runs automatically once you have accumulated data within Sonatype CLM. While your available data may vary, especially in the beginning, the report shows results from a rolling 20 day period. The top right hand corner of the report, visible in Figure 4.48, “Running the Trending Report”, displays when the report was last generated. If you have made updates such as clearing violations, and would like to refresh the information presented, click the refresh button beside the date. While data is refreshing, you will see a progress/loading bar.
The Sonatype CLM Trending Report consists of several different sections:
- Policy and application overview
- Violation summary and trending
- Top component violations
- Component matching overview
The sections above are not labeled in the report, but each can be identified by the chart types and data it presents; each section is described below.
Policy and Application Overview. The policy and application overview section is located in the top left of the first page of the report. The first piece of information displayed is a total count of components found across all applications Sonatype CLM has scanned. Just below this count is a chart displaying the percentage of each type of match identified by Sonatype CLM.
- Exact Match
- Sonatype CLM has matched a component exactly to the one in your application.
- Partial Match
- Sonatype CLM has found more than one component that may match the component in your application.
- Unknown Match
- Sonatype CLM has been unable to identify the component in your application.
Finally, a total count of policies and applications configured in the Sonatype CLM server is given.
Listed below this information are Threat Levels and the list of applications representing the Highest Risk.
Violations Summary and Trending. The violations summary and trending section consists of the Threat Levels display, the list of Highest Risk applications, the Violations counts and their breakdown by policy type, as well as the list of policies and the violations trending.
The Threat Levels chart displayed in Figure 4.50, “Threat Levels” shows the total number of policy violations for the severity levels of High, Medium, Low and None.
The Highest Risk section displayed in Figure 4.51, “Highest Risk Applications” lists the five applications posing the highest risk as determined by the number of policy violations for the different severity levels with actual number of violations displayed for each application.
The Violations summary report displayed in Figure 4.52, “Violation Summary by Policy Type” lists the total number of violations and breaks it down per severity as well as per policy type. While policies do not inherently have a type, Sonatype CLM assigns a type based on the conditions included within the policy, using these rules:
- If there are any security conditions, it is considered a security type policy.
- If there are any license conditions, it is considered a license type policy.
- If there are any age or popularity conditions, it is considered a quality type policy.
- If there are any conditions not mentioned above, it is considered an other type policy.
The display of the Violation Summary by Policy in Figure 4.53, “Violation Summary by Policy” shows all policies as well as the total count of violations, and their increase / decrease (trending) over time. The columns in the report are Threat Level, Policy Name, Starting Violation Count, Most Recent Violation Count and Violation Change.
Top Component Violations. Starting at the top of the right column of the trending report, there are five charts highlighting the five components with the most violations:
- Top Violators
- Security Policy Violators
- License Policy Violators
- Quality Policy Violators
- Other Policies
All of these charts display the component identifier and the violation count for each severity level, with an example visible in Figure 4.54, “Top Violators”.
Excluding the Top Violators chart, which is simply the five components with the most violations across all policy types, the remaining charts use the calculation of risk outlined in Understanding Risk.
The list of Most Partial Matches displayed in Figure 4.55, “Partial Matches” shows the top five components that Sonatype CLM has identified as partially matched, as well as the number of partial matches that exist for each component.
A partial match in an application isn’t necessarily a bad thing. In many cases, the component has simply been rebuilt, and Sonatype CLM can no longer match it exactly to the version it knows. However, this can also be a sign that malicious content may have made it into your application. For this reason, investigating partially matched components and understanding why the match is partial rather than exact is an important step.
The calculation of risk is an estimation based on policies you have created, the threat levels of those policies, and any associated violations.
- High (Red) is considered a critical risk and is a count of policy violations with threat level of 8-10, multiplied by 100.
- Medium (Orange) is considered a severe risk and is a count of policy violations with a threat level of 5-7, multiplied by 20.
- Low (Yellow) is considered a moderate risk and is a count of policy violations with a threat level of 1-4, multiplied by 5.
- None (Blue) is considered no risk, and means only policies with an assigned threat level of 0 have been violated.
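The following Python is an added worked example, not code from the Sonatype CLM product or its documentation. It models the two calculations described above: the policy-type rules (security, then license, then age/popularity, otherwise other, applied in that order of precedence) and the weighted risk score (High x100, Medium x20, Low x5, None x0), then ranks constructed sample applications the way the Highest Risk chart does. The condition kinds, policy names and application names are constructed placeholders, not identifiers from a real CLM server.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Threat-level bands and weights as the trending report documents them:
# High 8-10 (x100), Medium 5-7 (x20), Low 1-4 (x5), None 0 (no risk).
RISK_BANDS: Tuple[Tuple[str, int, int, int], ...] = (
    ("High", 8, 10, 100),
    ("Medium", 5, 7, 20),
    ("Low", 1, 4, 5),
    ("None", 0, 0, 0),
)

# Condition kinds are constructed placeholders for this example, not the
# names Sonatype CLM uses for its policy conditions.
QUALITY_CONDITIONS = {"age", "popularity"}


@dataclass(frozen=True)
class Policy:
    name: str
    threat_level: int            # 0-10, assigned when the policy was created
    conditions: Tuple[str, ...]  # constructed condition kinds, e.g. "security"


def policy_type(policy: Policy) -> str:
    """Classify a policy by its conditions, in the documented order of precedence."""
    kinds = set(policy.conditions)
    if "security" in kinds:
        return "Security"
    if "license" in kinds:
        return "License"
    if kinds & QUALITY_CONDITIONS:
        return "Quality"
    return "Other"


def risk_band(threat_level: int) -> Tuple[str, int]:
    """Map a threat level to its (band name, weight); reject values outside 0-10."""
    for name, low, high, weight in RISK_BANDS:
        if low <= threat_level <= high:
            return name, weight
    raise ValueError(f"threat level out of range 0-10: {threat_level}")


def risk_score(violations: Iterable[Policy]) -> Tuple[int, Counter]:
    """Weighted risk for one application plus its violation count per band."""
    per_band: Counter = Counter()
    score = 0
    for policy in violations:
        band, weight = risk_band(policy.threat_level)
        per_band[band] += 1
        score += weight
    return score, per_band


def violation_summary_by_type(violations: Iterable[Policy]) -> Dict[str, Counter]:
    """Violation counts broken down by policy type and then by severity band."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for policy in violations:
        band, _ = risk_band(policy.threat_level)
        summary[policy_type(policy)][band] += 1
    return dict(summary)


def highest_risk(apps: Dict[str, List[Policy]], top_n: int = 5) -> List[Tuple[str, int, Dict[str, int]]]:
    """Rank applications by weighted risk, highest first, like the Highest Risk chart."""
    ranked = []
    for app, violations in apps.items():
        score, per_band = risk_score(violations)
        ranked.append((app, score, dict(per_band)))
    ranked.sort(key=lambda entry: (-entry[1], entry[0]))
    return ranked[:top_n]


# Constructed sample policies and per-application violation lists (one entry
# per violation); none of these names come from a real CLM server.
CRITICAL_VULN = Policy("Critical vulnerability", 9, ("security",))
COPYLEFT = Policy("Copyleft license", 7, ("license",))
OLD_COMPONENT = Policy("Component older than 3 years", 3, ("age",))
MIXED = Policy("Vulnerable or copyleft", 8, ("license", "security"))  # -> Security
LABELLED = Policy("Informational label", 0, ("label",))              # -> Other, no risk

SAMPLE_APPS: Dict[str, List[Policy]] = {
    "payments-api": [CRITICAL_VULN, CRITICAL_VULN, COPYLEFT,
                     OLD_COMPONENT, OLD_COMPONENT, OLD_COMPONENT],
    "web-portal": [MIXED, OLD_COMPONENT, LABELLED, LABELLED],
    "batch-jobs": [OLD_COMPONENT] * 4,
    "internal-tool": [LABELLED],
}

if __name__ == "__main__":
    for app, score, bands in highest_risk(SAMPLE_APPS):
        print(f"{app:14} risk={score:4} {bands}")
    print(violation_summary_by_type(SAMPLE_APPS["payments-api"]))
```

Two details worth noticing when reading the output: a policy with both license and security conditions is counted as a Security policy because the rules are applied in order, and an application whose only violations are threat level 0 scores exactly 0, which is what the None band means.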