Sonatype CLM Server - Policy Management Guide
The easiest way to establish policies for your applications is to use one of the policy packages provided by Sonatype. While these are not meant to be a perfect match for every business, they have been created with our extensive experience working with customers and developing policy for our own internal practices.
The policy packages can be downloaded here:
Note
The import files are simple JSON files and are only compatible with the latest version of the Sonatype CLM Server. If you are running an earlier version of Sonatype CLM, please review the Archives to access the Downloads for your version.
Alternatively, you can find them in the documentation archive in the resources folder.
Let’s take a look at the various policies available.
- Audit Policy Package
- This audit policy package is an example of managing components for security, licensing, and architectural issues. It also introduces the detection of unknown and patched components used in building your applications. The audit policy package can be used to gather information about the components used to build your applications without warnings and failures occurring in the developer, continuous build, or Nexus environments. This is the perfect policy package to use in order to gather information and understand how policy management will work for your environment, without potentially distracting the people who are building and delivering your applications.
Note
This policy package includes several preset tags. The tags have been used in the Application Matching area for several of the included policies. Policies using the tags will be indicated by a special tag icon. In order to utilize the policies, you must have applied the corresponding tag to your application(s). For more information on tags, please see the Policy Elements section of our Policy Management Guide.
- Enforce Policy Package
- The enforcement policy package includes the same set of policies as the audit policy package, with the addition of enforcement actions. It also includes suggested enforcement actions based on the severity of issues being detected. If you plan to use the policy package, policy notification actions should be added to notify interested parties of policy violations. The notifications will not overwhelm the inbox as the system tracks which notifications have been sent and will not send duplicate notifications. If you are looking for a good starting point to ensure the components being used in your applications meet the defined policy before being released, you will want to use this policy package.
Note
This policy package includes several preset tags. The tags have been used in the Application Matching area for several of the included policies. Policies using the tags will be indicated by a special tag icon. In order to utilize the policies, you must have applied the corresponding tag to your application(s). For more information on tags, please see the Policy Elements section of our Policy Management Guide.
Note
This policy package includes three preset email addresses for notifications. You will want to open the JSON file and find and replace the following addresses before importing (ProjectLead@changeme.sonatype.com, LicenseTeam@changeme.sonatype.com, SecurityTeam@changeme.sonatype.com). This can also be edited within Sonatype CLM after import, but that is a more manual process.
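A JSON-aware way to do that find-and-replace, added here as an example and not part of Sonatype's tooling: it walks the parsed package, substitutes only string values that exactly match the three changeme addresses, and refuses to write output while any placeholder remains, so a half-edited package cannot be imported by mistake. The package layout in SAMPLE_PACKAGE is constructed for illustration; the guide does not show the real file's structure.

```python
import json

# The three placeholder addresses the guide says ship in the Enforce package.
PLACEHOLDERS = {
    "ProjectLead@changeme.sonatype.com",
    "LicenseTeam@changeme.sonatype.com",
    "SecurityTeam@changeme.sonatype.com",
}


def replace_addresses(node, mapping):
    """Walk parsed JSON and replace string values that exactly equal a
    placeholder address; keys, numbers, booleans and other strings are kept."""
    if isinstance(node, dict):
        return {k: replace_addresses(v, mapping) for k, v in node.items()}
    if isinstance(node, list):
        return [replace_addresses(v, mapping) for v in node]
    if isinstance(node, str) and node in mapping:
        return mapping[node]
    return node


def leftover_placeholders(node):
    """Return any placeholder addresses still present anywhere in the document."""
    if isinstance(node, dict):
        return set().union(*(leftover_placeholders(v) for v in node.values()))
    if isinstance(node, list):
        return set().union(*(leftover_placeholders(v) for v in node))
    return {node} if isinstance(node, str) and node in PLACEHOLDERS else set()


def prepare_package(text, mapping):
    """Parse the package, substitute addresses and refuse to emit a file that
    still carries a changeme address, so an incomplete mapping is caught early."""
    updated = replace_addresses(json.loads(text), mapping)
    left = leftover_placeholders(updated)
    if left:
        raise ValueError("unreplaced placeholders: " + ", ".join(sorted(left)))
    return json.dumps(updated, indent=2)


# Constructed sample standing in for the package file (hypothetical layout).
SAMPLE_PACKAGE = json.dumps({"policies": [
    {"name": "Security-Critical", "actions": [{"type": "notify",
        "recipients": ["SecurityTeam@changeme.sonatype.com", "ProjectLead@changeme.sonatype.com"]}]},
    {"name": "License-Banned", "actions": [{"type": "notify",
        "recipients": ["LicenseTeam@changeme.sonatype.com"]}]},
]})
```

Run prepare_package on the contents of the downloaded JSON file with a mapping of all three addresses to your own distribution lists, then import the result.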