The CLM Book - Optimized Component Lifecycle Management with Sonatype CLM

Table of Contents

Authors

Sonatype, Inc.
Manfred Moser
Jeff Wayman
Bruce Mayhew
Justin Young
Kelly Robinson

Preface
1. Component Lifecycle Management
1.1. Introduction
1.2. Increasing Component Usage and Open Source Components
1.3. Security Vulnerability and License Compliance Risks
1.4. Complicating Factors for CLM
1.5. Stages of CLM Adoption and Performance
1.6. Requirements for CLM
1.7. Sonatype and Sonatype CLM
1.7.1. Who is Sonatype?
1.7.2. Sonatype CLM
1.8. Conclusion
2. Sonatype CLM Server
2.1. Introduction
2.2. Preparation and Installation
2.2.1. Hardware Prerequisites and Recommendations
2.2.2. Software Requirements
Operating System and Java Runtime Environment
Browser
2.2.3. Download
2.2.4. Installation
2.2.5. Starting CLM Server
2.2.6. License Installation
2.2.7. CLM Server Directories
2.2.8. Running CLM Server as a Service
2.2.9. Backup
2.2.10. Upgrading
2.3. Configuration
2.3.1. Initial Configuration of CLM Server
2.3.2. Running the CLM Server Behind an HTTP Proxy Server
2.3.3. Setting the Base URL
2.3.4. File Configuration
2.3.5. Email Configuration
2.3.6. Logging Configuration
2.3.7. HTTP Configuration
2.3.8. HTTPS/SSL
2.4. User Management
2.4.1. Logging in to Sonatype CLM
2.4.2. Changing the Admin Password
2.4.3. Creating a User
2.4.4. Editing and Deleting User Information
2.5. LDAP Integration
2.5.1. Configuring the LDAP Server Connection
2.5.2. LDAP Configuration Parameters
2.5.3. Mapping LDAP Users to Sonatype CLM
2.5.4. LDAP User Parameters
2.5.5. Mapping LDAP Groups to Sonatype CLM
2.5.6. LDAP Group Parameters
Static Groups
Dynamic Groups
2.5.7. Verifying LDAP Configuration
Test Connection
Check User and Group Mapping
Check Login
2.6. Role and Permission Management
2.6.1. Defining Organizations, Applications, and Inheritance
2.6.2. Understanding Roles and Permissions
2.6.3. Mapping Users to Roles
2.7. Conclusion
3. Sonatype CLM Policy Management
3.1. Introduction
3.2. What is a Policy?
3.2.1. Basic Policy Anatomy
3.2.2. Organizations, Applications and Inheritance
3.2.3. Summary
3.3. Organization and Application Management
3.3.1. Organizational Structure
3.3.2. Creating an Organization
3.3.3. Creating an Application
3.3.4. Organization, Application, and Inheritance
3.3.5. The Power of Inheritance
3.3.6. Avoiding Policy Micromanagement
3.3.7. Permissions and Roles
3.3.8. Summary
3.4. Policy Development
3.4.1. Advanced Anatomy of a Policy
3.4.2. Risk and Organizational Intent
3.4.3. Summary
3.5. Policy Creation
3.5.1. Getting Started
3.5.2. Step 1: Understand the Policy Intent
3.5.3. Step 2: Decide on a Descriptive Policy Name
3.5.4. Step 3: Choose an Appropriate Threat Level
3.5.5. Step 4: Choose the Application Matching Parameters
3.5.6. Step 5: Create Constraints with Conditions
3.5.7. Step 6: Set Policy Actions
3.5.8. Summary
3.6. Policy Elements
3.6.1. What is a Label?
3.6.2. Creating, Editing and Deleting a Label
3.6.3. Creating a Condition Based on a Label
3.6.4. What is a License Threat Group?
3.6.5. Creating, Editing, and Deleting a License Threat Group
3.6.6. Creating a Condition Based on a License Threat Group
3.6.7. What is a Tag?
3.6.8. Creating, Editing, and Deleting Tags
3.6.9. Applying a Tag
3.6.10. Matching Policies to Specific Applications
3.6.11. Viewing Tag-based Policies
3.6.12. Summary
3.7. Manual Application Evaluation
3.7.1. Evaluating via the CLM Server
3.7.2. Evaluating via the Stand-alone Scanner
Finding the Application ID
Using the Stand-alone Scanner
Additional Options
Stand-alone Scanner Example
3.7.3. Report Generation
3.7.4. Summary
3.8. Reviewing Evaluation Results
3.8.1. Accessing the Application Composition Report
3.8.2. Reviewing the Report
3.8.3. Summary
3.9. Importing Policies
3.9.1. Sonatype Example Policies
3.9.2. Importing a Policy to an Organization
3.9.3. Importing a Policy to an Application
3.9.4. Summary
3.10. Policy Monitoring
3.10.1. Setup Policy Monitoring for an Application
3.10.2. Configuring Notification Times
3.10.3. Summary
3.11. Conclusion
4. Reports in Sonatype CLM
4.1. Introduction
4.2. Application Composition Report Overview
4.2.1. Accessing an Application Composition Report
4.2.2. Reviewing a Report
4.2.3. Summary Tab
4.2.4. Policy Tab
4.2.5. Security Issues Tab
4.2.6. License Analysis Tab
4.2.7. Printing and Reevaluating the Report
4.2.8. The Component Information Panel (CIP)
4.2.9. Summary
4.3. Resolving Security Issues
4.3.1. Security Issues
4.3.2. The Component Information Panel (CIP)
4.3.3. Editing Vulnerability Status
4.3.4. Matching to Violations
4.3.5. Summary
4.4. License Analysis Tab
4.4.1. License Threat Group
4.4.2. License Analysis
4.4.3. The Component Information Panel (CIP)
4.4.4. Editing License Status and Information
4.4.5. Summary
4.5. Component Identification
4.5.1. Matching Components
4.5.2. Managing Proprietary Components
4.5.3. Claiming a Component
4.5.4. Summary
4.6. Label Overview
4.6.1. Where do labels begin?
4.6.2. Assigning a Label
4.6.3. Summary
4.7. Waivers
4.7.1. A Use Case for Waivers
4.7.2. Adding a Waiver
4.7.3. Viewing and Removing a Waiver
4.7.4. Summary
4.8. Policy Reevaluation
4.8.1. Summary
4.9. Sonatype CLM PDF Report
4.9.1. Creating the PDF
4.9.2. Reviewing the PDF
4.9.3. Summary
4.10. Conclusion
5. The Dashboard
5.1. Introduction
6. Sonatype CLM and Continuous Integration
6.1. What is Continuous Integration (CI)?
6.2. Sonatype CLM and Continuous Integration
6.3. Sonatype CLM for CI
6.3.1. Introduction
6.3.2. Installation
6.3.3. Global Configuration
6.3.4. Job Configuration
6.3.5. Inspecting Results
6.4. Sonatype CLM Command Line Scanner
6.4.1. Introduction
6.4.2. Downloading the Scanner
6.4.3. Locating Your Application Identifier
6.4.4. Setting Up the Scanner in Your CI
6.4.5. Summary
6.5. Sonatype CLM Maven Plugin
6.5.1. CLM Maven Plugin Introduction
6.5.2. Creating a Component Index for Sonatype CLM for CI
6.5.3. Creating a Component Info Archive for Nexus Pro CLM Edition
6.5.4. Evaluating Project Components with Sonatype CLM Server
6.5.5. Simplifying Command Line Invocations
6.5.6. Skipping CLM Maven Plugin Executions
6.6. Conclusion
7. Sonatype CLM for IDE
7.1. Introduction
7.2. Installing Sonatype CLM for Eclipse
7.3. Configuring Sonatype CLM for Eclipse
7.4. Using the Component Info View
7.4.1. Overview
7.4.2. Filtering the Component List
7.4.3. Searching for Component Usages
7.4.4. Inspecting Component Details
7.5. Migrating to Different Component Versions
7.6. Conclusion
8. Sonatype CLM for Repository Managers
8.1. Introduction
8.2. Nexus Pro - Sonatype CLM Edition
8.3. Nexus Pro and Sonatype CLM Integration
8.3.1. Introduction
8.3.2. Repository Health Check (RHC) vs. Sonatype CLM
8.3.3. Connecting Nexus to CLM Server
8.3.4. Configuring the CLM Server
8.3.5. Accessing CLM Component Information
8.3.6. The Component Information Panel (CIP)
8.3.7. Component Details (CLM)
8.4. Using CLM for Staging
8.4.1. Introduction
8.4.2. Staging Profile Configuration
8.4.3. Policy Actions
8.4.4. Release Repository Actions
8.5. Using CLM for Staging
8.5.1. Introduction
8.5.2. Creating a Component Info Archive for Nexus Pro CLM Edition
8.5.3. Skipping CLM Maven Plugin Executions
8.6. Conclusion
9. Sonatype CLM for SonarQube
9.1. Introduction
9.2. Downloading, Installing, and Configuring
9.2.1. Install Sonatype CLM for SonarQube
9.2.2. Configure Sonatype CLM Server Settings
A Special Note About Proxy Configuration
9.2.3. Select the CLM Application
9.2.4. Add and Configure the Sonatype CLM Widget
9.3. Accessing the Application Composition Report
9.4. Conclusion
A. Copyright

List of Figures

2.1. Installing a Product License on Sonatype CLM Server
2.2. Sonatype CLM Server End User License Agreement Window
2.3. Installed Product License on Sonatype CLM Server
2.4. Login
2.5. Create User
2.6. Edit User
2.7. Sample LDAP Server Configuration
2.8. User Mapping
2.9. Group Mapping
2.10. Dynamic Group Options
2.11. Testing LDAP Server
2.12. Checking User Mapping
2.13. Checking User Login
2.14. Inheritance and User Roles Overview
2.15. Example of Roles
2.16. Mapping Users to Roles
2.17. Mapping Groups When Not Included With Search
3.1. Using New Organization button
3.2. Using Global Create Button
3.3. Using New Application button
3.4. Using Global Create Button
3.5. Editing a Policy and its Attributes
3.6. Using New Policy Button
3.7. Using Global Create Button
3.8. Naming the Policy
3.9. Editing the Policy Threat Level
3.10. Example Constraint
3.11. Adding Constraints
3.12. Policy Actions Example
3.13. Setting Policy Actions
3.14. Using New Label Button
3.15. Using Global Create Button
3.16. Label Example
3.17. Creating a Label Condition
3.18. Using New License Threat Group Button
3.19. Using Global Create Button
3.20. Creating a License Threat Group
3.21. Creating a Condition Evaluating a License Threat Group
3.22. Example of Applied Tags
3.23. Using New Tag Button
3.24. Using Global Create Button
3.25. Creating a Tag
3.26. Example of Tags with Description
3.27. Evaluate an Application
3.28. Application Overview with Application Identifier
3.29. Violations Report after Scan
3.30. Reporting Area
3.31. Application Area
3.32. Summary Tab of an Application Composition Report
3.33. Policy Tab of an Application Composition Report
3.34. Security Issues Tab of an Application Composition Report
3.35. License Analysis Tab of an Application Composition Report
3.36. Component Information Panel CIP for a Specific Component
3.37. Policy Section for a Specific Component Displayed on the Component Information Panel
3.38. Organization View with Import Button
3.39. Import Policy Dialog
3.40. Example of a Policy Monitoring Email
3.41. Access Application Management Area
3.42. Selecting a Sonatype CLM Stage to Monitor
3.43. Adding Email Recipient
3.44. Sample Email Notification
4.1. Summary Tab of the Application Composition Report
4.2. Reporting Area
4.3. Application Area
4.4. The Four Tabs
4.5. Security Issues Summary
4.6. License Analysis Summary
4.7. Policy Tab
4.8. Security Issues Tab
4.9. License Analysis Tab
4.10. Application Composition Report Buttons For Printing and Reevaluation
4.11. Component Information Panel CIP Example
4.12. CIP, Policy Section
4.13. CIP, Similar Section
4.14. CIP, Occurrences Section
4.15. CIP, Licenses Section
4.16. CIP, Edit Vulnerabilities Section
4.17. CIP, Labels Section
4.18. CIP, Claim Component
4.19. CIP, Audit
4.20. Security Issues Tab
4.21. Component Information Panel (CIP)
4.22. Editing Vulnerabilities via CIP
4.23. Editing Multiple Vulnerabilities
4.24. Example of Component with Security Issue, but No Policy Violation
4.25. License Analysis Tab
4.26. The Default License Threat Groups
4.27. Component Information Panel (CIP)
4.28. Editing a Single License, Using Select Option
4.29. Unknown Component
4.30. Filter and Matching Options
4.31. Proprietary Component
4.32. Proprietary Packages Configuration via the Sonatype CLM Server
4.33. Claim a Component
4.34. Claimed Component Indicator
4.35. Update or Revoke Claimed Component Indicator
4.36. Labels at the CLM Server Level
4.37. Assigning a Label
4.38. Waiver Visualization on Policy Tab
4.39. Waiver Button
4.40. Options to Apply Waiver to the Application or the Entire Organization
4.41. View and Remove Waivers
4.42. Application Composition Report Buttons For Printing and Reevaluation
4.43. Summary Section of an Application Composition Report in PDF Format
4.44. Policy Violations Section of an Application Composition Report in PDF Format
4.45. Security Issues Section of an Application Composition Report in PDF Format
4.46. License Analysis Section of an Application Composition Report in PDF Format
4.47. Components Section of an Application Composition Report in PDF Format
5.1. Dashboard Default View
6.1. Jenkins Global Configuration Menu
6.2. Global Configuration of Sonatype CLM for CI in Jenkins
6.3. Sonatype CLM Build Scan Configuration for a Build Step
6.4. Post-build Action Configuration as Example for a Sonatype CLM for CI Configuration
6.5. Job Overview Page with Links to the Application Composition Report and Application Management
6.6. Left Menu with Link to the Application Composition Report
6.7. Application Overview and Application Identifier
7.1. Eclipse Dialog to Install New Software with Sonatype CLM for Eclipse
7.2. Activating the Component Info View of Sonatype CLM for Eclipse
7.3. Warning after initial installation
7.4. Sonatype CLM for Eclipse Configuration Dialog
7.5. Example Component Info View
7.6. Details for a Component in the Component Info View
7.7. Properties of a Component for a Version Range
7.8. Filter Dialog for the Component Info View
7.9. Example Component Details Display
7.10. Migrating to a Newer Component Version
7.11. Applying a Dependency Version Upgrade
7.12. Selecting Dependency Version or Property Upgrade
7.13. Applying a Property Upgrade
8.1. The Central Role of A Repository Manager in Your Infrastructure
8.2. CLM configuration tab in Nexus
8.3. Typical Search Results in Nexus Pro
8.4. Nexus Search Showing All Versions
8.5. Accessing the Component Info Tab
8.6. Component Information Panel
8.7. Component Information Panel Example
8.8. CIP Text
8.9. CIP Graph
8.10. View Details Button
8.11. View Details
8.12. Staging Profile with a CLM Application Configured
8.13. Staging and Release Configuration for a Policy in the CLM Server
8.14. Staging Repository Activity with a CLM Evaluation Failure and Details
9.1. SonarQube Overview
9.2. SonarQube Plugin Directory
9.3. SonarQube Settings Menu
9.4. SonarQube CLM Server Settings
9.5. SonarQube Sonatype CLM Configuration Menu
9.6. SonarQube Sonatype CLM Application Selection
9.7. SonarQube Configure Widgets Menu
9.8. SonarQube Search for CLM Widget
9.9. SonarQube Configure Sonatype CLM Widget options
9.10. SonarQube Sonatype CLM Widget Example