Sonatype CLM Server - Policy Management

Table of Contents

Authors

Sonatype, Inc.: Manfred Moser, Jeff Wayman, Bruce Mayhew, Justin Young, Kelly Robinson

1. Introduction
2. What is Sonatype CLM?
2.1. The Four Criteria of Governance
2.2. Enforcement Points and Communication
2.3. Summary
3. What is a Policy?
3.1. Basic Policy Anatomy
3.2. Organizations, Applications and Inheritance
3.3. Summary
4. Organization and Application Management
4.1. Organizational Structure
4.2. Creating an Organization
4.3. Creating an Application
4.4. Organization, Application, and Inheritance
4.5. The Power of Inheritance
4.6. Avoiding Policy Micromanagement
4.7. Permissions and Roles
4.8. Summary
5. Policy Development
5.1. Advanced Anatomy of a Policy
5.2. Risk and Organizational Intent
5.3. Summary
6. Policy Creation
6.1. Getting Started
6.2. Step 1: Understand the Policy Intent
6.3. Step 2: Decide on a Descriptive Policy Name
6.4. Step 3: Choose an Appropriate Threat Level
6.5. Step 4: Choose the Application Matching Parameters
6.6. Step 5: Create Constraints with Conditions
6.7. Step 6: Set Policy Actions
6.8. Summary
7. Policy Elements
7.1. What is a Label?
7.2. Creating, Editing and Deleting a Label
7.3. Creating a Condition Based on a Label
7.4. What is a License Threat Group?
7.5. Creating, Editing, and Deleting a License Threat Group
7.6. Creating a Condition Based on a License Threat Group
7.7. Creating a Condition Based on an Unassigned License Threat Group
7.8. What is a Tag?
7.9. Creating, Editing, and Deleting Tags
7.10. Applying a Tag
7.11. Matching Policies to Specific Applications
7.12. Viewing Tag-based Policies
7.13. Summary
8. Manual Application Evaluation
8.1. Evaluating via the CLM Server
8.2. Successful Evaluations and Report Generation
8.3. Summary
9. Reviewing Evaluation Results
9.1. Accessing the Application Composition Report
9.2. Reviewing the Report
9.3. Summary
10. Importing Policies
10.1. Sonatype Sample Policy Set
10.2. Importing a Policy to an Organization
10.3. Importing a Policy to an Application
10.4. Summary
11. Policy Monitoring
11.1. Set Up Policy Monitoring for an Application
11.2. Configuring Notification Times
11.3. Summary
12. Conclusion

List of Figures

4.1. Using New Organization button
4.2. Using Global Create Button
4.3. Using New Application button
4.4. Using Global Create Button
5.1. Editing a Policy and its Attributes
6.1. Using New Policy Button
6.2. Using Global Create Button
6.3. Naming the Policy
6.4. Editing the Policy Threat Level
6.5. Example Constraint
6.6. Adding Constraints
6.7. Policy Actions Example
6.8. Setting Policy Actions
7.1. Using New Label Button
7.2. Using Global Create Button
7.3. Label Example
7.4. Creating a Label Condition
7.5. Using New License Threat Group Button
7.6. Using Global Create Button
7.7. Creating a License Threat Group
7.8. Creating a Condition Evaluating a License Threat Group
7.9. Creating a Condition Evaluating an unassigned License Threat Group
7.10. Example of Applied Tags
7.11. Using New Tag Button
7.12. Using Global Create Button
7.13. Creating a Tag
7.14. Example of Tags with Description
8.1. Evaluate an Application
8.2. Violations Report after Scan
9.1. Reporting Area
9.2. Application Area
9.3. Summary Tab of an Application Composition Report
9.4. Policy Tab of an Application Composition Report
9.5. Security Issues Tab of an Application Composition Report
9.6. License Analysis Tab of an Application Composition Report
9.7. Component Information Panel (CIP) for a Specific Component
9.8. Policy Section for a Specific Component Displayed on the Component Information Panel
10.1. Organization View with Import Button
10.2. Import Policy Dialog
11.1. Example of a Policy Monitoring Email
11.2. Access Application Management Area
11.3. Selecting a Sonatype CLM Stage to Monitor
11.4. Adding Email Recipient
11.5. Sample Email Notification