The CLM Book - Optimized Component Lifecycle Management with Sonatype CLM

Table of Contents

Authors

Sonatype, Inc.
Manfred Moser
Jeff Wayman
Bruce Mayhew
Justin Young
Kelly Robinson

Preface
1. Component Lifecycle Management
1.1. Introduction
1.2. Increasing Component Usage and Open Source Components
1.3. Security Vulnerability and License Compliance Risks
1.4. Complicating Factors for CLM
1.5. Stages of CLM Adoption and Performance
1.6. Requirements for CLM
1.7. Sonatype and Sonatype CLM
1.7.1. Who is Sonatype?
1.7.2. What is Sonatype CLM?
1.7.3. How does Sonatype CLM work?
1.7.4. Which component ecosystems does Sonatype CLM support?
1.8. Conclusion
2. Sonatype CLM Server
2.1. Introduction
2.2. Preparation and Installation
2.2.1. Hardware Prerequisites and Recommendations
2.2.2. Software Requirements
Operating System and Java Runtime Environment
Browser
2.2.3. Download
2.2.4. Installation
2.2.5. Starting CLM Server
2.2.6. License Installation
2.2.7. CLM Server Directories
2.2.8. Running CLM Server as a Service
2.2.9. Backup
2.2.10. Upgrading
2.3. Configuration
2.3.1. Initial Configuration of CLM Server
2.3.2. Running the CLM Server Behind an HTTP Proxy Server
2.3.3. Setting the Base URL
2.3.4. Appending a User Agent String
2.3.5. File Configuration
2.3.6. Email Configuration
2.3.7. Logging Configuration
2.3.8. HTTP Configuration
2.3.9. HTTPS/SSL
2.3.10. Anonymous Access
2.4. User Management
2.4.1. Logging in to Sonatype CLM
2.4.2. Viewing Notifications
2.4.3. Changing the Admin Password
2.4.4. Creating a User
2.4.5. Editing and Deleting User Information
2.5. LDAP Integration
2.5.1. Configuring the LDAP Server Connection
2.5.2. LDAP Configuration Parameters
2.5.3. Mapping LDAP Users to Sonatype CLM
2.5.4. LDAP User Parameters
2.5.5. Mapping LDAP Groups to Sonatype CLM
2.5.6. LDAP Group Parameters
Static Groups
Dynamic Groups
2.5.7. Verifying LDAP Configuration
Test Connection
Check User and Group Mapping
Check Login
2.6. Role Management (Permissions) Overview
2.6.1. Role Definitions
2.6.2. Mapping Roles
2.6.3. Excluding Groups from Search Results
2.7. Conclusion
3. Sonatype CLM Policy Management
3.1. Introduction
3.2. What is a Policy?
3.2.1. Basic Policy Anatomy
3.2.2. Organizations, Applications and Inheritance
3.2.3. Summary
3.3. Organization and Application Management
3.3.1. Organizational Structure
3.3.2. Creating an Organization
3.3.3. Creating an Application
3.3.4. Organization, Application, and Inheritance
3.3.5. The Power of Inheritance
3.3.6. Avoiding Policy Micromanagement
3.3.7. Permissions and Roles
3.3.8. Summary
3.4. Policy Development
3.4.1. Advanced Anatomy of a Policy
3.4.2. Risk and Organizational Intent
3.4.3. Summary
3.5. Policy Creation
3.5.1. Getting Started
3.5.2. Step 1: Understand the Policy Intent
3.5.3. Step 2: Decide on a Descriptive Policy Name
3.5.4. Step 3: Choose an Appropriate Threat Level
3.5.5. Step 4: Choose the Application Matching Parameters
3.5.6. Step 5: Create Constraints with Conditions
3.5.7. Step 6: Set Policy Actions and Notifications
Actions
Notifications
Stages
3.5.8. Summary
3.6. Policy Elements
3.6.1. What is a Label?
3.6.2. Creating, Editing and Deleting a Label
3.6.3. Creating a Condition Based on a Label
3.6.4. What is a License Threat Group?
3.6.5. Creating, Editing, and Deleting a License Threat Group
3.6.6. Creating a Condition Based on a License Threat Group
3.6.7. Creating a Condition Based on an Unassigned License Threat Group
3.6.8. What is a Tag?
3.6.9. Creating, Editing, and Deleting Tags
3.6.10. Applying a Tag
3.6.11. Matching Policies to Specific Applications
3.6.12. Viewing Tag-based Policies
3.6.13. Summary
3.7. Manual Application Evaluation
3.7.1. Evaluating via the CLM Server
3.7.2. Successful Evaluations and Report Generation
3.7.3. Summary
3.8. Reviewing Evaluation Results
3.8.1. Accessing the Application Composition Report
3.8.2. Reviewing the Report
3.8.3. Summary
3.9. Importing Policies
3.9.1. Sonatype Sample Policy Set
3.9.2. Importing a Policy to an Organization
3.9.3. Importing a Policy to an Application
3.9.4. Summary
3.10. Policy Monitoring
3.10.1. Setup Policy Monitoring for an Application
3.10.2. Configuring Notification Times
3.10.3. Summary
3.11. Conclusion
4. Reports in Sonatype CLM
4.1. Introduction
4.2. Application Composition Report Overview
4.2.1. Accessing an Application Composition Report
4.2.2. Reviewing a Report
4.2.3. Summary Tab
4.2.4. Policy Tab
4.2.5. Security Issues Tab
4.2.6. License Analysis Tab
4.2.7. Printing and Reevaluating the Report
4.2.8. The Component Information Panel (CIP)
4.2.9. Summary
4.3. Resolving Security Issues
4.3.1. Security Issues
4.3.2. The Component Information Panel (CIP)
4.3.3. Editing Vulnerability Status
4.3.4. Matching to Violations
4.3.5. Summary
4.4. License Analysis Tab
4.4.1. License Threat Group
4.4.2. License Analysis
4.4.3. The Component Information Panel (CIP)
4.4.4. Editing License Status and Information
4.4.5. Summary
4.5. Component Identification
4.5.1. Matching Components
4.5.2. Managing Proprietary Components
4.5.3. Claiming a Component
4.5.4. Summary
4.6. Label Overview
4.6.1. Where do labels begin?
4.6.2. Assigning a Label
4.6.3. Summary
4.7. Waivers
4.7.1. A Use Case for Waivers
4.7.2. Adding a Waiver
4.7.3. Viewing and Removing a Waiver
4.7.4. Summary
4.8. Policy Reevaluation
4.8.1. Summary
4.9. Sonatype CLM PDF Report
4.9.1. Creating the PDF
4.9.2. Reviewing the PDF
4.9.3. Summary
4.10. Conclusion
5. Sonatype CLM Server - Dashboard
5.1. Introduction
5.2. Accessing the Dashboard
5.3. Viewing CLM Data in the Dashboard
5.3.1. Filters
5.3.2. Visual Overview
5.3.3. Highest Risk Violations
Newest
By Component
By Application
5.4. Viewing Component Details
5.5. Conclusion
6. Sonatype CLM and Continuous Integration
6.1. What is Continuous Integration (CI)?
6.2. Sonatype CLM and Continuous Integration
6.3. Sonatype CLM for Hudson and Jenkins
6.3.1. Introduction
6.3.2. Installation
6.3.3. Global Configuration
6.3.4. Job Configuration
6.3.5. Inspecting Results
6.3.6. Conclusion
6.4. Sonatype CLM and Other CIs
6.5. Conclusion
7. Sonatype CLM for IDE
7.1. Introduction
7.2. Installing Sonatype CLM for Eclipse
7.3. Configuring Sonatype CLM for Eclipse
7.4. Using the Component Info View
7.4.1. Overview
7.4.2. Filtering the Component List
7.4.3. Searching for Component Usages
7.4.4. Inspecting Component Details
7.5. Migrating to Different Component Versions
7.6. Conclusion
8. Sonatype CLM for Repository Managers
8.1. Introduction
8.2. Nexus Pro - Sonatype CLM Edition
8.3. Nexus Pro and Sonatype CLM Integration
8.3.1. Introduction
8.3.2. Repository Health Check (RHC) vs. Sonatype CLM
8.3.3. Connecting Nexus to CLM Server
8.3.4. Configuring the CLM Server
8.3.5. Accessing CLM Component Information
8.3.6. The Component Information Panel (CIP)
8.3.7. Component Details (CLM)
8.4. Using CLM for Staging
8.4.1. Introduction
8.4.2. Staging Profile Configuration
8.4.3. Policy Actions
8.4.4. Release Repository Actions
8.5. Using Sonatype CLM for Maven
8.6. Conclusion
9. Sonatype CLM for SonarQube
9.1. Introduction
9.2. Sonatype CLM for SonarQube Requirements
9.3. Downloading, Installing, and Configuring
9.3.1. Install Sonatype CLM for SonarQube
9.3.2. Configure Sonatype CLM Server Settings
A Special Note About Proxy Configuration
9.3.3. Select the CLM Application
9.3.4. Add and Configure the Sonatype CLM Widget
9.4. Accessing the Application Composition Report
9.5. Conclusion
10. Sonatype CLM for CLI
10.1. Introduction
10.2. Downloading Sonatype CLM for CLI
10.3. Locating Your Application Identifier
10.4. Evaluating an Application
10.4.1. Additional Options
10.5. Example Evaluation
10.6. Using Sonatype CLM for CLI with a CI Server
10.7. Conclusion
11. Sonatype CLM for Maven
11.1. Introduction
11.2. Creating a Component Index
11.2.1. Excluding Module Information Files in Continuous Integration Tools
11.3. Creating a Component Info Archive for Nexus Pro CLM Edition
11.4. Evaluating Project Components with Sonatype CLM Server
11.5. Authentication
11.6. Simplifying Command Line Invocations
11.7. Skipping Executions
11.8. Using Sonatype CLM for Maven with Other IDEs
11.8.1. Maven Plugin Setup
11.8.2. IntelliJ IDEA
11.8.3. NetBeans IDE
11.9. Conclusion
A. Copyright

List of Figures

2.1. Installing a Product License on Sonatype CLM Server
2.2. Sonatype CLM Server End User License Agreement Window
2.3. Installed Product License on Sonatype CLM Server
2.4. Login
2.5. Create User
2.6. Edit User
2.7. Sample LDAP Server Configuration
2.8. User Mapping
2.9. Group Mapping
2.10. Dynamic Group Options
2.11. Testing LDAP Server
2.12. Checking User Mapping
2.13. Checking User Login
2.14. Mapping Users to Roles
2.15. Mapping Groups When Not Included With Search
3.1. Using New Organization button
3.2. Using Global Create Button
3.3. Using New Application button
3.4. Using Global Create Button
3.5. Editing a Policy and its Attributes
3.6. Using New Policy Button
3.7. Using Global Create Button
3.8. Naming the Policy
3.9. Editing the Policy Threat Level
3.10. Example Constraint
3.11. Adding Constraints
3.12. Policy Actions Example
3.13. Policy Notifications Example
3.14. Using New Label Button
3.15. Using Global Create Button
3.16. Label Example
3.17. Creating a Label Condition
3.18. Using New License Threat Group Button
3.19. Using Global Create Button
3.20. Creating a License Threat Group
3.21. Creating a Condition Evaluating a License Threat Group
3.22. Creating a Condition Evaluating an Unassigned License Threat Group
3.23. Example of Applied Tags
3.24. Using New Tag Button
3.25. Using Global Create Button
3.26. Creating a Tag
3.27. Example of Tags with Description
3.28. Evaluate an Application
3.29. Violations Report after Scan
3.30. Reporting Area
3.31. Application Area
3.32. Summary Tab of an Application Composition Report
3.33. Policy Tab of an Application Composition Report
3.34. Security Issues Tab of an Application Composition Report
3.35. License Analysis Tab of an Application Composition Report
3.36. Component Information Panel CIP for a Specific Component
3.37. Policy Section for a Specific Component Displayed on the Component Information Panel
3.38. Organization View with Import Button
3.39. Import Policy Dialog
3.40. Example of a Policy Monitoring Email
3.41. Access Application Management Area
3.42. Selecting a Sonatype CLM Stage to Monitor
3.43. Adding Email Recipient
3.44. Policy Monitoring Notification Example
3.45. Sample Email Notification
4.1. Summary Tab of the Application Composition Report
4.2. Reporting Area
4.3. Application Area
4.4. The Four Tabs
4.5. Security Issues Summary
4.6. License Analysis Summary
4.7. Policy Tab
4.8. Security Issues Tab
4.9. License Analysis Tab
4.10. Application Composition Report Buttons For Printing and Reevaluation
4.11. Component Information Panel CIP Example
4.12. CIP, Policy Section
4.13. CIP, Similar Section
4.14. CIP, Occurrences Section
4.15. CIP, Licenses Section
4.16. CIP, Edit Vulnerabilities Section
4.17. CIP, Labels Section
4.18. CIP, Claim Component
4.19. CIP, Audit
4.20. Security Issues Tab
4.21. Component Information Panel (CIP)
4.22. Security Information Modal
4.23. Editing Vulnerabilities
4.24. Example of Component with Security Issue, but No Policy Violation
4.25. License Analysis Tab
4.26. The Default License Threat Groups
4.27. Component Information Panel (CIP)
4.28. Editing License Using the Select Option
4.29. Unknown Component
4.30. Filter and Matching Options
4.31. Proprietary Component
4.32. Proprietary Packages Configuration via the Sonatype CLM Server
4.33. Claim a Component
4.34. Claimed Component Indicator
4.35. Update or Revoke Claimed Component Indicator
4.36. Labels at the CLM Server Level
4.37. Assigning a Label
4.38. Waiver Visualization on Policy Tab
4.39. Waiver Button
4.40. Options to Apply Waiver to the Application or the Entire Organization
4.41. View and Remove Waivers
4.42. Application Composition Report Buttons For Printing and Reevaluation
4.43. Summary Section of an Application Composition Report in PDF Format
4.44. Policy Violations Section of an Application Composition Report in PDF Format
4.45. Security Issues Section of an Application Composition Report in PDF Format
4.46. License Analysis Section of an Application Composition Report in PDF Format
4.47. Components Section of an Application Composition Report in PDF Format
5.1. Dashboard Default View
5.2. Accessing the Dashboard
5.3. Dashboard Filter Example
5.4. Filtering the Dashboard
5.5. Dashboard Visuals
5.6. Counts
5.7. Matches
5.8. Policy Violation Summary
5.9. Newest Risk
5.10. Highest Risk - By Component
5.11. Highest Risk - By Application
5.12. Component Detail Page
6.1. Jenkins Global Configuration Menu
6.2. Global Configuration of Sonatype CLM for CI in Jenkins
6.3. Sonatype CLM Build Scan Configuration for a Build Step
6.4. Post-build Action Configuration as Example for a Sonatype CLM for CI Configuration
6.5. Job Overview Page with Links to the Application Composition Report and Application Management
6.6. Left Menu with Link to the Application Composition Report
7.1. Eclipse Dialog to Install New Software with Sonatype CLM for Eclipse
7.2. Activating the Component Info View of Sonatype CLM for Eclipse
7.3. Warning after initial installation
7.4. Sonatype CLM for Eclipse Configuration Dialog
7.5. Example Component Info View
7.6. Details for a Component in the Component Info View
7.7. Properties of a Component for a Version Range
7.8. Filter Dialog for the Component Info View
7.9. Example Component Details Display
7.10. Migrating to a Newer Component Version
7.11. Applying a Dependency Version Upgrade
7.12. Selecting Dependency Version or Property Upgrade
7.13. Applying a Property Upgrade
8.1. The Central Role of A Repository Manager in Your Infrastructure
8.2. CLM configuration tab in Nexus
8.3. CLM configuration tab after Test Connection
8.4. Typical Search Results in Nexus Pro
8.5. Nexus Search Showing All Versions
8.6. Accessing the Component Info Tab
8.7. Component Information Panel
8.8. Component Information Panel Example
8.9. CIP Text
8.10. CIP Graph
8.11. View Details Button
8.12. View Details
8.13. Staging Profile with a CLM Application Configured
8.14. Staging and Release Configuration for a Policy in the CLM Server
8.15. Staging Repository Activity with a CLM Evaluation Failure and Details
9.1. SonarQube Overview
9.2. SonarQube Plugin Directory
9.3. SonarQube Settings Menu
9.4. SonarQube CLM Server Settings
9.5. SonarQube Sonatype CLM Configuration Menu
9.6. SonarQube Sonatype CLM Application Selection
9.7. SonarQube Configure Widgets Menu
9.8. SonarQube Search for CLM Widget
9.9. SonarQube Configure Sonatype CLM Widget options
9.10. SonarQube Sonatype CLM Widget Example
10.1. Application Overview and Application Identifier
10.2. Violations Report After an Evaluation
11.1. Creating a Maven Run Configuration for a CLM Evaluation in IntelliJ
11.2. Maven Projects View with the CLM Evaluation Run Configuration in IntelliJ
11.3. CLM for Maven Output in the Run Console in IntelliJ
11.4. Project View with the pom.xml in NetBeans
11.5. Maven Goal Setup for a CLM Evaluation in NetBeans
11.6. CLM for Maven Output in the Output Window in NetBeans