The CLM Book - Optimized Component Lifecycle Management with Sonatype CLM

3.7. Manual Application Evaluation

In order to evaluate an application, you need to have created at least one organization and one application, as well as created or imported at least one policy at either the organization or application level. You will also need to make sure you have the proper permissions to view report information for the application you wish to evaluate.

While evaluations can be initiated from various tools featuring CLM integration (e.g. Sonatype CLM for CI, IDE, and Nexus Pro), the quickest way to get started is to perform an evaluation via the CLM server.

This will generate a report for your application quite easily, and is a great way to create a quick baseline of your application’s health.

3.7.1. Evaluating via the CLM Server

As mentioned previously, before you can evaluate an application, you will need to make sure you have:

  • Created an organization
  • Created an application
  • Imported or created a policy

With the above complete, you are ready to evaluate an application via the CLM Server.

  1. First, log in to the CLM Server. At a minimum you will need to be a member of the Application Owner role.
  2. Next, click the Organizational Design icon to access the Organizational Design area. Once there, click Applications (located in the menu on the left side of the screen), and then choose an application.
  3. In the top right of the Application Management area, click the Evaluate an Application icon.
  4. A modal dialog will display providing a number of required fields.

    1. First, choose the bundle (application) you want evaluated. Clicking Choose File will allow you to browse your directories for the application you wish to evaluate.
    2. Next, choose the application in Sonatype CLM you want to associate with the evaluation. By default, this will be pre-populated with the name of the application you first selected.
    3. After choosing the application to evaluate, you will need to specify the stage. This affects where the report is displayed, and the new report will overwrite the most recent report for the selected application and stage.
    4. Finally, if you have configured notifications for your policy, or policies, you can choose whether or not you want those notifications sent.
  5. Click the Upload button to begin evaluating the chosen application.
  6. The Evaluation Status will display, showing you the progress of your evaluation. When complete, you can click the View Report button to view the results of your evaluation.

Figure 3.28. Evaluate an Application

[Note]

You can also evaluate an application via the Organizations area: simply click Organizations instead of Applications and follow the same steps from there. You will still need to have created an application, and the application will not be pre-filled for you in the form.

3.7.2. Successful Evaluations and Report Generation

If your evaluation completed successfully, a report will be generated for the application.

The log output of the command execution will provide a summary as well as a link to the produced results, similar to the following:

[INFO] Policy Action: Warning
[INFO] Summary of policy violations: 4 critical, 85 severe, 46 moderate
[INFO] The detailed report can be viewed online
at http://localhost:8070/ui/links/application/my-app/report/95c4c14e
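The summary lines above are what a CI job usually has to act on. The following added example (not part of the book or of Sonatype's tooling) parses that summary and applies a local gate on the critical count; the sample log is the one quoted on this page, and the "Failure" action string and the threshold convention are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the summary lines quoted on this page, copied verbatim.
SAMPLE_LOG = """\
[INFO] Policy Action: Warning
[INFO] Summary of policy violations: 4 critical, 85 severe, 46 moderate
[INFO] The detailed report can be viewed online
at http://localhost:8070/ui/links/application/my-app/report/95c4c14e
"""

ACTION_RE = re.compile(r"Policy Action:\s*(\w+)")
SUMMARY_RE = re.compile(r"(\d+) critical, (\d+) severe, (\d+) moderate")
# The report link may be wrapped onto the next line, so search the whole text.
REPORT_RE = re.compile(r"(https?://\S+/report/[0-9a-f]+)")


@dataclass
class Evaluation:
    action: str
    critical: int
    severe: int
    moderate: int
    report_url: Optional[str]


def parse_evaluation_log(text: str) -> Evaluation:
    """Extract the policy action, violation counts and report link from the log."""
    action = ACTION_RE.search(text)
    summary = SUMMARY_RE.search(text)
    if not action or not summary:
        raise ValueError("log does not contain a CLM evaluation summary")
    report = REPORT_RE.search(text)
    critical, severe, moderate = (int(n) for n in summary.groups())
    return Evaluation(action.group(1), critical, severe, moderate,
                      report.group(1) if report else None)


def should_fail_build(ev: Evaluation, max_critical: int = 0) -> bool:
    """Gate the build on the server's verdict plus a local critical-count cap.

    The action comes from the policy configured on the CLM Server; the
    "Failure" string and the count threshold are assumed conventions added here,
    so a Warning with too many critical violations still blocks the pipeline.
    """
    return ev.action.lower() == "failure" or ev.critical > max_critical
```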

This report is available on the Sonatype CLM Server in the Reports section. If you kept our defaults, the report will be listed under the Build Stage. So, what are you waiting for? You should see something similar to the results displayed in Figure 3.29, “Violations Report after Scan”.

Figure 3.29. Violations Report after Scan

[Note]

As mentioned previously, if you specify a stage that is not represented in the Sonatype CLM Server, there will not be a visible link to the report.

3.7.3. Summary

Did you get a chance to evaluate an application? Pretty simple, right? Your main goal should be to scan an application, which will vet its components against the policy assigned at either the organization or application level. If you haven’t already, be sure to go to the Sonatype CLM Server and check out the results of your report.