Sonatype CLM Server - Policy Management
Threat level is one of the easiest concepts we'll cover in this guide, yet it has the greatest chance to cause huge problems. At its core, it is simply the value for severity your business associates with a given policy. These values range from 1 to 10, each corresponding to a range of severity and a specific color:

Table 6.1. Threat Levels

| Threat Level | Color | Value |
|---|---|---|
| High | Red | 8-10 |
| Medium | Orange | 4-7 |
| Low | Yellow | 2-3 |
| Informational | Dark Blue | 1 |
| None | Light Blue | 0 |
To assign a threat level to a policy, you need to be in policy edit mode (click the edit icon). Then use the drop-down on the policy screen. This is shown in Figure 6.4, “Editing the Policy Threat Level”.
Once a threat level is assigned, any component that has violated the policy is displayed in order of the severity of the violation. This is straightforward, but let's look at the details and see where issues can arise.
Just as taste is subjective, you have to realize that severity is subjective. What may be a level 10 for one part of the business may be quite different for another.
A bigger concern is the message you want to communicate to the recipients of the analysis. For example, members of your team will naturally be inclined to treat high severity as very important and critical. If they see too many of these, the prospect of ever making headway could suffer, and your developers may be discouraged from even starting to fix the violations because there are just too many. As with any control mechanism, it is probably advisable to be somewhat lenient at first and become stricter later, once the worst problems have been dealt with. Otherwise you could cause undue stress to development and management teams. The important thing to keep in mind is how you will assign severity, and the impact it has on those reviewing violations.
Especially in the beginning, our recommendation is to reduce, if not exclude, the high severity threat levels altogether. Remember that at its core this number is purely for ordering how a violation is displayed to a user of Sonatype CLM. Because it must be interpreted, the actual value is very subjective. It is easy to overwhelm members of your team with large numbers of highly severe violations. It might even be reasonable to set the severity of a violation to the lowest setting (Low - 1) in the beginning, so that members of your teams can get used to seeing the results that are produced.
In our example policy, architecture quality is pretty important, but it is not the most important issue, so we'll leave the default threat level at 5. This places the violation higher up in the display, but it is certainly not the worst.
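As an added example (not part of Sonatype's documentation or product code), the following Python models Table 6.1 and the ordering described above: it maps a threat level to its band and color, rejects out-of-range values, orders constructed sample violations most severe first, and counts how many fall into each band so you can see at a glance whether a report is top-heavy with High findings. The `Violation` fields and the sample components are assumptions.

```python
from dataclasses import dataclass

# Threat-level bands from Table 6.1: (name, color, lowest value, highest value).
THREAT_BANDS = (
    ("High", "Red", 8, 10),
    ("Medium", "Orange", 4, 7),
    ("Low", "Yellow", 2, 3),
    ("Informational", "Dark Blue", 1, 1),
    ("None", "Light Blue", 0, 0),
)


def band_for(level: int) -> tuple:
    """Return (band name, color) for a threat level; reject anything outside 0-10."""
    for name, color, low, high in THREAT_BANDS:
        if low <= level <= high:
            return name, color
    raise ValueError(f"threat level must be between 0 and 10, got {level!r}")


@dataclass(frozen=True)
class Violation:
    component: str    # component that violated a policy (assumed field)
    policy: str       # the policy it violated (assumed field)
    threat_level: int  # the policy's threat level, 0-10


def order_violations(violations):
    """Order violations the way the report displays them: most severe first (stable for ties)."""
    return sorted(violations, key=lambda v: v.threat_level, reverse=True)


def band_summary(violations):
    """Count violations per band; a large 'High' count is the overwhelm signal the text warns about."""
    counts = {name: 0 for name, *_ in THREAT_BANDS}
    for v in violations:
        counts[band_for(v.threat_level)[0]] += 1
    return counts


# Constructed sample violations (not data from a real CLM report).
SAMPLE = [
    Violation("example-lib 1.0", "Security-High", 9),
    Violation("example-util 2.3", "Architecture-Quality", 5),
    Violation("example-core 0.9", "License-Copyleft", 2),
    Violation("example-test 4.1", "Component-Age", 0),
]

if __name__ == "__main__":
    for v in order_violations(SAMPLE):
        print(band_for(v.threat_level), v.component, v.policy)
    print(band_summary(SAMPLE))
```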
Note: Remember, threat is subjective, and is most useful for ordering violations.