Sonatype CLM - Release Notes
The latest version of Sonatype CLM is free for all existing users of Sonatype CLM. This includes the Sonatype CLM Server as well as the entire Sonatype CLM suite of tools (e.g. Sonatype CLM for Nexus).
The following updates are included in the 1.14 release:
- Notification panel to stay up-to-date on CLM announcements
- Optionally force authentication by tools, with new roles to restrict access
- Send notifications to roles as well as specific email addresses
- System logging of user actions
- Vulnerability details provided within the application report
- Eclipse plugin uses its own display engine to avoid issues with the system browser (here’s looking at you, IE8)
Details, where applicable, have been included below.
Notification Panel
A new notification panel located next to the name of the logged-in user provides a mechanism for the Sonatype CLM development team to communicate directly with Sonatype CLM users. Look to this location for important announcements that affect your CLM Server.
Sonatype CLM Authorization
The Sonatype CLM Server provides extended functionality to a number of tools (e.g. Sonatype CLM for Nexus, Hudson, Jenkins, Bamboo, Eclipse, Maven, etc.). Previously, these tools allowed limited or no direct authorization options when evaluating applications.
Starting with Sonatype CLM 1.14, CLM Server authorization for these tools is optional by default. This means a username and password can be entered if desired. Additionally, the Sonatype CLM Server can be configured to force authorization for all tools.
If you want to turn off anonymous access, we recommend you upgrade your Sonatype CLM Server first and then follow with the various tools. In cases where you can’t upgrade the tools as quickly or easily as the Sonatype CLM Server, we recommend waiting until those tools are updated before forcing authorization.
The affected tools include Sonatype CLM for:
- Bamboo
- CLI
- Hudson/Jenkins
- IDE (Eclipse)
- Maven
- Nexus
- SonarQube
Role-based Notifications and Monitoring
The Sonatype CLM Server allows notifications and monitoring to be configured so that when a policy violation occurs, users are notified. Previously, policy notifications and monitoring required an email address to be added.
In the Sonatype CLM 1.14 update, users can select a particular role in addition to entering a specific email. When policy violations occur, any user assigned to that role will be emailed. For additional information, please review the Policy Notifications and Monitoring documentation.
CLM Server Config Update
An update to the application log has been made. These changes provide a foundation for more detailed logging in the future. Previous users of Sonatype CLM who are upgrading to 1.14, and want to take advantage of this feature, will need to update their logFormat configuration.
Please review the config.yml file included with the Sonatype CLM Server download. An example of the new logging is provided below.
2015-04-10 10:34:16,919-0400 INFO [qtp308511037-32 - GET /rest/productNotifications?timestamp=1428676456892] admin com.sonatype.insight.brain.notifications.HdsProductNotificationService - Updating notification cache from HDS
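Because the new format records which user issued which request, it is worth being able to pull the user and request fields out of the server log for audit review. The following parser is an added example and is not Sonatype code; the field layout (timestamp, level, bracketed thread name optionally followed by the HTTP method and path, user, logger, message) is an assumption inferred from the single sample line above, and the two extra log lines are constructed to exercise a second user and a line that carries no request.

```python
import re
from collections import Counter
from datetime import datetime

# Layout assumed from the sample line in the release notes (not a documented grammar):
#   <timestamp> <LEVEL> [<thread> - <METHOD> <path>] <user> <logger> - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4}) "
    r"(?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]*)\] "
    r"(?P<user>\S+) "
    r"(?P<logger>\S+) - "
    r"(?P<message>.*)$"
)

# Inside the brackets the thread name may be followed by " - METHOD /path";
# lines logged outside a request (assumed, e.g. from the "main" thread) have only the name.
REQUEST_RE = re.compile(r"^(?P<thread>.*?)(?: - (?P<method>[A-Z]+) (?P<path>\S+))?$")


def parse_line(line):
    """Parse one CLM log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # ",919" is milliseconds; %f accepts 1-6 digits, %z accepts "-0400"
    rec["timestamp"] = datetime.strptime(rec.pop("ts"), "%Y-%m-%d %H:%M:%S,%f%z")
    rm = REQUEST_RE.match(rec["thread"])
    rec["thread"] = rm.group("thread")
    rec["method"] = rm.group("method")  # None when the line carries no request
    rec["path"] = rm.group("path")
    return rec


def requests_by_user(lines):
    """Count HTTP requests per user, ignoring unparsable lines and lines without a request."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["method"] is not None:
            counts[rec["user"]] += 1
    return counts


# Sample input: the line from the release notes followed by two constructed lines.
SAMPLE_LOG = [
    "2015-04-10 10:34:16,919-0400 INFO [qtp308511037-32 - GET /rest/productNotifications?timestamp=1428676456892] admin com.sonatype.insight.brain.notifications.HdsProductNotificationService - Updating notification cache from HDS",
    "2015-04-10 10:35:02,001-0400 INFO [qtp308511037-40 - POST /rest/example-constructed] jdoe example.ConstructedLogger - constructed line for a second user",
    "2015-04-10 10:35:03,500-0400 WARN [main] admin example.ConstructedLogger - constructed line with no request",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        print(rec["timestamp"].isoformat(), rec["user"], rec["method"], rec["path"])
    print(dict(requests_by_user(SAMPLE_LOG)))
```

The parser keeps the timezone offset from the log line in the parsed timestamp, so events from servers in different zones can be ordered correctly when logs are combined; `requests_by_user` is the simplest report you would build on top of it when checking who used the server after forcing authorization.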
Vulnerability Details in Application Report
The Edit Security Vulnerability area of the Component Information Panel (CIP) located in the Application Composition Report has been modified. A new information column has been added with an icon in each row. Clicking on this icon will display a summary of the Security Vulnerability Information Sonatype has curated.