The CLM Book - Optimized Component Lifecycle Management with Sonatype CLM

Table of Contents

Preface
1. How to Use This Book
2. Downloads
3. Sonatype CLM - Requirements
3.1. CLM Server
3.2. CLM Web Application
3.3. REST API Versioning
3.4. Command Line Scanner Requirements
3.5. Sonatype CLM for Eclipse Requirements
3.6. Sonatype CLM for Hudson / Jenkins Requirements
3.7. Sonatype CLM for Maven Requirements
3.8. Sonatype CLM for Nexus Pro Requirements
3.9. Sonatype CLM for SonarQube Requirements
4. Component Lifecycle Management
4.1. Increasing Component Usage and Open Source Components
4.2. Security Vulnerability and License Compliance Risks
4.3. Complicating Factors for CLM
4.4. Stages of CLM Adoption and Performance
4.5. The Four Requirements for True Component Lifecycle Management
4.6. Sonatype and Sonatype CLM
4.6.1. Who is Sonatype?
4.6.2. What is Sonatype CLM?
4.6.3. How does Sonatype CLM work?
4.6.4. Which component ecosystems does Sonatype CLM support?
4.7. Conclusion
5. Sonatype CLM - Server Setup
5.1. CLM Server Installation and Configuration
5.1.1. Starting CLM Server
5.1.2. License Installation
5.1.3. CLM Server Directories
5.1.4. Running the CLM Server as a Service
5.2. Configuration
5.2.1. Initial Configuration of CLM Server
5.2.2. Running the CLM Server Behind an HTTP Proxy Server
5.2.3. Setting the Base URL
5.2.4. Appending a User Agent String
5.2.5. File Configuration
5.2.6. Email Configuration
5.2.7. Logging Configuration
5.2.8. HTTP Configuration
5.2.9. HTTPS/SSL
5.2.10. Anonymous Access
5.3. Backing Up the CLM Server
5.4. Upgrading the CLM Server
5.4.1. Upgrade Paths
Upgrading from Sonatype CLM 1.9x or Later
Upgrading from Sonatype CLM 1.8x
Upgrading from Sonatype CLM 1.7x and 1.6x
Upgrading from Sonatype CLM 1.5x or Earlier
6. Sonatype CLM - Security Administration
6.1. User Management
6.1.1. Logging in to Sonatype CLM
6.1.2. Viewing Notifications
6.1.3. Changing the Admin Password
6.1.4. Creating a User
6.1.5. Editing and Deleting User Information
6.2. LDAP Integration
6.2.1. Configuring the LDAP Server Connection
6.2.2. LDAP Configuration Parameters
6.2.3. Mapping LDAP Users to Sonatype CLM
6.2.4. LDAP User Parameters
6.2.5. Mapping LDAP Groups to Sonatype CLM
6.2.6. LDAP Group Parameters
Static Groups
Dynamic Groups
6.2.7. Verifying LDAP Configuration
Test Connection
Check User and Group Mapping
Check Login
6.3. Role Management
6.3.1. Viewing Role and Permission Descriptions
6.3.2. Assigning Users to Roles
6.3.3. Creating Custom Roles
6.3.4. Excluding Groups from Search Results
7. Sonatype CLM - Policy Management
7.1. Organization and Application Management
7.1.1. Organizational Structure
7.1.2. Creating an Organization
7.1.3. Creating an Application
7.1.4. Organization, Application, and Inheritance
7.1.5. Avoiding Policy Micromanagement
7.2. Policy Development
7.2.1. Advanced Anatomy of a Policy
7.2.2. Risk and Organizational Intent
7.3. Policy Creation
7.3.1. Step 1: Understand the Policy Intent
7.3.2. Step 2: Decide on a Descriptive Policy Name
7.3.3. Step 3: Choose an Appropriate Threat Level
7.3.4. Step 4: Choose the Application Matching Parameters
7.3.5. Step 5: Create Constraints with Conditions
7.3.6. Step 6: Set Policy Actions And Notifications
Actions
Notifications
Stages
7.4. Policy Elements
7.5. Labels
7.5.1. Creating, Editing and Deleting a Label
7.5.2. Creating a Condition Based on a Label
7.6. License Threat Groups
7.6.1. Creating, Editing, and Deleting a License Threat Group
7.6.2. Creating a Condition Based on a License Threat Group
7.6.3. Creating a Condition Based on an Unassigned License Threat Group
7.6.4. Tags
7.6.5. Creating, Editing, and Deleting Tags
7.6.6. Applying a Tag
7.6.7. Matching Policies to Specific Applications
7.6.8. Viewing Tag-based Policies
7.7. Evaluating via the CLM Server
7.8. Reviewing Evaluation Results
7.9. Importing Policies
7.9.1. Sonatype Sample Policy Set
7.9.2. Importing a Policy to an Organization
7.9.3. Importing a Policy to an Application
7.10. Policy Monitoring
7.10.1. Setup Policy Monitoring for an Application
7.10.2. Configuring Notification Times
8. Sonatype CLM - Dashboard
8.1. Accessing the Dashboard
8.2. Viewing CLM Data in the Dashboard
8.2.1. Filters
8.2.2. Visual Overview
8.3. Highest Risk Violations
8.3.1. Newest
8.3.2. By Component
8.3.3. By Application
8.4. Viewing Component Details
9. Sonatype CLM - Report
9.1. Accessing an Application Composition Report
9.2. Reviewing a Report
9.2.1. Summary Tab
9.2.2. Policy Tab
9.2.3. Security Issues Tab
9.2.4. License Analysis Tab
9.3. Printing and Reevaluating the Report
9.4. The Component Information Panel (CIP)
9.5. Resolving Security Issues
9.5.1. Security Issues
9.5.2. The Component Information Panel (CIP)
9.5.3. Editing Vulnerability Status
9.5.4. Matching to Violations
9.6. License Analysis Tab
9.6.1. License Threat Group
9.6.2. License Analysis
9.6.3. The Component Information Panel (CIP)
9.6.4. Editing License Status and Information
9.7. Component Identification
9.7.1. Matching Components
9.7.2. Managing Proprietary Components
9.7.3. Claiming a Component
9.8. Label Overview
9.8.1. Where do labels begin?
9.8.2. Assigning a Label
9.9. Waivers
9.9.1. A Use Case for Waivers
9.9.2. Adding a Waiver
9.9.3. Viewing and Removing a Waiver
9.10. Policy Reevaluation
9.11. Sonatype CLM PDF Report
9.11.1. Creating the PDF
9.11.2. Reviewing the PDF
10. Sonatype CLM and Repository Management
11. Sonatype CLM for Nexus Pro
11.1. Repository Health Check (RHC) vs. Sonatype CLM
11.2. Connecting Nexus to CLM Server
11.3. Accessing CLM Component Information
11.4. The Component Information Panel (CIP)
11.5. Component Details (CLM)
11.6. Sonatype CLM for Nexus Staging
11.6.1. Staging Profile Configuration
11.6.2. Policy Actions for Staging
11.7. Policy Actions for Release Repositories
12. Sonatype CLM and Continuous Integration
13. Sonatype CLM for Bamboo
13.1. Install Sonatype CLM for Bamboo
13.2. Configure Sonatype CLM for Bamboo
13.3. Adding the Sonatype CLM Analysis Task
13.4. Reviewing CLM Policy Results
14. Sonatype CLM for Hudson and Jenkins
14.1. Installation
14.2. Global Configuration
14.3. Job Configuration
14.4. Inspecting Results
15. Sonatype CLM and IDEs
16. Sonatype CLM for Eclipse
16.1. Installing Sonatype CLM for Eclipse
16.2. Configuring Sonatype CLM for Eclipse
16.3. Using the Component Info View
16.4. Filtering the Component List
16.5. Searching for Component Usages
16.6. Inspecting Component Details
16.7. Migrating to Different Component Versions
17. Sonatype CLM for SonarQube
17.1. Installation
17.2. Configuration
17.3. Proxy Configuration
17.4. Select the CLM Application
17.5. Add and Configure the Sonatype CLM Widget
17.6. Accessing the Application Composition Report
18. Sonatype CLM for CLI
18.1. Downloading Sonatype CLM for CLI
18.2. Locating Your Application Identifier
18.3. Evaluating an Application
18.3.1. Additional Options
18.4. Example Evaluation
18.5. Using Sonatype CLM for CLI with a CI Server
19. Sonatype CLM for Maven
19.1. Evaluating Project Components with Sonatype CLM Server
19.1.1. Authentication
19.1.2. Simplifying Command Line Invocations
19.1.3. Skipping Executions
19.2. Creating a Component Index
19.2.1. Excluding Module Information Files in Continuous Integration Tools
19.3. Creating a Component Info Archive for Nexus Pro CLM Edition
19.4. Using Sonatype CLM for Maven with Other IDEs
19.4.1. Maven Plugin Setup
19.4.2. IntelliJ IDEA
19.4.3. NetBeans IDE
20. Sonatype CLM REST APIs
20.1. Component Search REST APIs (v1)
20.2. Component Information API (v1)
20.3. Application REST APIs (v1)
20.4. Violation REST API (v1)
20.5. Supported Component Identifiers
20.6. Component Search REST APIs (v2)
20.7. Component Information API (v2)
20.8. Component Evaluation REST APIs (v2)
20.9. Application REST APIs (v2)
20.10. Violation REST API (v2)
20.11. Reports REST API (v2)
A. Copyright

List of Figures

5.1. Installing a Product License on Sonatype CLM Server
5.2. Sonatype CLM Server End User License Agreement Window
5.3. Installed Product License on Sonatype CLM Server
5.4. Application Without Organization v.1.8 UI
5.5. Application Without Organization v.1.7 and Earlier UI
6.1. Login
6.2. Create User
6.3. Edit User
6.4. Sample LDAP Server Configuration
6.5. User Mapping
6.6. Group Mapping
6.7. Dynamic Group Options
6.8. Testing LDAP Server
6.9. Checking User Mapping
6.10. Checking User Login
6.11. Role and Permission Descriptions
6.12. Assigning Users to Roles
6.13. Assigning Groups Manual Search
7.1. Using New Organization button
7.2. Using Global Create Button
7.3. Using New Application button
7.4. Using Global Create Button
7.5. Editing a Policy and its Attributes
7.6. Using New Policy Button
7.7. Using Global Create Button
7.8. Naming the Policy
7.9. Editing the Policy Threat Level
7.10. Example Constraint
7.11. Adding Constraints
7.12. Policy Actions Example
7.13. Policy Notifications Example
7.14. Using New Label Button
7.15. Using Global Create Button
7.16. Label Example
7.17. Creating a Label Condition
7.18. Using New License Threat Group Button
7.19. Using Global Create Button
7.20. Creating a License Threat Group
7.21. Creating a Condition Evaluating a License Threat Group
7.22. Creating a Condition Evaluating an Unassigned License Threat Group
7.23. Example of Applied Tags
7.24. Using New Tag Button
7.25. Using Global Create Button
7.26. Creating a Tag
7.27. Example of Tags with Description
7.28. Evaluate an Application
7.29. Violations Report after Scan
7.30. Reporting Area
7.31. Application Area
7.32. Summary Tab of an Application Composition Report
7.33. Policy Tab of an Application Composition Report
7.34. Security Issues Tab of an Application Composition Report
7.35. License Analysis Tab of an Application Composition Report
7.36. Component Information Panel CIP for a Specific Component
7.37. Policy Section for a Specific Component Displayed on the Component Information Panel
7.38. Organization View with Import Button
7.39. Import Policy Dialog
7.40. Example of a Policy Monitoring Email
7.41. Access Application Management Area
7.42. Selecting a Sonatype CLM Stage to Monitor
7.43. Adding Email Recipient
7.44. Policy Monitoring Notification Example
7.45. Sample Email Notification
8.1. Dashboard Default View
8.2. Accessing the Dashboard
8.3. Dashboard Filter Example
8.4. Filtering the Dashboard
8.5. Dashboard Visuals
8.6. Counts
8.7. Matches
8.8. Policy Violation Trends
8.9. Newest Risk
8.10. Highest Risk - By Component
8.11. Highest Risk - By Application
8.12. Component Detail Page
9.1. Summary Tab of the Application Composition Report
9.2. Reporting Area
9.3. Application Area
9.4. The Four Tabs
9.5. Security Issues Summary
9.6. License Analysis Summary
9.7. Policy Tab
9.8. Security Issues Tab
9.9. License Analysis Tab
9.10. Application Composition Report Buttons For Printing and Reevaluation
9.11. Component Information Panel CIP Example
9.12. CIP, Policy Section
9.13. CIP, Similar Section
9.14. CIP, Occurrences Section
9.15. CIP, Licenses Section
9.16. CIP, Edit Vulnerabilities Section
9.17. CIP, Labels Section
9.18. CIP, Claim Component
9.19. CIP, Audit
9.20. Security Issues Tab
9.21. Component Information Panel (CIP)
9.22. Security Information Modal
9.23. Editing Vulnerabilities
9.24. Example of Component with Security Issue, but No Policy Violation
9.25. License Analysis Tab
9.26. The Default License Threat Groups
9.27. Component Information Panel (CIP)
9.28. Editing License Using the Select Option
9.29. Unknown Component
9.30. Filter and Matching Options
9.31. Proprietary Component
9.32. Proprietary Packages Configuration via the Sonatype CLM Server
9.33. Claim a Component
9.34. Claimed Component Indicator
9.35. Update or Revoke Claimed Component Indicator
9.36. Labels at the CLM Server Level
9.37. Assigning a Label
9.38. Waiver Visualization on Policy Tab
9.39. Waiver Button
9.40. Options to Apply Waiver to the Application or the Entire Organization
9.41. View and Remove Waivers
9.42. Application Composition Report Buttons For Printing and Reevaluation
9.43. Summary Section of an Application Composition Report in PDF Format
9.44. Policy Violations Section of an Application Composition Report in PDF Format
9.45. Security Issues Section of an Application Composition Report in PDF Format
9.46. License Analysis Section of an Application Composition Report in PDF Format
9.47. Components Section of an Application Composition Report in PDF Format
10.1. The Central Role of a Repository Manager in Your Infrastructure
11.1. CLM configuration tab in Nexus
11.2. CLM configuration tab after Test Connection
11.3. Typical Search Results in Nexus Pro
11.4. Nexus Search Showing All Versions
11.5. Accessing the Component Info Tab
11.6. Component Information Panel
11.7. Component Information Panel Example
11.8. CIP Text
11.9. CIP Graph
11.10. View Details Button
11.11. View Details
11.12. Staging Profile with a CLM Application Configured
11.13. Staging and Release Configuration for a Policy in the CLM Server
11.14. Staging Repository Activity with a CLM Evaluation Failure and Details
14.1. Jenkins Global Configuration Menu
14.2. Global Configuration of Sonatype CLM for CI in Jenkins
14.3. Sonatype CLM Build Scan Configuration for a Build Step
14.4. Job Overview Page with a Link to the Application Composition Report
14.5. Left Menu with Link to the Application Composition Report
16.1. Eclipse Dialog to Install New Software with Sonatype CLM for Eclipse
16.2. Activating the Component Info View of Sonatype CLM for Eclipse
16.3. Warning after initial installation
16.4. Sonatype CLM for Eclipse Configuration Dialog
16.5. Example Component Info View
16.6. Details for a Component in the Component Info View
16.7. Properties of a Component for a Version Range
16.8. Filter Dialog for the Component Info View
16.9. Example Component Details Display
16.10. Migrating to a Newer Component Version
16.11. Applying a Dependency Version Upgrade
16.12. Selecting Dependency Version or Property Upgrade
16.13. Applying a Property Upgrade
17.1. SonarQube Overview
17.2. SonarQube Plugin Directory
17.3. SonarQube Settings Menu
17.4. SonarQube CLM Server Settings
17.5. SonarQube Sonatype CLM Configuration Menu
17.6. SonarQube Sonatype CLM Application Selection
17.7. SonarQube Configure Widgets Menu
17.8. SonarQube Search for CLM Widget
17.9. SonarQube Configure Sonatype CLM Widget options
17.10. SonarQube Sonatype CLM Widget Example
18.1. Application Overview and Application Identifier
18.2. Violations Report After an Evaluation
19.1. Creating a Maven Run Configuration for a CLM Evaluation in IntelliJ
19.2. Maven Projects View with the CLM Evaluation Run Configuration in IntelliJ
19.3. CLM for Maven Output in the Run Console in IntelliJ
19.4. Project View with the pom.xml in NetBeans
19.5. Maven Goal Setup for a CLM Evaluation in NetBeans
19.6. CLM for Maven Output in the Output Window in NetBeans