Sonatype CLM - Release Notes

Sonatype CLM 1.7

The information provided below represents the updates provided with the 1.7 release. All improvements listed here are also part of the latest release.

[Important]

One of the key enhancements in this release is the addition of Security Administration (User Accounts and Roles). If you are upgrading from a previous version, please see the specific instructions below.

Update to Config.yml

One of the most requested features in version 1.7 of the Sonatype CLM Suite is Security Administration. Going forward, Sonatype CLM no longer allows anonymous access from Sonatype CLM for IDE. In addition, access to reports directly in the Sonatype CLM for CI interface is no longer available. To provide a more secure environment, these reports are now exclusive to the Sonatype CLM Server and require a user name and password to log in. However, a link to these reports is still provided within the native Hudson and Jenkins environment.

If you are upgrading from a previous version, you will need to add a specific line to your current config file, under the loggers: section.

Line to Add

"org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter": INFO

After adding, your config should look like this:

loggers:
    "eu.medsea.mimeutil.MimeUtil2": INFO
    "org.apache.http": INFO
    "org.eclipse.jetty": INFO
    "org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter": INFO

[Warning]

If this line is not added to your config.yml file, credentials will be written to the Sonatype CLM log file, which is insecure.
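As an added example, not part of Sonatype's release notes or product, the following Python check confirms that an upgraded config.yml carries the required logger entry and appends it after the existing loggers: entries (creating the block if there is none). It assumes the indented loggers: layout shown above; the sample config and its otherSection key are constructed for illustration.

```python
from typing import Optional, Tuple

# Logger entry that the 1.7 upgrade notes require under "loggers:".
REQUIRED_LOGGER = "org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter"
REQUIRED_LINE = f'"{REQUIRED_LOGGER}": INFO'

# Constructed sample: the notes' loggers block before the upgrade edit, plus a following key.
SAMPLE_CONFIG = """loggers:
    "eu.medsea.mimeutil.MimeUtil2": INFO
    "org.apache.http": INFO
    "org.eclipse.jetty": INFO
otherSection:
"""


def shiro_logger_level(config_text: str) -> Optional[str]:
    """Return the level set for the Shiro auth filter under loggers:, or None if absent."""
    in_loggers = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():                # a top-level key enters or leaves the block
            in_loggers = stripped == "loggers:"
        elif in_loggers and stripped.startswith(f'"{REQUIRED_LOGGER}":'):
            return stripped.split(":", 1)[1].strip()
    return None


def ensure_shiro_logger(config_text: str) -> Tuple[str, bool]:
    """Add REQUIRED_LINE after the last loggers: entry (same indent); create the block if absent."""
    if shiro_logger_level(config_text) is not None:
        return config_text, False
    lines = config_text.splitlines()
    in_loggers, insert_at, indent = False, None, "    "
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():
            in_loggers = stripped == "loggers:"
            if in_loggers:
                insert_at = i                    # right after "loggers:" if it has no entries
        elif in_loggers:
            insert_at = i                        # after the block's last entry
            indent = line[: len(line) - len(line.lstrip())]
    if insert_at is None:
        lines += ["loggers:", indent + REQUIRED_LINE]
    else:
        lines.insert(insert_at + 1, indent + REQUIRED_LINE)
    return "\n".join(lines) + "\n", True
```

Running ensure_shiro_logger over the real file contents and writing the result back, only when the returned flag is True, makes the upgrade step idempotent.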

Invalid Email Address

One of the available actions in Sonatype CLM is sending an email with the most recent results of the Application Composition Report. In some cases, however, an invalid email address resulted in an error. Sonatype CLM now checks for a valid email address; if an invalid address is found, the policy is not evaluated and an error is generated. The errors are displayed in the logs of the CLM Server.

To address the error, simply correct the email address indicated as invalid.

What’s New in Sonatype CLM 1.7

Security Administration

In previous versions of Sonatype CLM, all access was anonymous. That is, anyone with access to the Sonatype CLM server, or the add-ons for various enforcement points (e.g. Sonatype CLM for CI and IDE), would have full access to all Sonatype CLM functionality. This is no longer the case with the latest version of Sonatype CLM.

However, this isn’t merely the addition of user names and passwords: administrators and managers now have access to a wide range of security features. These include:

  • Internal (CLM) Realm Support
  • Support for LDAP (including users and groups)
  • Separate roles for developers, organization owners, and administrators
  • Required authentication from Sonatype CLM for IDE
  • Required authentication when viewing reports from Sonatype CLM for CI

[Tip]

When configuring LDAP, static groups are preferred over dynamic ones, and will generally perform better if you have a large number of LDAP users.

For a full walkthrough of all Security Administration, and guidance in setting up these features, please review our Security Administration Guide.

New Trending Report

Reviewing violation results via the Application Composition Report is at the heart of ensuring your policies produce violations that match the goals of your business. However, understanding how things are shaping up over time has been a more manual process.

The new Trending Report changes this. Now you can see the progress you are making in reducing your usage of components that introduce risk into your organization. The report looks over results from the last twenty days and provides a summary of your policy violations and components.

There’s a lot more to this report, though; read all about it in the Trending Report section of our Reports Guide.

Policy Import

While the ability to import policies has been a supported function for some time, the process was manual and in many regards cumbersome. It has now been completely reworked, with user interface updates that make things even easier.

If you are looking to import policy into an organization or application, our new Policy Management guide has everything you need.

Component Search

For many users, most in fact, a component exists in multiple applications. However, reviewing a single report does not show which applications contain that component. To address this, users now have access to this information: all you need is an API request through a tool such as curl, and you can send a query identifying which applications contain a specific component.

For more on this feature, review our Knowledge Base article, How can I see in which applications a component is found?

General Enhancements

A number of improvements have been made to the way users interact with Sonatype CLM from policies to the existing reports. This includes:

  • Label description and color is now provided during policy creation.
  • Policy Violations are now included as part of the Application Composition Report PDF.
  • Claimed components can now have their license information manually overridden.
  • GAV coordinates are now included as part of the Nexus RHC data.
  • Various bug fixes, and data updates.

Documentation Update

As you’ve seen throughout these notes, a number of new guides have been created. We encourage you to review all of our documentation for Sonatype CLM. Head there now, and let us know what you think.