Sonatype CLM APIs are versioned. This document represents a deprecated version (v1) and we highly recommend updating to the latest version of Sonatype CLM and using the latest version of this API.
The Policy Violation REST APIs for Sonatype CLM allow you to access and extract the policy violations gathered during the evaluation of applications by the Sonatype CLM Server. In most cases the reason for accessing this data is to integrate it with other tools your company may have, for example a dashboard or reporting application that should receive this data.
Whatever the case, just as with other Sonatype CLM APIs, this is all done using Sonatype CLM REST API calls. Accessing policy violation information uses the policyViolations REST API described in the steps below.
As mentioned previously, we provide both the API and examples using the HTTP client CURL. The examples are only for demonstration purposes, showing the necessary input and the expected output.
Additionally, to help demonstrate this, we've approached it in a step-by-step manner that starts with gathering policy IDs and then requests the violations.
Before You Get Started. As with other Sonatype CLM REST APIs, you will need a username and password to interface with Sonatype CLM. In addition, because access to this data is granted based on the roles (permissions) you have set up, you may wish to create a user specifically for this process, with only the roles it needs.
Other than this, the only piece you may need in order to follow along with our instructions is CURL, or a comparable HTTP client.
Step 1 - Get the Policy IDs. To access policy violation information you need the Policy ID(s). For this reason, we start with the GET API call…
GET /api/v1/policies/
which will return a list of all Policy IDs. To follow along using CURL, enter the following command:
curl -u admin:admin123 -X GET 'http://localhost:8070/api/v1/policies'
The action above will produce a list of your policies in JSON format. Here is an example of what might be returned (the trailing comma in the original sample has been removed so that it is valid JSON):
{
  "policies": [
    {
      "id": "6984017845c645b0ad0c95401ad4f17d",
      "name": "My Application Policy",
      "ownerId": "36d7e629462a4038b581488c347959bc",
      "ownerType": "APPLICATION",
      "threatLevel": 5,
      "policyType": "quality"
    }
  ]
}
As you can see above, we've used the admin user which is shipped with Sonatype CLM, as well as the default server location. The user you use may differ depending on your configuration.
In many cases, you will have many policies, especially if you are retrieving information for an account that has access to many applications and/or organizations.
Step 2 - Get the Policy Violations. Now that you have the Policy IDs, they can be used to gather a list of policy violations. To do this, you will need the Policy IDs you retrieved from step one. For example:
"id": "6984017845c645b0ad0c95401ad4f17d"
Policy IDs are unique, and thus in the example above, specific to our installation of Sonatype CLM.
Slightly different from before, we will use the GET API call…
GET /api/v1/policyViolations?p=policyid1
which passes a simple query for Policy IDs. For each policy we want to retrieve violations for, we include that ID as a p parameter. If desired we can retrieve violations for multiple Policy IDs at once. To do this, just make sure you append &p=<Policy ID> for each additional policy you want included. Here is an example of the API with the Policy ID we retrieved:
GET /api/v1/policyViolations?p=6984017845c645b0ad0c95401ad4f17d
Putting this all together, and using our CURL example, you should enter the following command:
curl -u admin:admin123 -X GET 'http://localhost:8070/api/v1/policyViolations?p=6984017845c645b0ad0c95401ad4f17d'
If your query was successful, the system will respond with something like this:
{
  "applicationViolations": [
    {
      "application": {
        "id": "529b7f71bb714eca8955e5d66687ae2c",
        "publicId": "MyAppID1",
        "name": "MyApplications",
        "organizationId": "36d7e629462a4038b581488c347959bc",
        "contactUserName": null
      },
      "policyViolations": [
        {
          "policyId": "6984017845c645b0ad0c95401ad4f17d",
          "policyName": "Security-High",
          "stageId": "build",
          "reportUrl": "ui/links/application/MyAppID1/report/c0ddefc4512f42d0bcbe29029e2be117",
          "constraintViolations": [
            {
              "constraintId": "19011de290b147a38c820ad7bd5c653d",
              "constraintName": "CVSS >=7 and <10",
              "reasons": [
                { "reason": "Found 2 Security Vulnerabilities with Severity >= 7" },
                { "reason": "Found 4 Security Vulnerabilities with Severity < 10" },
                { "reason": "Found 4 Security Vulnerabilities with Status OPEN" }
              ]
            }
          ],
          "mavenComponent": {
            "hash": "384faa82e193d4e4b054",
            "groupId": "commons-fileupload",
            "artifactId": "commons-fileupload",
            "version": "1.2.1"
          }
        }
      ]
    }
  ]
}
And there you have it, you've just retrieved policy violations. Below, each category of data that is returned is described.
application. This category contains specific information about the application that was evaluated.
policyViolations. This is a subcategory of the application, and provides specific information about the policy and the corresponding violations that were found.
constraintViolations. This is a subcategory of policyViolations, and includes all information related to the specific constraint that was violated.
reasons. This is a subcategory of constraintViolations, and gives the reason(s) why the violation occurred.
mavenComponent. The Maven component is a subcategory of policyViolations, and includes information about the component(s) causing the violation to occur.
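The two steps above, put together as an added example (this is not Sonatype's own code): collect the policy IDs from GET /api/v1/policies, build a single policyViolations request carrying one p parameter per policy, and flatten the nested application / policyViolations / constraintViolations / reasons / mavenComponent structure into rows that a dashboard or report can consume. It assumes a CLM server at BASE_URL reachable with HTTP Basic auth (the same as curl -u); the function names, the flattened row layout and the embedded sample responses are constructed here from the JSON shown on this page so that the parsing part runs offline.

```python
"""Added example: walk Sonatype CLM v1 policies -> policyViolations and flatten the result.

Not Sonatype's own code.  Assumptions: server at BASE_URL, HTTP Basic auth,
and response shapes as shown in the sample JSON on this page.
"""
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8070"  # assumption: the default CLM server location used on this page


def build_violations_url(base_url, policy_ids):
    """Build GET /api/v1/policyViolations?p=<id1>&p=<id2>... with one p parameter per policy."""
    if not policy_ids:
        raise ValueError("at least one policy ID is required")
    query = urllib.parse.urlencode([("p", pid) for pid in policy_ids])
    return f"{base_url.rstrip('/')}/api/v1/policyViolations?{query}"


def fetch_json(url, username, password, timeout=30):
    """GET a CLM REST endpoint with HTTP Basic auth and decode the JSON body.
    Credentials are passed in rather than hard-coded; not exercised offline."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def policy_ids_from(policies_response):
    """Step 1: extract every policy id from the GET /api/v1/policies response."""
    return [p["id"] for p in policies_response.get("policies", [])]


def flatten_violations(violations_response):
    """Step 2: one flat row per constraint violation, carrying the fields a report needs."""
    rows = []
    for app_entry in violations_response.get("applicationViolations", []):
        app = app_entry["application"]
        for pv in app_entry.get("policyViolations", []):
            comp = pv.get("mavenComponent") or {}
            component = ":".join(str(comp.get(k, "")) for k in ("groupId", "artifactId", "version"))
            for cv in pv.get("constraintViolations", []):
                rows.append({
                    "application": app["publicId"],
                    "policy": pv["policyName"],
                    "stage": pv["stageId"],
                    "constraint": cv["constraintName"],
                    "reasons": [r["reason"] for r in cv.get("reasons", [])],
                    "component": component,
                    "reportUrl": pv.get("reportUrl"),
                })
    return rows


def collect_violations(base_url, username, password):
    """The full procedure against a live server: policies -> ids -> violations -> rows."""
    policies = fetch_json(f"{base_url.rstrip('/')}/api/v1/policies", username, password)
    violations = fetch_json(build_violations_url(base_url, policy_ids_from(policies)), username, password)
    return flatten_violations(violations)


# Constructed samples mirroring the responses shown on this page, so the parser runs offline.
SAMPLE_POLICIES = {"policies": [{"id": "6984017845c645b0ad0c95401ad4f17d", "name": "My Application Policy",
                                 "ownerId": "36d7e629462a4038b581488c347959bc", "ownerType": "APPLICATION",
                                 "threatLevel": 5, "policyType": "quality"}]}
SAMPLE_VIOLATIONS = {"applicationViolations": [{
    "application": {"id": "529b7f71bb714eca8955e5d66687ae2c", "publicId": "MyAppID1",
                    "name": "MyApplications", "organizationId": "36d7e629462a4038b581488c347959bc",
                    "contactUserName": None},
    "policyViolations": [{
        "policyId": "6984017845c645b0ad0c95401ad4f17d", "policyName": "Security-High", "stageId": "build",
        "reportUrl": "ui/links/application/MyAppID1/report/c0ddefc4512f42d0bcbe29029e2be117",
        "constraintViolations": [{
            "constraintId": "19011de290b147a38c820ad7bd5c653d", "constraintName": "CVSS >=7 and <10",
            "reasons": [{"reason": "Found 2 Security Vulnerabilities with Severity >= 7"},
                        {"reason": "Found 4 Security Vulnerabilities with Severity < 10"},
                        {"reason": "Found 4 Security Vulnerabilities with Status OPEN"}]}],
        "mavenComponent": {"hash": "384faa82e193d4e4b054", "groupId": "commons-fileupload",
                           "artifactId": "commons-fileupload", "version": "1.2.1"}}]}]}

if __name__ == "__main__":
    print(build_violations_url(BASE_URL, policy_ids_from(SAMPLE_POLICIES)))
    for row in flatten_violations(SAMPLE_VIOLATIONS):
        print(json.dumps(row))
```

Against a real server, replace the sample data with collect_violations(BASE_URL, username, password). Passing the credentials as arguments (rather than on a curl command line) keeps them out of shell history and process listings, and using a dedicated, minimally-privileged user as the page suggests limits what this integration can read.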