License threat groups are simply groups of licenses, broken into categories of severity for the various types of licenses. They help you enforce the use of components whose licensing matches the scope of your application.
Their primary purpose is to serve as the data points for the License section of the Application Composition Report. They are also a way to group the risk associated with licensing. By default, four license threat groups are included with Sonatype CLM:
Consult your legal department for exact definitions. The information provided above is taken from the following reference.
An important aspect of license threat groups is that each one also has a threat level, just like a policy (from 0, signifying no threat, up to 10). Unless you have specific legal advice or counsel, the default license threat groups will suffice, especially in the beginning.
If you wish, you can edit these default groups or create entirely new ones. When creating license threat groups, keep in mind that groups created at the organization level are inherited by all of its associated applications.
There are two key ways to create a license threat group:
There is really no difference between the two, as both require that you have the organization or application open at the time of creation. The one advantage of the Global Create button is that you can use it from whichever tab of the currently selected organization or application you are on, whereas otherwise you need to be on the License tab.
The following information needs to be completed before a license threat group can be saved.
On the left are the licenses included in the license threat group. Click a license to remove it.
On the right are the licenses that can be added to the group. Click a license to add it.
When everything is done, your screen should look like Figure 9.4, “Creating a Label Condition”, and you can click the Save button to finish.
A few things to remember:
In the example below, a new condition for the license threat group Banned Licenses will be added to a new policy.
These instructions assume that you already know how to create a policy.
In most cases a license is associated with one or more License Threat Groups. However, it is possible for a license to have no association with any License Threat Group. You can create a policy that detects when a component has a license that is not assigned to any License Threat Group.
In the example below, a new condition for detecting components whose license is not assigned to any License Threat Group will be added to a new policy.
These instructions assume that you already know how to create a policy.
A violation of this policy can be remediated simply by assigning the license involved to a License Threat Group.
To remediate a specific component instead, use the Component Information Panel (CIP) License tab to set the license Status to Selected or Overridden, and then select a license that is associated with at least one License Threat Group. Managing component licenses is discussed further in the Editing License Status and Information section of the Application Composition Report chapter.
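The following is an added, constructed model of the behaviour described in this chapter; it is not Sonatype's code and does not use any CLM API. It shows how license threat groups inherited from an organization combine with an application's own groups, how the two policy conditions above (license is in a named threat group; license is in no threat group) produce violations, and how overriding a component's license to one that belongs to a group clears the second kind of violation. All group names, threat levels, policies and component coordinates are made up for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class LicenseThreatGroup:
    """A named set of licenses with a threat level from 0 (no threat) to 10."""
    name: str
    threat_level: int
    licenses: frozenset

    def __post_init__(self):
        if not 0 <= self.threat_level <= 10:
            raise ValueError("threat level must be between 0 and 10")


def effective_groups(org_groups: Sequence[LicenseThreatGroup],
                     app_groups: Sequence[LicenseThreatGroup]) -> List[LicenseThreatGroup]:
    """Organization groups are inherited by the application; the application may add
    groups of its own. Refusing to shadow an inherited name is a rule chosen for this
    example, not documented CLM behaviour."""
    by_name = {g.name: g for g in org_groups}
    for g in app_groups:
        if g.name in by_name:
            raise ValueError(f"group {g.name!r} is inherited from the organization")
        by_name[g.name] = g
    return list(by_name.values())


def groups_for(license_id: str, groups: Sequence[LicenseThreatGroup]) -> List[str]:
    """Names of every threat group that contains this license (may be empty)."""
    return [g.name for g in groups if license_id in g.licenses]


@dataclass
class Component:
    coordinates: str
    declared: Tuple[str, ...]          # licenses found in the component's metadata
    status: str = "Open"               # "Open", "Selected" or "Overridden" (CIP License tab)
    chosen: Optional[str] = None       # the license picked when status is not Open

    def licenses_to_evaluate(self) -> Tuple[str, ...]:
        if self.status in ("Selected", "Overridden") and self.chosen:
            return (self.chosen,)
        return self.declared


@dataclass
class Policy:
    name: str
    threat_level: int
    group_name: Optional[str] = None   # condition: license is in this threat group
    unassigned: bool = False           # condition: license is in no threat group


def evaluate(components, groups, policies) -> List[Tuple[str, str, str]]:
    """Return (policy, component, license) triples for every condition that matches."""
    violations = []
    for comp in components:
        for lic in comp.licenses_to_evaluate():
            members = groups_for(lic, groups)
            for pol in policies:
                in_named_group = pol.group_name is not None and pol.group_name in members
                in_no_group = pol.unassigned and not members
                if in_named_group or in_no_group:
                    violations.append((pol.name, comp.coordinates, lic))
    return violations


def remediate_by_override(comp: Component, groups, new_license: str) -> None:
    """Model the CIP remediation: override the license with one that belongs to
    at least one threat group. Overriding to an unassigned license would not
    clear the violation, so it is rejected."""
    if not groups_for(new_license, groups):
        raise ValueError(f"{new_license!r} is not assigned to any License Threat Group")
    comp.status = "Overridden"
    comp.chosen = new_license


# Constructed sample data (not CLM defaults).
ORG_GROUPS = [
    LicenseThreatGroup("Banned Licenses", 10, frozenset({"GPL-3.0"})),
    LicenseThreatGroup("Liberal", 0, frozenset({"Apache-2.0", "MIT"})),
]
APP_GROUPS = [LicenseThreatGroup("Internal Approved", 1, frozenset({"Proprietary-ACME"}))]
POLICIES = [
    Policy("No banned licenses", 10, group_name="Banned Licenses"),
    Policy("Unassigned license", 5, unassigned=True),
]


def demo():
    groups = effective_groups(ORG_GROUPS, APP_GROUPS)
    comps = [
        Component("org.example:gpl-lib:1.0", ("GPL-3.0",)),
        Component("org.example:odd-lib:2.1", ("Custom-EULA-Text",)),   # license in no group
        Component("org.example:fine-lib:3.2", ("Apache-2.0",)),
    ]
    before = evaluate(comps, groups, POLICIES)
    remediate_by_override(comps[1], groups, "MIT")                      # CIP-style override
    after = evaluate(comps, groups, POLICIES)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before remediation:", before)
    print("after remediation: ", after)
```

Running the script shows two violations before remediation (the banned license and the unassigned one) and only the banned-license violation afterwards; the unassigned-license violation disappears because the overridden license MIT belongs to the Liberal group, which is exactly what the remediation steps above achieve in the CIP.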
Copyright © 2008-present, Sonatype Inc. All rights reserved.