This release represents a variety of improvements that came directly from customer requests. From adding improved API support and a new UI for viewing organizations and applications, there’s a little something for everyone. We even took the opportunity to update the way certain policy condition situations are handled. The summary of improvements is listed below, followed by details and links to the updated/new documentation.
To resolve cases where unexpected policy violations were produced for components with more than one security vulnerability, the evaluation of conditions about security vulnerabilities has been revised. Going forward, when a constraint has multiple conditions that must all be satisfied to trigger it, and a component has multiple vulnerabilities, at least one single vulnerability must meet all of the vulnerability-related conditions.
As a result of this change, some of the policy violations related to vulnerabilities that you observed in the past will resolve themselves after reevaluation with the new version of Sonatype CLM.
To better illustrate the expected changes, consider a component with two vulnerabilities, one with severity 9 and status Not Applicable and one with no severity and status Open. When evaluated against the Sonatype sample policies, prior versions of CLM reported violations of the Security-Unscored, Security-Low, Security-Medium and Security-High policies. After the update, only the Security-Unscored policy will be violated.
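The two evaluation semantics described above, written out as an added example (this is not Sonatype's code). The policy thresholds below, and the treatment of an unscored severity as 0 in numeric comparisons, are assumptions chosen so that the component from the release note reproduces the stated before/after results; the real sample policies may define their conditions differently.

```python
"""Old vs. new evaluation of multi-condition security constraints.

Assumptions (not Sonatype's actual definitions): the four sample policies are
modelled as the condition lists in SAMPLE_POLICIES, and an unscored
vulnerability compares as 0 in numeric severity conditions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Vulnerability:
    severity: Optional[float]  # None means the vulnerability has no score
    status: str                # e.g. "Open" or "Not Applicable"


Condition = Callable[[Vulnerability], bool]


def _score(v: Vulnerability) -> float:
    # Assumption: an unscored vulnerability compares as 0 in numeric conditions.
    return 0.0 if v.severity is None else v.severity


def _not_na(v: Vulnerability) -> bool:
    return v.status != "Not Applicable"


# Assumed stand-ins for the sample policies named in the release note.
SAMPLE_POLICIES: Dict[str, List[Condition]] = {
    "Security-Unscored": [lambda v: v.severity is None, _not_na],
    "Security-Low":      [lambda v: _score(v) > 0, lambda v: _score(v) < 4, _not_na],
    "Security-Medium":   [lambda v: _score(v) >= 4, lambda v: _score(v) < 7, _not_na],
    "Security-High":     [lambda v: _score(v) >= 7, _not_na],
}


def violated_old(conditions: List[Condition], vulns: List[Vulnerability]) -> bool:
    # Prior behaviour: each condition may be satisfied by a *different*
    # vulnerability, so conditions are checked independently across the set.
    return all(any(c(v) for v in vulns) for c in conditions)


def violated_new(conditions: List[Condition], vulns: List[Vulnerability]) -> bool:
    # Revised behaviour: at least one single vulnerability must satisfy
    # every condition of the constraint.
    return any(all(c(v) for c in conditions) for v in vulns)


def evaluate(vulns: List[Vulnerability],
             evaluator: Callable[[List[Condition], List[Vulnerability]], bool],
             policies: Dict[str, List[Condition]] = SAMPLE_POLICIES) -> List[str]:
    """Return the names of the policies violated by a component's vulnerabilities."""
    return [name for name, conds in policies.items() if evaluator(conds, vulns)]


# The component from the release note (constructed sample data): one
# vulnerability with severity 9 and status Not Applicable, one unscored and Open.
COMPONENT = [Vulnerability(9.0, "Not Applicable"), Vulnerability(None, "Open")]

if __name__ == "__main__":
    print("before:", evaluate(COMPONENT, violated_old))
    print("after: ", evaluate(COMPONENT, violated_new))
```

Under the old semantics the severity-9 vulnerability satisfies every lower bound and the unscored one satisfies every upper bound and the status check, so all four policies fire; under the new semantics no single vulnerability meets the Low, Medium or High conditions, and only Security-Unscored remains.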
This new API allows you to gather information about any component known to Sonatype CLM. The details provided won’t list policy violation information (that’s already covered with the Component Details by Report API). To learn about this new API and see a working example, check out the latest update to our API documentation.
To protect against cross-site request forgery (CSRF) attacks, a new configuration item was added; it is set to true by default. For more information on this configuration item, please see the section on CSRF Protection in the Nexus IQ Server chapter.
In the Managing Organizations and Applications area of Sonatype CLM Server, the navigational list has been changed to a tree view in order to improve the display of organizations and applications and their parent-child relationships. A filter box has been added to allow for easy searching and filtering of organizations and applications by name. For more information, see the Organization and Application Management Chapter.
The Sonatype CLM Server now supports additional configuration options for reverse proxy authentication for single sign-on (SSO). For more information, please review the Reverse Proxy Authentication section in the Nexus IQ Server Setup chapter.
To reduce the delay in reconnecting to an LDAP Server when a connection is lost, the default value of the Retry Delay setting has changed from 300 seconds (5 minutes) to 30 seconds. If you want a different reconnection interval, you can manually change this setting in the LDAP Administration area of Sonatype CLM Server. For more information, see the Configuring the LDAP Server Connection section of the Sonatype CLM - Security Administration chapter.