Documentation Nexus IQ Server 1.23

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

13.2. Understanding Repository Results

The Repository Results are displayed on IQ Server. They contain detailed information about policy violations and the components that violated those policies, as well as components that don’t have violations.

Figure 13.15. Repository Results (figs/web/repo-results.png)

At the top of the Repository Results view (shown in the figure above) is a summary section with the following information:

  • A count of components that were identified and scanned in the selected proxy repository.
  • A percentage of scanned components that are identified.
  • A count of policy violation alerts displayed by threat level.
  • A count of components affected by policy violations.
  • A count of quarantined components.

Below the summary section is a list of policy violations and the components that violated those policies. By default, this information is ordered by the highest policy threat level. You can refine the list using one of the following filter categories:

Filter
  • All - Every component in the proxy repository.
  • Exact - Components in the proxy repository that have an exact match to a component known to IQ Server.
  • Unknown - Components in the proxy repository that have no exact match in IQ Server and cannot be identified.
Violations
  • Summary - The most severe policy violation of each component.
  • All - Every policy violation and the components that violated those policies. A component may appear more than once, if it violated multiple policies.
  • Quarantined - Components that are prevented from being served by the proxy repository because they violate policy.
  • Waived - Only policy violations that have been waived.
[Note]

You can update the audit results for the entire proxy repository by clicking the Re-evaluate Policy button in the upper right corner of the Audit View. This is especially useful after an associated policy is added or modified on IQ Server. However, it may take some time if the repository is large.

During re-evaluation, any previously quarantined components remain quarantined, whether or not they still violate policy.

With quarantine enabled, if you delete a quarantined component, its quarantine status is also deleted. If you add the component back in, it is evaluated again just like any new addition to the repository. Currently the only way to remove a component from quarantine is to change the policy accordingly, then delete and add back the component.

Also, whenever you add or delete a component in the proxy repository, the audit results are automatically updated for the individual component only (not the entire repository).

13.2.1. Using the Component Information Panel (CIP)

When you click an individual component in the Repository Results, the Component Information Panel (CIP) opens with the Component Info tab displayed.

Component Info

This tab contains the same granular details about an individual component as the Component Info tab in Nexus Repository Manager. For an explanation of those details, see Component Info earlier in this chapter.

Figure 13.16. The Component Info Tab (figs/web/audit-view-component-info.png)

Policy

The Policy tab displays all policies that were violated by a component. Here you can see the name of the policy that has been violated (and any action that was taken), the name of the constraint that has been violated, and the value that was found.

While the Policy/Action and Constraint names are straightforward, the Condition Value may be a little confusing at first. A condition is simply the if part of an if/then statement. If a certain condition value is found, which is equivalent to the condition being met, then the policy is violated. For example, if a policy has a condition that is met when a security vulnerability is found, the Condition Value column would read Found x Security Vulnerabilities. In the same regard, Constraints are simply multiple conditions joined together.
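The condition/constraint model described above, together with the quarantine behaviour from the note earlier in this section (adding a component audits only that component, a quarantined component stays quarantined across a re-evaluation, deleting a component also deletes its quarantine status, and a waiver or policy change takes effect only at the next evaluation), as an added Python model written for this page. It is not IQ Server code: the policy names, the component fields, the `"*"` all-components waiver scope and the rule that every condition in a constraint must hold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Component:
    """A scanned component and the facts the scan produced (constructed fields)."""
    name: str
    vulnerabilities: int = 0
    license: str = "Apache-2.0"


@dataclass
class Condition:
    """The 'if' part of a policy: a predicate plus the Condition Value text shown when it is met."""
    test: Callable[[Component], bool]
    value: Callable[[Component], str]


@dataclass
class Constraint:
    """Several conditions joined together; in this model all of them must hold (assumption)."""
    name: str
    conditions: List[Condition]

    def evaluate(self, comp: Component) -> Optional[str]:
        """Return the Condition Value text if every condition is met, else None."""
        if all(cond.test(comp) for cond in self.conditions):
            return "; ".join(cond.value(comp) for cond in self.conditions)
        return None


@dataclass
class Policy:
    name: str
    threat_level: int          # results are ordered by threat level, highest first
    constraints: List[Constraint]
    action: str = "warn"       # "quarantine" stops the component from being served


@dataclass(frozen=True)
class Violation:
    policy: str
    action: str
    constraint: str
    condition_value: str
    threat_level: int


class ProxyRepository:
    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies
        self.components: Dict[str, Component] = {}
        self.results: Dict[str, List[Violation]] = {}
        self.quarantined: Set[str] = set()
        # waiver = (policy name, component name or "*" for all components)
        self.waivers: Set[Tuple[str, str]] = set()

    def _waived(self, policy: str, comp_name: str) -> bool:
        return (policy, comp_name) in self.waivers or (policy, "*") in self.waivers

    def _evaluate(self, comp: Component) -> List[Violation]:
        """Evaluate one component against every non-waived policy (Policy tab rows)."""
        found: List[Violation] = []
        for policy in self.policies:
            if self._waived(policy.name, comp.name):
                continue
            for constraint in policy.constraints:
                value = constraint.evaluate(comp)
                if value is not None:
                    found.append(Violation(policy.name, policy.action, constraint.name,
                                           value, policy.threat_level))
        found.sort(key=lambda v: v.threat_level, reverse=True)
        return found

    def add(self, comp: Component) -> List[Violation]:
        """Adding a component audits only that component, not the whole repository."""
        self.components[comp.name] = comp
        self.results[comp.name] = self._evaluate(comp)
        if any(v.action == "quarantine" for v in self.results[comp.name]):
            self.quarantined.add(comp.name)
        return self.results[comp.name]

    def delete(self, name: str) -> None:
        """Deleting a component also deletes its audit results and its quarantine status."""
        self.components.pop(name, None)
        self.results.pop(name, None)
        self.quarantined.discard(name)

    def waive(self, policy: str, component: str = "*") -> None:
        """Record a waiver; existing results change only at the next evaluation."""
        self.waivers.add((policy, component))

    def reevaluate(self) -> Dict[str, List[Violation]]:
        """Re-evaluate every component; previously quarantined components stay quarantined."""
        for name, comp in self.components.items():
            self.results[name] = self._evaluate(comp)
            if any(v.action == "quarantine" for v in self.results[name]):
                self.quarantined.add(name)
        return self.results

    def summary(self) -> Dict[str, int]:
        """The counts shown in the summary section of the Repository Results."""
        return {"components": len(self.components),
                "affected": sum(1 for v in self.results.values() if v),
                "quarantined": len(self.quarantined)}


def build_demo_repository() -> ProxyRepository:
    """Two constructed policies: a quarantining security policy and a warning license policy."""
    security = Policy("Security-High", 9, [Constraint("Has known vulnerabilities", [
        Condition(lambda c: c.vulnerabilities > 0,
                  lambda c: f"Found {c.vulnerabilities} Security Vulnerabilities")])],
        action="quarantine")
    copyleft = Policy("License-Copyleft", 5, [Constraint("Copyleft license", [
        Condition(lambda c: c.license.startswith("GPL"),
                  lambda c: f"Found license {c.license}")])])
    return ProxyRepository([security, copyleft])
```

Adding a component with two vulnerabilities and a GPL license returns both violations ordered by threat level; waiving the security policy for that component does not change its stored results until `reevaluate()` runs, and even then the component stays quarantined. Only `delete()` followed by a fresh `add()` clears the quarantine, which is the sequence the note describes.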

The Policy Tab (figs/web/audit-view-policy.png)

Licenses

The Licenses tab displays all Effective licenses, any licenses identified as declared by the author of the component, as well as any license found during the scan of the component source code. It also allows you to override the Effective license. To do this:

  1. Select the Scope of the override
  2. Select the Status
  3. Select one, or more, of the License(s)
  4. Optionally, but advised, provide a Comment
  5. Click Update

Figure 13.17. The Licenses Tab (figs/web/audit-view-licenses.png)

Vulnerabilities

The Vulnerabilities tab displays all security vulnerabilities related to a component. The list of vulnerabilities is sorted by Threat Level from highest to lowest risk. The Problem Code column displays unique identifiers obtained from security information websites such as CVE and OSVDB. The Info button provides additional information about each security vulnerability. Lastly, the Status column tracks the state of your research regarding the vulnerability.

Figure 13.18. The Vulnerabilities Tab (figs/web/audit-view-vulnerabilities.png)

If desired, you can change the security vulnerability status of a component in a proxy repository. This can help you keep track of your research when you investigate any security vulnerabilities identified by IQ Server.

To change the security vulnerability status of a component:

  1. In the Repository Results, click a desired component to open the Component Information Panel (CIP).
  2. Click the Vulnerabilities tab.
  3. In the list of vulnerabilities on the left, click one to select it.
  4. In the Status list on the right, select one of the following settings:

    • Open - The security vulnerability has not been reviewed; no research is under way.
    • Acknowledged - The security vulnerability is under review.
    • Not Applicable - The security vulnerability has been researched and deemed to have no effect on the repository.
    • Confirmed - The security vulnerability has been researched and deemed valid and applicable.
  5. Click Update to save the changed setting.

Labels

The Labels tab displays any component labels that have been defined previously at the root organization level on IQ Server. Component labels are metadata that is assigned to a component within the context of a particular application or organization.

Figure 13.19. The Labels Tab (figs/web/audit-view-labels.png)

Assigning a Label

When assigning a label, you will only see labels defined on the root organization.

To assign a label:

  1. Click a component you wish to assign a label to. The Component Information Panel (CIP) is displayed.
  2. Click the Label option from the CIP menu. Two boxes are displayed:

    • The Available box on the left displays all labels.
    • The Applied box on the right displays labels that have been assigned to the component.
  3. Click the button on the right side of a label to move it to the opposite side. You can hover over a label to view its description.
  4. Click on the + button on the right side of a label in the Available list to assign the label to the component.
  5. Click on the - button on the right side of a label in the Applied list to remove the label from the component.

When applying a label, you have the following options:

  • Assign label for a repository
  • Assign label for All Repositories
  • Assign label for all within the Root Organization

13.2.2. Waiving Repository Policy Violations

Policy violations for components found in your repositories can be waived with a number of options for the scope and target of the waiver. As with all features, make sure to verify you have the appropriate level of access provided by the role you have been assigned.

[Note]

Waiving policy violations for components in your repository is different from waiving for an application. See Section 11.9.2, “Adding a Waiver” for additional information on waiving components at that level.

Waive Policy Violation
  1. From within Nexus Repository Manager select a repository that has been evaluated.
  2. Click the IQ Policy Violations count for a repository. This will open the Repository Results hosted on IQ Server.
  3. Click a component that has a policy violation. This will expand the row to display the Component Information Panel (CIP).
  4. Click the Policy tab within the CIP to display the current policy violations for the selected component.
  5. Click the Waive button next to the policy violation you wish to waive.
  6. A dialog is displayed with the following settings:

    1. Determine the scope of the waiver:

      1. Repository - the selected repository [default]
      2. All repositories
      3. Organization - Root Organization (displayed only if you have the appropriate level of access)
    2. Determine the targeted component of the waiver:

      1. Selected component - the component name [default]
      2. All components
    3. Comments - Add a brief note if desired.
  7. Click the Waive button to complete the waiving process.

Figure 13.20. Waiving Policy Violations (figs/web/audit-view-policy.png)

View/Remove Existing Waivers
  1. From within Nexus Repository Manager select a repository that has been evaluated by IQ Server.
  2. Click the IQ Policy Violations count for a repository. This will open the Repository Results hosted on IQ Server.
  3. Just above the list of components, you will see three options in the Violations filter. Click Waived, and then click one of the displayed components.
  4. Click the Policy tab within the CIP to display the current policy violations for the selected component.
  5. Click the View Existing Waivers button located above the list of policy violations. The Component Waivers dialog is displayed.
  6. If you wish to remove a waiver, click the Remove icon (shaped like a minus sign). A confirmation dialog is displayed. Click the Remove button to remove the waiver.

Figure 13.21. Waiving Policy Violations (figs/web/repoman-view-waiver.png)

[Note]

Waivers are not applied until the Repository Results have been re-evaluated. This happens automatically if the targeted component is left at the default setting (i.e. not set to All). When the targeted component is set to All, a manual re-evaluation is needed before the waiver takes effect on results that previously applied the violation.