Documentation Nexus IQ Server 1.28

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

11.3. Results

The Results area displays risk information based on the state a policy was in at the time of the most recent evaluation, while the age of a violation is taken from its first occurrence. If policy changes have been made and a new evaluation has not been conducted, the changes will not be reflected in the currently displayed information.

The Results area provides several views of risk information, each of which is described below:

  • Policy Violation Trends
  • Violations
  • Components
  • Applications

11.3.1. Policy Violation Trends

At the top of the Results area, the View menu contains a Calculate Trends command. Calculate Trends opens a Policy Violation Trends dialog displaying policy violations trends that match your current filter.

[Note]

Calculating trends can take some time depending on the number and size of evaluations that match.

The purpose of Policy Violation Trends is to provide a quick, twelve-week look at how risk is entering your applications, and how you are handling that risk. The information is divided into four categories, with each category having four metrics over a twelve-week period.

Trend Categories

Pending

A policy violation that has been Discovered, but not yet Fixed or Waived, is Pending.

[Tip]

Reducing the number of pending violations is a critical task. Weekly delta bars above the x-axis indicate that more violations were discovered than fixed; green bars below the x-axis indicate that more violations were fixed than discovered.

Waived

This represents a count of policy violations that have been waived. This count is not included in Pending or Fixed, but is included in Discovered.

[Note]

For more information on waivers, see the Waivers section of the Application Composition Report chapter.

Fixed

A policy violation is Fixed when it no longer exists in any stage.

[Note]

When determining the Fixed state of a component, any filtered stages are not considered. That is, if you exclude a stage where a violation has occurred, the count for fixed may increase even though the violation is still present in the other stage.

Discovered

A policy violation is considered Discovered when it has been observed for the first time.

Policy Summary Metrics

Count
the total (all-time) count for the category.
AVG
the average age of violations in the category.
90%
indicates that 90 percent of violations have been in the category for less than this time.
Delta
the difference between the count for the current week (week twelve) and the count for the first week.
Weekly Deltas
the visual representation of each week’s unique delta.
12 Week Trend
the trend over twelve weeks.

[Tip]

It is not uncommon to see discovered violations trend upwards steeply, especially in the early phases of your implementation, and then plateau as you start developing a better component consumption process. Using your mouse to hover over values in the graphs will display the individual values for each week.
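The category definitions and summary metrics above can be worked through on a small set of violations. The following is an added example, not code from Sonatype or from IQ Server: it models each unique violation by the week (1 to 12 of the trend window) in which it was discovered, fixed or waived, applies the rules stated in this section (a waived violation is counted in Discovered but not in Fixed; Pending is Discovered but neither Fixed nor Waived), and computes Count, AVG, 90%, Delta and the weekly deltas per category. The sample records, the nearest-rank method for the 90% value and the treatment of week 1's delta as relative to zero are assumptions of the example.

```python
from dataclasses import dataclass
from math import ceil
from statistics import mean
from typing import Optional


# Constructed sample data (not taken from IQ Server): one record per unique
# policy violation, with the week (1..12 of the trend window) in which each
# state change was first observed. None means the event has not happened.
@dataclass(frozen=True)
class Violation:
    violation_id: str
    discovered_week: int
    fixed_week: Optional[int] = None
    waived_week: Optional[int] = None


SAMPLE_VIOLATIONS = [
    Violation("v1", discovered_week=1),
    Violation("v2", discovered_week=1, fixed_week=3),
    Violation("v3", discovered_week=2, waived_week=4),
    Violation("v4", discovered_week=5),
    Violation("v5", discovered_week=6, fixed_week=10),
    Violation("v6", discovered_week=9),
    Violation("v7", discovered_week=11),
    Violation("v8", discovered_week=12, fixed_week=12),
]

CATEGORIES = ("Pending", "Waived", "Fixed", "Discovered")
WEEKS = range(1, 13)


def entered_week(v: Violation, category: str) -> Optional[int]:
    """Week in which the violation entered the category, or None if it never did.

    Follows the section's definitions: Discovered is the first observation;
    a waived violation is counted in Discovered but not in Fixed; Pending
    starts at discovery and ends at the first fix or waiver.
    """
    if category in ("Discovered", "Pending"):
        return v.discovered_week
    if category == "Waived":
        return v.waived_week
    if category == "Fixed":
        return None if v.waived_week is not None else v.fixed_week
    raise ValueError(f"unknown category {category!r}")


def in_category(v: Violation, category: str, week: int) -> bool:
    """True if the violation is counted in the category as of the given week."""
    start = entered_week(v, category)
    if start is None or start > week:
        return False
    if category == "Pending":
        # Pending ends as soon as the violation is fixed or waived.
        for exit_week in (v.fixed_week, v.waived_week):
            if exit_week is not None and exit_week <= week:
                return False
    return True


def weekly_counts(violations, category: str) -> list:
    """Category count at the end of each of the twelve weeks (the 12 Week Trend)."""
    return [sum(in_category(v, category, w) for v in violations) for w in WEEKS]


def category_metrics(violations, category: str, current_week: int = 12) -> dict:
    """Count / AVG / 90% / Delta / Weekly Deltas for one trend category.

    Age is measured in weeks spent in the category. The 90% value uses the
    nearest-rank percentile; the page does not say which percentile method the
    product uses, so that is an assumption of this example.
    """
    counts = weekly_counts(violations, category)
    ages = sorted(current_week - entered_week(v, category)
                  for v in violations if in_category(v, category, current_week))
    p90 = ages[ceil(0.9 * len(ages)) - 1] if ages else 0
    # Week 1 has no predecessor; its delta is taken relative to zero (assumption).
    weekly_deltas = [counts[i] - (counts[i - 1] if i else 0) for i in range(len(counts))]
    return {
        "count": counts[current_week - 1],
        "avg_age": mean(ages) if ages else 0,
        "p90_age": p90,
        "delta": counts[current_week - 1] - counts[0],
        "weekly_deltas": weekly_deltas,
        "trend": counts,
    }


def trend_report(violations) -> dict:
    """All four categories, as the Policy Violation Trends dialog lays them out."""
    return {c: category_metrics(violations, c) for c in CATEGORIES}


if __name__ == "__main__":
    for category, m in trend_report(SAMPLE_VIOLATIONS).items():
        print(f"{category:<10} count={m['count']:<3} avg={m['avg_age']:.1f} "
              f"90%={m['p90_age']:<3} delta={m['delta']:+d} deltas={m['weekly_deltas']}")
```

Because Pending, Waived and Fixed partition the Discovered set under these definitions, the three counts add up to the Discovered count in every week; that sum is a useful sanity check when reproducing the dialog's numbers from exported data.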

11.3.2. Violations

Violations is the default view for the Dashboard. It displays the one hundred newest component violations found in your applications. The data in this view can be narrowed using the filters and is organized into the columns described below.

[Note]

A violation is only considered new the first time it is discovered, even if it is found in different stages. For example, if a violation is found at the first of the month during an evaluation at the Build stage, and then again at the end of the month at the Release stage, only the occurrence at the build stage is considered new.

Threat
The assigned threat level of the violated policy.
Policy
The name of the policy violated.
Application
The name of the application the component violating the policy was found in.
Component
The identifying information for a component. For known components, all available coordinate information will be displayed, while unknown components will have the filename. Clicking on the component will display the Component Detail Page.
Age
Displays the age of the violation based on the most recent date it occurred.
Latest Report
Links to the latest available report.

11.3.3. Components

The Components View displays the first 100 highest risk components based on any filters that have been set and your level of access. Risk is represented in several ranges (Total, Critical, Severe, Moderate and Low).

To calculate the total risk for each component, the threat levels of all policies the component has violated are added together. In other words, component risk is the sum of policy violation threat levels for the component. A similar calculation is done for each risk range.

Now, this may leave you wondering, "What about the duplication of violations across stages, or even in the same stage?"

Good question.

For all calculations, a violation is only counted once. When there are multiple instances of the same violation, only the most recent occurrence is counted, regardless of stage. Because of this, in cases where a policy has been changed between evaluations, the violation from the latest evaluation is the one included. This is true even if the change to the policy included its threat level.

Now, let’s take a look at each individual column, which has been described below.

Name
The identifying information for a component. For known components, all available coordinate information will be displayed, while unknown components will have the filename. Clicking the component row will display the Component Detail Page.
Affected Apps
The sum of applications that are affected by a policy violation due to this component.
Total Risk
The sum of the threat level for each policy the component has violated. In cases where the same violation is found in multiple stages, only the newest violation is included in this total.
Critical
The sum of the component’s policy violations with a threat level of eight or higher.
Severe
The sum of the component’s policy violations with a threat level higher than three, but less than eight.
Moderate
The sum of the component’s policy violations with a threat level higher than one, but less than four.
Low
The sum of the component’s policy violations with a threat level of one.

11.3.4. Applications

The Applications view displays the first 100 highest risk applications based on any filters that have been set, and your level of access.

Like a component, risk for an application is associated with the threat level of a policy. In the case of application risk, it is the sum of policy threat levels that correspond to unique policy violations for the components in an application.

This produces a total count by stage. The unique occurrences are then added together to create the total risk of an application. Put another way, application risk is the sum of all unique policy violation threat levels across all stages and policies the application is evaluated against.

Similar to the By Component view, for all calculations a violation is only counted once. When there are multiple instances of the same violation, only the most recent violation is counted, regardless of stage. Because of this, in cases where a policy has been changed between evaluations, only the violation from the latest evaluation is included. This is true even if the change to the policy included its threat level.

In the Applications view, risk is broken down into six columns described below.

[Tip]

Click the stage name to see the most recent Application Composition Report for the corresponding application and stage.

For additional detail, take a look at the descriptions of each column below.

Application
The name of the application is displayed here. Click the expand icon (the small triangle icon), to display the results for each stage.
Total Risk
The sum of the threat levels for all policy violations in the application. In cases where the same violation is found in multiple stages, only one violation is included in this risk score.
Critical
The sum of policy violations in the application with a threat level of eight or higher.
Severe
The sum of policy violations in the application with a threat level higher than three, but less than eight.
Moderate
The sum of policy violations in the application with a threat level higher than one, but less than four.
Low
The sum of policy violations in the application with a threat level of one.
[Tip]

Remember, if your filters exclude data in any of these categories, this information will not be displayed.
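The risk calculations described for the Components view (11.3.3) and the Applications view (11.3.4) can be reproduced from raw evaluation results. The following is an added example written for this page, not code from Sonatype or IQ Server: it takes a constructed list of per-stage violation records, keeps only the most recent occurrence of each violation regardless of stage (so the threat level from the latest evaluation wins after a policy change), sums threat levels into Total Risk and into the Critical, Severe, Moderate and Low ranges using the thresholds given above, and ranks rows highest-risk first. The sample records, the choice of (application, component, policy) as the unique violation for the Applications view, (component, policy) across applications for the Components view, and the Affected Apps counting rule are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass(frozen=True)
class ViolationRecord:
    """One policy violation as reported by one evaluation of one stage."""
    application: str
    stage: str
    component: str
    policy: str
    threat_level: int
    evaluated_on: date


# Constructed evaluation results (not IQ Server data). In app-1, lib-a violates
# Security-High in both the build and the release stage; the release evaluation
# is newer and ran after the policy's threat level was lowered from 9 to 7, so
# 7 is the value that counts for app-1.
SAMPLE_RECORDS = [
    ViolationRecord("app-1", "build",   "lib-a", "Security-High",    9, date(2020, 1, 3)),
    ViolationRecord("app-1", "release", "lib-a", "Security-High",    7, date(2020, 1, 28)),
    ViolationRecord("app-1", "build",   "lib-a", "License-Copyleft", 3, date(2020, 1, 3)),
    ViolationRecord("app-1", "build",   "lib-b", "Architecture-Old", 1, date(2020, 1, 3)),
    ViolationRecord("app-2", "stage",   "lib-a", "Security-High",    9, date(2020, 1, 10)),
    ViolationRecord("app-2", "stage",   "lib-c", "Security-Medium",  5, date(2020, 1, 10)),
]

RANGES = ("Critical", "Severe", "Moderate", "Low")


def newest_per_key(records, key):
    """Keep only the most recent record per key, regardless of stage.

    This is the "a violation is only counted once" rule: the record from the
    latest evaluation wins, including whatever threat level it carried.
    """
    latest = {}
    for r in records:
        k = key(r)
        if k not in latest or r.evaluated_on > latest[k].evaluated_on:
            latest[k] = r
    return list(latest.values())


def risk_range(threat_level: int) -> Optional[str]:
    """Map a threat level to a dashboard risk range using the section's thresholds."""
    if threat_level >= 8:
        return "Critical"
    if 4 <= threat_level <= 7:
        return "Severe"
    if 2 <= threat_level <= 3:
        return "Moderate"
    if threat_level == 1:
        return "Low"
    return None  # the page assigns no range to other values


def risk_breakdown(records) -> Dict[str, int]:
    """Total Risk plus per-range sums of threat levels for deduplicated records."""
    out = {"Total Risk": 0, **{name: 0 for name in RANGES}}
    for r in records:
        rng = risk_range(r.threat_level)
        if rng is not None:
            out[rng] += r.threat_level
            out["Total Risk"] += r.threat_level
    return out


def application_view(records):
    """Risk columns of the Applications view, one entry per application."""
    # Assumption: a unique violation for an application is (component, policy) within it.
    unique = newest_per_key(records, lambda r: (r.application, r.component, r.policy))
    by_app = defaultdict(list)
    for r in unique:
        by_app[r.application].append(r)
    return {app: risk_breakdown(recs) for app, recs in by_app.items()}


def component_view(records):
    """Risk columns of the Components view, one entry per component.

    Assumption: the component-level unique violation is (component, policy)
    across all applications, and Affected Apps counts every application in
    which the component appears with any violation.
    """
    unique = newest_per_key(records, lambda r: (r.component, r.policy))
    by_comp = defaultdict(list)
    for r in unique:
        by_comp[r.component].append(r)
    affected = defaultdict(set)
    for r in records:
        affected[r.component].add(r.application)
    return {c: {"Affected Apps": len(affected[c]), **risk_breakdown(recs)}
            for c, recs in by_comp.items()}


def rank_by_total_risk(view, limit: int = 100):
    """Highest-risk rows first, capped like the dashboard's first-100 listing."""
    return sorted(view.items(), key=lambda kv: kv[1]["Total Risk"], reverse=True)[:limit]


if __name__ == "__main__":
    for name, row in rank_by_total_risk(application_view(SAMPLE_RECORDS)):
        print("application", name, row)
    for name, row in rank_by_total_risk(component_view(SAMPLE_RECORDS)):
        print("component  ", name, row)
```

With the sample data, app-1's Security-High violation contributes 7 (the release-stage value) rather than 9 or 16, which is the effect of counting each violation once and taking the latest evaluation; the same record also lands in Severe rather than Critical because the range is decided by the threat level that was current at the latest evaluation.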