At its core, Sonatype CLM uses policies to manage component usage. Policies provide automated guidance and enforcement throughout the software lifecycle, allowing for direct, stage-appropriate actions. For example, developers can be warned early in the IDE with little consequence, while applications, ready to be released, can be failed to protect production systems. Since policy actions are automated, policy designers can focus their time and effort on designing optimal criteria which application components should meet.
But, what’s the best approach for someone just getting started, or even seasoned policy management veterans? As you might have guessed, simply setting builds to fail and hoping for the best could be disastrous for production velocity.
As a best-practice approach, we recommend that you start your policy management using an audit process. Perform a few policy tests to see how an application, or applications, will react to a proposed policy, prior to vetting it against your entire development organization. This avoids ratcheting up threat detection or actions too quickly, since developers can be overwhelmed by a list full of red, or other high threat level colors.
With the latest Sonatype CLM release (v 1.5), all of this is possible. Here are some of the latest enhancements.
Policy Import & Export Sonatype - CLM supports the ability to import and export policies. To get you started, we provide a set of default policies that can be imported. Once you have modified these policies to suit your needs, you can export and import them to manage additional projects or support other teams.
Policy Validation / Re-Evaluation - Waiting for a project to rebuild before you can see the impact of policy, can be a time consuming process. Doing that for each policy change makes it even more difficult. For these reasons, Sonatype CLM now provides the ability to validate policies based on application data. CLM also supports the ability to refresh the policy analysis at the CLM Server or Report level, allowing you to measure the effect of policy modifications or triage work.
Informational Threat Level - A new policy threat level (color code blue, numeric level one) allows you to distinguish informational items from items that require action. This can be used to inform the developer or others of items that may require action in the future. This approach also eliminates noise that may impact developer work and provides an option for policies that can encourage behavior without an enforcing action.
Claiming Unknown Components and Global Proprietary Package Support - Sonatype CLM supports all types of components - known components downloaded from the Central Repository, custom components that you have developed, unknown components from external sources, etc. It's important to be able to differentiate between these component types and to create boundaries that can be used to manage them effectively. In this release, we’ve added the ability to claim any component that isn’t an exact match to one in Central. We also provide the ability to define proprietary packages a global level, for all applications in your organization.
Additional Updates -
- Delete Application ID - Application IDs aren't forever, so now you can delete them... forever.
- Editable Reports (CLM Server) - You told us that you'd prefer the ability to edit report directly on the CLM Server, and now you can.
- Bug Fixes - Several minor bug fixes are included in this release.
That’s not all though. There's even more to come for policy and application management. In upcoming releases we’ll be including the ability to manage policies using hierarchical organizations, with inheritance for applications within the same organization.
The official release notes are here.
For download and installation instructions, check here.
As always, if you have ideas, questions, feedback about policy related enhancements, please let us know.
The Sonatype CLM Team
