In March, we talked about improvements to the Nexus Lifecycle policy tools and waivers. This month we’ve taken another step forward with better policy and waiver controls. This update helps development teams manage open source software components more easily across their projects.
Nexus Lifecycle improves your development pipeline with management tools that enhance quality and speed delivery, all at scale. This release goes beyond Nexus Lifecycle’s advanced reporting to enhanced searching, and makes policies even more flexible within your existing development tools.
Sonatype Nexus helps ensure that teams are only using the safest and most legally compliant software components, but flexibility is key. Different teams inside your organization have different risk profiles that may justify unique policies.
Just about every organization has a diverse set of projects, ranging from internal tools that never see the light of day to crucial software exposed to the internet. For mission-critical application teams, smart and effective security notifications are part of the process. Applying those same notifications and policy enforcement to internal applications used by small teams could unnecessarily delay releases.
You need smarter software that reacts to your team’s needs and requirements.
Policy enforcement override
Nexus Lifecycle now lets you override corporate policy settings when onboarding new projects, adapting policy enforcement to those specific projects. Alongside this flexibility, policy waivers keep all the necessary tracking so that the right controls are maintained and nothing crucial is missed.
Policy Enforcement Override enables customers to onboard applications at scale while continuing to build software. You can choose to inherit some or all of the base controls, including current waivers and license standards (pictured below).
Sonatype’s Policy Override configuration screen
More controls for security waivers
While Nexus Lifecycle automates many features of the development process for better open source security, some decisions are fully human. The best software tools flag issues for developers within their workflow without making demands. This keeps development teams in the driver’s seat, for example when a problematic software component:
- Is used within a carefully controlled environment
- Has no real alternative
With Nexus Lifecycle, security teams can permit developers to make exceptions, called Waivers, that set aside specific security and license alerts.
Example violation Waiver
Option to Waive All Versions
Teams can now create waivers not just for a specific release but for all versions of a component. Current customers can access this by selecting All Components from the Add Waiver screen inside Nexus Lifecycle, as shown below.
Add waiver screen with the new “All Components” option
Waivers can still be issued for a limited time to ensure they are reviewed again, but a waiver can also be created without an expiration if necessary.
Screenshot of available Waiver timeframes
This helps with vulnerabilities in required components that cannot be remediated. Waive All Versions helps developers by:
- Reducing distractions for known issues
- Freeing up energy spent on managing waivers for also-vulnerable versions
Advanced search enhancements
During the Log4Shell incident, security leaders wanted to quickly identify every instance of the Log4J component, including safe versions. To address this need, Nexus Lifecycle’s search tool now finds all components in your development lifecycle, not just those flagged as vulnerable.
Other benefits of better search:
- Improved maintainability - show developers which components the organization is already using
- Software categories - view all software used for, say, telemetry, logging, or authentication
- Resolving compatibility issues - find and fix problems beyond policy violations, such as compatibility, less-than-ideal licenses, or yet-to-be-published CVEs
Advanced search prompt screen with available search tags
Search results view for the “Bouncy Castle” vulnerability
Customers can also export search results as a standard comma-separated values (CSV) file. This enables internal component audits, sharing with other teams, or creating a software supply chain management checklist.
Export results option
More information and a demonstration of Advanced Search functionality from my.sonatype.com are in the video below:
All of this functionality will be released in version 140 in early July, with the Release Notes updated upon release.
About Nexus Lifecycle
Nexus Lifecycle is a complete software supply chain management solution that works within your development pipeline. It empowers developers to find and fix open source security vulnerabilities at every stage of the software development lifecycle. Request a demo today for Nexus Lifecycle.