Smarter policy and advanced component search with Sonatype Lifecycle updates

June 30, 2022 By Chris Good

In March 2022, we talked about improvements to the Sonatype Lifecycle policy tools and waivers. This month we've taken another step forward with better policy and waiver controls. This update helps development teams manage open source software components more easily across their projects.

Sonatype Lifecycle improves your development pipeline with management tools that enhance quality and speed delivery, all at scale. This release adds enhanced searching to Sonatype Lifecycle's advanced reporting and makes policies even more flexible within your existing development tools.

Customized policy

Sonatype Platform helps ensure that teams are only using the safest and most legally compliant software components, but flexibility is key. Different teams inside your organization have different risk profiles that may justify unique policies.

Just about every organization has a diverse set of projects, ranging from internal tools that don't see the light of day to crucial software exposed to the internet. For mission-critical application teams, smart and effective security notifications are part of the process. If those same notifications and policy enforcement are applied to internally accessed applications in use by small teams, they could unnecessarily delay releases.

You need smarter software that reacts to your team’s needs and requirements.

Policy enforcement override

Sonatype Lifecycle now lets you override corporate policy settings when onboarding new projects to adapt policy enforcement to those specific projects. While providing this flexibility, policy waivers provide all necessary tracking to make sure that the right controls are maintained and nothing crucial is missed.

Policy Enforcement Override will enable customers to onboard applications at scale, while continuing to build software. You can choose to inherit some or all of the base controls, including current waivers and license standards (pictured below).

Sonatype’s Policy Override configuration screen

More controls for security waivers

While Sonatype Lifecycle automates many features of the development process for better open source security, some decisions are fully human. The best software tools flag issues for developers within their workflow but without making demands. This keeps development teams in the driver's seat, for example when a problematic software component:

  • Is used within a carefully controlled environment
  • Has no real alternative

With Sonatype Lifecycle, security teams can permit developers to make exceptions, or Waivers, to set aside security and license alerts.

Example violation Waiver

Option to Waive All Versions

Teams can now create waivers not just for a specific release, but for all versions. Current customers can access this by selecting All Components from the Add Waiver screen inside Sonatype Lifecycle, as shown below.

Add waiver screen with the new "All Components" option

Waivers can still be issued for a limited time to ensure they are reviewed again, but a waiver can be created without expiration if necessary.

Screenshot of available Waiver timeframes

This helps address vulnerabilities in necessary component software that cannot be remediated. Waive All Versions helps developers by:

  • Reducing distractions for known issues
  • Freeing up energy spent on managing waivers for also-vulnerable versions

More on Sonatype Lifecycle Enhanced Policy Waivers

Advanced search enhancements

During the Log4Shell incident, security leaders wanted to quickly identify every instance of the Log4j component, including safe versions. To address this need, Sonatype Lifecycle's search tool now finds all components in your development lifecycle, not just those marked with a vulnerable status.

Other benefits to better search:

  • Improve maintainability - showing developers what components the organization is already using
  • Software categories - look at all software used in (for example) telemetry, logging, or authentication
  • Resolve compatibility issues - find and resolve issues beyond just violations, looking at compatibility, less-than-ideal licenses, or yet-to-be-published CVEs

Advanced search prompt screen with available search tags

Search results view for the "Bouncy Castle" vulnerability

Customers can also export search results to a standard comma-separated spreadsheet. This can enable internal component audits, sharing with other teams, or creation of a software supply chain management checklist.

Export results option

More information and a demonstration of Advanced Search functionality from my.sonatype.com is in the video below:

"Have you Heard" Advanced Search video.



All this functionality will be released in version 140 in early July, with the Release Notes updated upon release.

About Sonatype Lifecycle

Sonatype Lifecycle is a complete software supply chain management solution that works within your development pipeline. It empowers developers to find and fix open source security vulnerabilities at every stage of the software development life cycle (SDLC). Request a demo today for Sonatype Lifecycle.
