How does this change benefit my organization?
What is the impact of these improvements to my organization?
IMPORTANT NOTE: When new policy violations are triggered, any enforcement actions (warn/fail) configured for that policy will also be triggered. For example, if a "Fail" action is configured for the Build stage, developer builds will fail.
What are the proactive measures to help prepare for the update?
Since all application scans occurring on or after June 25th, 2018 will receive the new results, here are a few recommendations on how best to prepare:
Consider disabling enforcement actions across your policies to provide each team sufficient time to assess the new findings prior to failing a development stage.
Since this update includes both expanded coverage of new data and enhanced accuracy of existing data, it will be difficult to compare a new report to an old one. To obtain a list of the new policy violations resulting from the update, configure policy notifications. Because notifications only include new violations, the recipient will receive a notification listing each new policy violation for a given application that results from the update.
Export a snapshot of the Dashboard View Application Tab to provide high level comparison following the update. To increase the filter to include more than 100 applications in the export, refer to this KB Article.
Can I reevaluate all applications at once?
In cases where applications are built infrequently, resulting in a time gap between scans, it may be beneficial to initiate a "Reevaluate" of applications from the administrative port.
This first requires that Continuous Monitoring be configured for all applications in scope.
You can then trigger continuous monitoring to run immediately by issuing the following request to the IQ Server's administrative port (default is 8071):
$ curl -X POST http://localhost:8071/tasks/triggerPolicyMonitor
The following response indicates that it is complete: "Completed manual Policy Monitor execution"
You will need access to the administrative port used for IT debugging and operations, not the usual IQ Server administrator role.
IMPORTANT NOTE: The IQ Server may experience a temporary performance impact in cases where Reevaluate is triggered across a large number of applications. We advise planning this for a period of downtime or decreased developer activity.
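The trigger-and-verify step above, wrapped as an added example script (not part of the original post or of the IQ Server product): it POSTs to the administrative port, checks the HTTP status, and confirms the documented completion text before reporting success. The admin URL argument, the 60-second timeout, and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Triggers the IQ Server policy
# monitor on the administrative port (default 8071) and verifies the
# documented response text. Run this during low developer activity, as the
# post notes a temporary performance impact across many applications.

EXPECTED="Completed manual Policy Monitor execution"

# Returns 0 when the response body contains the documented completion text.
is_monitor_complete() {
    case "$1" in
        *"$EXPECTED"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# POST to the admin port; prints the outcome and returns 0 only on success.
# $1: base URL of the administrative port (assumed; defaults to localhost).
trigger_policy_monitor() {
    admin_url="${1:-http://localhost:8071}"
    # -w appends the HTTP status on its own line so body and status can be split.
    raw=$(curl -sS --max-time 60 -X POST -w '\n%{http_code}' \
          "${admin_url}/tasks/triggerPolicyMonitor") || {
        echo "error: could not reach ${admin_url} (is the admin port exposed to this host?)" >&2
        return 2
    }
    status=$(printf '%s\n' "$raw" | tail -n 1)
    body=$(printf '%s\n' "$raw" | sed '$d')

    if [ "$status" != "200" ]; then
        echo "error: HTTP ${status} from admin port: ${body}" >&2
        return 3
    fi
    if ! is_monitor_complete "$body"; then
        echo "error: unexpected response: ${body}" >&2
        return 4
    fi
    echo "policy monitor run completed: ${body}"
    return 0
}

# Only contact the server when explicitly asked: ./script.sh --run [admin-url]
case "${1:-}" in
    --run) trigger_policy_monitor "${2:-}" ;;
esac
```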
How often does Sonatype provide these data updates?
Utilizing a combination of automated and in-depth manual research, Sonatype Data Research provides continuous updates made immediately available to all IQ Server instances through Sonatype Data Services.
Given the complexities, when necessary, Sonatype will provide significant updates outside of the aforementioned continuous process. In these exceptional cases, we take care to inform you by providing an explanation of the update, sufficient lead time to communicate across your organization, and proactive guidance on how best to prepare.
Where can I ask additional questions?
You can reply directly to this post. If you are not already registered to the Sonatype User Community, you will be prompted to create an account. This will empower you to create and reply to other threads initiated by both the Sonatype team and your community peers. Notifications can be easily configured to ensure you are aware of updates for a specific thread and/or important announcements within the Community.