Policy violations are key to managing, understanding, and remediating open source risk across your organization’s applications. The more awareness you have around your violations - associated components, violation severity, etc. - the easier it is to reduce your overall business risk.
Sonatype has been working to make policy violation information in Nexus Lifecycle easier to reach and easier to review.
In IQ Server release 94, policy violation information is directly accessible from your main dashboard, as seen below. Everything you need to know in order to remediate a violation is on this one page. This cuts the time it takes to find the information and puts all remediation guidance in one place, so you spend less time researching how to fix an issue and more time taking remediation actions. Take a look below.
Navigating the Policy Violations Page
This new view provides a much easier, at-a-glance way to review emerging policy violations within your applications without having to dig into a specific report. From the dashboard, apply filters to narrow down where you want to focus, then open the known information about a violation in a single click. The filters applied on the dashboard persist, so you can step through the other violations those filters captured without returning to the dashboard.
Navigation Panel - Toggle between the policy violations for components or applications that match the currently applied dashboard filters.
Violations Overview - This summary section shows the history of a given policy violation and the stages in which it has appeared. For each stage that has a report, a link takes you to the most recent Application Report in which the policy violation was identified. The ‘Root Organization’ link directs you to the ‘Orgs and Policies’ tab.
Vulnerability Details - View details about a given policy violation, specifically the vulnerability (CVE) descriptions and remediation recommendations.
You’ll want to use the Policy Violations Details page to see everything about a given policy violation in one view - constraints, security vulnerability details, etc. - without having to do a deep-dive into the actual bill of materials.
After completing a scan, go straight to your Nexus Lifecycle dashboard to review emerging policy violations. Apply the filters you need (they persist when you open a violation, so you don’t have to toggle back and forth between pages), then click any row within the table to open the new page. The details about that policy violation are then directly at your fingertips, saving the time you would otherwise spend searching for the right report.
What ecosystems does this cover?
The violations details page covers all currently available ecosystems. Find a list of all of our supported ecosystems here.
How does this compare to the Component Information Panel (CIP)?
This page is separate from the CIP but contains some of the same information, consolidated in one place. The CIP remains accessible as before.
Where can I ask additional questions?
You can reply directly to this post. If you are not already registered with the Sonatype User Community, you will be prompted to create an account, which lets you create and reply to threads started by both the Sonatype team and your community peers. Notifications can be configured so you are aware of updates to a specific thread and of important announcements within the Community.