Policy-Centric Application Report Feedback and Discussion

An upcoming release of the Nexus IQ Server will feature a preview of the new Policy-Centric Application Report. Feedback and discussion about this new user interface can be posted here.

Please do not replace the Security Issues view with this new report. It will break our process flow for application security meetings. The way the information is presented in the current security issues is one of the best available for products in this field and is one of the major reasons we purchased this product over competitors.

The current Security Issues report clearly shows the CVE and status. Then the CVE details and component info are just a single click away. With the new report, CVE details are much more buried and take 4 clicks to get to, and the status of each item is not viewable on the report without clicking each individual entry.

Currently we pull up the Security Issues report on remote meetings and use that to guide discussion. It works great and is one of our favorite features of the product. This new proposed format, if it replaces the Security Issues report, will not be usable in its current form for our meetings.

Please do not take away functionality that is heavily used just to introduce a more C-level friendly view. Remember that real technical people use these reports and screens and do not benefit from technical information being hidden from them.

1 Like

Hi Peter,

Thank you for taking the time to leave your feedback on the policy-centric report redesign. Totally understand your concerns about the security issues view, and wanted to assure you that you’ll still be able to access that info through the “Options” menu as “Raw Data” - available in an upcoming release. I added a mockup of what this will look like.

The new default view of the report is meant to easily answer which policy violations occurred for that evaluation. The security info you’re referencing can still be used to audit your findings.

We have a guide available that goes over what’s in the new report, so please check that out for more info: Policy-Centric Application Report - Sonatype Guides

Yeah, that’s not the same report and doesn’t display the same fields (where is status?). Why are we getting rid of a view that already works well? I understand wanting to add additional views, but why get rid of what your customers have already built their processes around? This is not only disruptive, but also disrespectful of the time and effort we have put in to integrate your products into our appsec program.
I just really don’t want to see this product go the way of so many others where they chase sales by trying to appeal to management and C level while leaving behind the actual end users of the application.

Thank you,

Peter Hession, CISSP

Security Analyst

Information Security Team

CBC Companies Inc.

1 Like

How do we opt out of getting the Application Report’s new policy centric look? I need to be able to quickly see what I have for Security Issues and for License Issues. This new page displays a ton of mostly useless information and it will take me more time to get to the information that I need.

What I need is a list of Security Issues (showing what has been waived) and a separate list of License issues.

Do I need to start looking for different tools that will provide me with the information that I need to get my job done?

thanks,

I agree, this new report format will make it much harder to get the information I need to quickly review Security and License issues with my projects.

I like the new format but I would like to see the status in the report and be able to filter on status so that I can see what issues have been reviewed and adjudicated and which have not and their status.

1 Like

When you click on a vulnerable library and it brings up a dialog, can you make the dialog movable? Fixed location dialogs are super user unfriendly.

On the POLICY tab in this dialog, most of the entries have a duplicate row like:
Found security vulnerability sonatype-2017-0312 with severity 8.5.
Found security vulnerability sonatype-2017-0312 with severity 8.5.

Can you eliminate that unnecessary duplication?

Hi Dave, thank you for the feedback!

Noted the fixed dialog issue.

We are aware of the duplicate entries in the policy tabs. Those correspond to different conditions, a common scenario when you have conditions like

  • Security Vulnerability Severity >= 7
  • Security Vulnerability Severity < 9

Ideally we should include Condition Summary to fix that duplication. This should be addressed in the future in the new violation remediation functionality.
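The following is an added illustration, not Sonatype's code, of the mechanism the reply above describes: every policy condition that matches a finding produces its own reason line, and because the default reason text names only the vulnerability and severity, the two lines generated by "Severity >= 7" and "Severity < 9" for a severity 8.5 finding are indistinguishable. It also shows what the proposed condition summary does to those rows. The constraint name, the condition operators, the "match all" flag and the exact reason wording are assumptions modelled on the thread, not IQ Server's real data model.

```python
"""Toy policy evaluator (added example, not Sonatype code) showing why a
single vulnerability can appear twice on the POLICY tab and how a
condition summary disambiguates the rows.  Names and wording are
assumptions modelled on the forum thread."""
from dataclasses import dataclass
import operator

OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
       "<": operator.lt, "==": operator.eq}


@dataclass(frozen=True)
class Condition:
    op: str        # comparison operator, e.g. ">="
    value: float   # severity threshold

    def matches(self, finding):
        return OPS[self.op](finding["severity"], self.value)

    def summary(self):
        # Wording mirrors the condition list in the reply above.
        return f"Security Vulnerability Severity {self.op} {self.value:g}"


@dataclass(frozen=True)
class Constraint:
    name: str
    conditions: tuple          # Condition objects
    match_all: bool = True     # True: every condition must hold; False: any


def violation_reasons(constraint, finding, include_condition=False):
    """Return one reason line per matched condition, or [] when the
    constraint is not violated.  With include_condition=False the lines
    for one finding are identical, which is the duplication in the thread."""
    matched = [c for c in constraint.conditions if c.matches(finding)]
    if constraint.match_all and len(matched) != len(constraint.conditions):
        return []
    if not matched:
        return []
    reasons = []
    for cond in matched:
        line = (f"Found security vulnerability {finding['id']} "
                f"with severity {finding['severity']}.")
        if include_condition:
            line += f" [{cond.summary()}]"
        reasons.append(line)
    return reasons


def dedupe(lines):
    """Collapse identical reason lines, keeping order.  This is the only
    option a report has if it cannot show which condition fired."""
    seen, out = set(), []
    for line in lines:
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


# Constructed sample: a "high but not critical" constraint (assumed name)
# and the finding quoted in the thread.
HIGH_NOT_CRITICAL = Constraint(
    name="Security-High",
    conditions=(Condition(">=", 7), Condition("<", 9)),
)
FINDING = {"id": "sonatype-2017-0312", "severity": 8.5}

if __name__ == "__main__":
    for line in violation_reasons(HIGH_NOT_CRITICAL, FINDING):
        print(line)        # two identical rows, as on the POLICY tab
    print("--- with condition summary ---")
    for line in violation_reasons(HIGH_NOT_CRITICAL, FINDING,
                                  include_condition=True):
        print(line)        # same two rows, now distinguishable
```

Running it prints the duplicated "Found security vulnerability sonatype-2017-0312 with severity 8.5." row twice, then the same two rows each suffixed with the condition that produced it. Deduplicating the rows without the summary would hide the fact that two conditions fired, which is why including the condition summary is the better fix.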

The status information is absolutely necessary for our project teams. So it should be shown in the old or new report. Currently, all our teams prefer the old report format!

Please think about whether it is possible to show columns (attributes) via configuration, so that someone who needs, for example, status can show it.