
Bulk Waivers

The Bulk Waivers feature allows users to efficiently create waivers for multiple policy violations simultaneously within Sonatype Lifecycle. This feature streamlines waiver management, improves consistency, and reduces the time required to handle policy violations.

Key Benefits:

The Bulk Waivers feature enables you to create and apply multiple policy waivers in a single workflow, improving efficiency and consistency across applications.

  • Maintain consistent waiver configuration (scope, expiration, reason, and comments).

  • Support waiver creation within Application Reports and Component Details pages.

  • Handle unknown or unclaimed components intelligently by restricting “All Versions” to identified components and using “Exact” for unknown/unclaimed components.

Accessing Bulk Waivers

The Bulk Waive button is available in the following locations in the application interface:

  • Application Report

  • Component Details


The Bulk Waive button is visible only to users who have the WAIVE_POLICY_VIOLATIONS permission. When this permission is granted but there are no open waiveable violations, the button is disabled.

Violation Selection:

The Violation Selection page displays all policy violations eligible for bulk waiver in a sortable, filterable table. You can select multiple violations to waive at once.


Key Features:

  • Sort and filter violations by Threat Level, Policy, or Component/Constraint.

  • Select individual violations or use the Select All checkbox.

  • View selected violation counts and retain hidden selections when filters are applied.

  • Only open violations are displayed. Waived, dismissed, or legacy violations are automatically excluded.

Once at least one violation is selected, click Next to proceed to the Waiver Configuration step. To exit without saving, click Cancel; this returns you to the previous page and clears your selections.

Waiver Configuration:

In this step, you configure how waivers will apply to the selected violations. The configuration includes scope, component matching strategy, expiration duration, reason, and comments.


Configuration Options:

Scope (Required)

Indicates the organizational level (such as Application, Organization, or Repository) where the waiver applies.

Available options include Application, Organization, Repository, Repository Manager, and Repository Container, depending on your permissions and the current context.

Component Matching (Required)

Specifies how the waiver matches components:

  • Exact: Applies only to the specific component version. This option is always available and required for unknown or unclaimed components.

  • All Versions: Applies to all past, present, and future versions of the component. This option is not available for unknown or unclaimed components.

Waiver Expiration (Required)

Determines when the waiver expires. Choose from a set of predefined durations (7, 14, 30, 60, 90, or 120 days). You can also specify that the waiver will never expire or provide a custom expiration date using the date picker.

Note

When selecting a custom date, you must choose a future date.

Reason (Optional)

Select a predefined waiver reason configured in Sonatype Lifecycle.

Comments (Optional)

Provide contextual notes explaining the waiver rationale (maximum 1000 characters).

Handling Unknown Components:

  • When only unknown or unclaimed components are selected, the All Versions option is disabled. Tooltip: “Claim these components to apply all versions waiver.”

  • When both known and unknown components are selected, an inline message appears on the page: “The selected violations contain unknown/unclaimed components. When ‘All Versions’ is selected, the bulk waiver will only apply to identified components.”

After configuring the waiver, click Next to review the summary. If you need to change selections, click Back to return to the previous step. To discard and exit, click Cancel.

Confirmation and Submission:

The Confirmation step allows users to review all selected violations and configuration details before submission.


Review Summary:

  • Total number of violations and affected components.

  • Scope, component matching strategy, expiration date, reason, and comments (read-only).

  • When the selected violations include both known and unknown or unclaimed components, a message appears on the confirmation page: “The selected violations contain unknown/unclaimed components. When ‘All Versions’ is selected, the bulk waiver will only apply to identified components.”

    This message indicates that the ‘All Versions’ option applies only to identified components; unknown components are excluded from the waiver.

After you click Submit, the bulk waiver is created. It is applied the next time Sonatype Lifecycle re-evaluates the report and does not affect the current report.

A confirmation appears at the top of the screen: “Bulk Waivers will apply when the report is re-evaluated.”

Submission:

After reviewing, click Submit to create the waivers. Waivers are created in a single, atomic transaction; if any validation fails, the entire batch is rolled back.

A message confirms: “Re-evaluate the report to apply bulk waivers.”

API Integration

You can also create bulk waivers programmatically using the Policy Waiver REST API. This operation requires the WAIVE_POLICY_VIOLATIONS permission, and waivers are created in a single atomic transaction (if any violation fails validation, the entire batch is rolled back).

See the full API reference and examples here: Bulk Waivers API
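The rules this page states for a bulk waiver (only open violations are eligible, expiration is a preset duration, never, or a future date, comments are capped at 1000 characters, All Versions cannot be used when only unknown/unclaimed components are selected and silently excludes unknown components in a mixed selection, and the batch is all-or-nothing) can be checked on the client before anything is sent. The following Python model is an added example, not Sonatype's code and not the Policy Waiver REST API, whose endpoint and payload are not described on this page; the class and function names, the in-memory `store` standing in for the server, and the sample violations are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Values stated on the page
PRESET_DURATIONS_DAYS = (7, 14, 30, 60, 90, 120)
MAX_COMMENT_LENGTH = 1000
SCOPES = ("Application", "Organization", "Repository",
          "Repository Manager", "Repository Container")
MATCHING = ("Exact", "All Versions")


@dataclass(frozen=True)
class Violation:
    violation_id: str
    component: str
    identified: bool          # False for unknown/unclaimed components
    status: str = "open"      # "open", "waived", "dismissed" or "legacy"


@dataclass(frozen=True)
class WaiverConfig:
    scope: str
    matching: str             # "Exact" or "All Versions"
    expiration: object        # preset day count, the string "never", or a date
    reason: Optional[str] = None
    comments: str = ""


class BulkWaiverError(ValueError):
    """Any validation failure aborts the whole batch; nothing is written."""


def waiveable(violations):
    """Only open violations are eligible; waived, dismissed and legacy are excluded."""
    return [v for v in violations if v.status == "open"]


def expiry_date(expiration, today):
    """Translate the expiration choice into a date; None means the waiver never expires."""
    if expiration == "never":
        return None
    if isinstance(expiration, int):
        if expiration not in PRESET_DURATIONS_DAYS:
            raise BulkWaiverError(f"{expiration} days is not a predefined duration")
        return today + timedelta(days=expiration)
    if isinstance(expiration, date):
        if expiration <= today:
            raise BulkWaiverError("a custom expiration date must be in the future")
        return expiration
    raise BulkWaiverError("unsupported expiration value")


def validate_config(cfg, selected, today):
    """Apply the page's configuration rules; returns the resolved expiry date."""
    if cfg.scope not in SCOPES:
        raise BulkWaiverError(f"unknown scope {cfg.scope!r}")
    if cfg.matching not in MATCHING:
        raise BulkWaiverError(f"unknown component matching {cfg.matching!r}")
    if len(cfg.comments) > MAX_COMMENT_LENGTH:
        raise BulkWaiverError("comments exceed 1000 characters")
    if cfg.matching == "All Versions" and not any(v.identified for v in selected):
        # The UI disables All Versions when only unknown/unclaimed components are selected
        raise BulkWaiverError("All Versions requires at least one identified component; use Exact")
    return expiry_date(cfg.expiration, today)


def plan_bulk_waiver(selected, cfg, today):
    """Build the full batch up front. Returns (waivers, excluded_violation_ids).

    With All Versions, unknown/unclaimed components are excluded rather than waived,
    matching the confirmation-page message on the original page.
    """
    if not selected:
        raise BulkWaiverError("select at least one violation")
    expires = validate_config(cfg, selected, today)
    waivers, excluded = [], []
    for v in selected:
        if v.status != "open":
            raise BulkWaiverError(f"{v.violation_id} is not an open violation")
        if cfg.matching == "All Versions" and not v.identified:
            excluded.append(v.violation_id)
            continue
        waivers.append({
            "violation_id": v.violation_id,
            "component": v.component,
            "scope": cfg.scope,
            "matching": cfg.matching,
            "expires": expires,
            "reason": cfg.reason,
            "comments": cfg.comments,
        })
    return waivers, excluded


def submit_bulk_waiver(store, selected, cfg, today):
    """All-or-nothing: the whole batch is validated before the first write."""
    waivers, excluded = plan_bulk_waiver(selected, cfg, today)
    for w in waivers:
        store[w["violation_id"]] = w
    return waivers, excluded


# Constructed sample input: one identified component, one unknown jar
SAMPLE_VIOLATIONS = [
    Violation("v1", "pkg:maven/example/lib@1.0", identified=True),
    Violation("v2", "unknown-vendor.jar", identified=False),
    Violation("v3", "pkg:maven/example/old@0.9", identified=True, status="waived"),
]
```

Because `plan_bulk_waiver` raises before `submit_bulk_waiver` touches the store, a single bad entry leaves the store untouched, which is the rollback behaviour the page describes; the `excluded` list is what a caller would surface to the user in place of the "will only apply to identified components" message.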