Example Waiver Workflows
Example Workflow: Lifecycle
Consider two teammates, Alice and Bob. Alice is a developer and Bob works in AppSec. They work at a small company that is just getting comfortable with its Sonatype purchases but is fairly mature in its DevOps journey, and they want to integrate with their issue-tracking tools as much as possible.
Bob kicks the workflow off when he reviews Application Composition Reports in the browser UI, which he does on a weekly cadence. He sees a Security-Medium violation in a component called vulnerable-foo. The version graph in the Component Details Page shows a newer version of the same component with no violations, so he creates a ticket for Alice to upgrade it.
Alice picks up the ticket during her next sprint. She researches the newer, non-vulnerable version of vulnerable-foo by visiting the component's website, GitHub page, and using the Chrome Plugin. Her investigation reveals that the new version changes some class files significantly, so upgrading will require some unit and integration testing.
Alice decides to request a waiver on this component for 14 days, the length of a sprint, to give her enough time to make the update. For its duration the waiver will keep the vulnerable-foo violation from appearing as an open violation on reports, and it will serve as a record that the risk was acknowledged and accepted in the meantime. She edits the existing ticket with a request for a 14-day waiver, then sends it back to Bob.
Bob reviews the ticket, agrees with Alice's reasoning, creates the waiver, and sends the ticket back to Alice.
At this point the waiver prevents vulnerable-foo from appearing as an open violation on reports. After 14 days the waiver expires; by then Alice has (hopefully) replaced the component with the newer version. If she has not, the violation is reported as open again and a new request is needed.
Example Workflow: Sonatype Repository Firewall
This example workflow is similar to the previous workflow, but it's mostly focused on the Sonatype Repository Firewall product. Alice and Bob's company is using Sonatype Nexus Repository to proxy Maven Central, and Sonatype Repository Firewall is configured to block components that are too risky.
This time, Alice kicks off the workflow when she tries to build her app using a package manager and Repository Firewall blocks one component, beerware-foo, because it violates the License-Banned policy. Alice reviews the license on beerware-foo and sees that it has some serious requirements when used for commercial purposes. Alice's application will only be used internally, so those requirements don't apply. Alice thinks the component should be unblocked for her use case.
Alice opens a ticket requesting a waiver and sends it to Bob. Since the app is under active development, she would like the waiver to have a long duration so she does not have to request another one soon.
Bob reviews the ticket, agrees with Alice's reasoning, and creates a waiver set to expire after 60 days. After that he wants to review the situation and confirm that the app has not made its way into a commercial product. He lets Alice know the waiver was granted.
Alice tries to build her app again. This time, Repository Firewall doesn't block the component and the build completes successfully.
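Both workflows end with Bob creating a waiver that carries a justification and an expiry: 14 days for the Security-Medium violation on vulnerable-foo, 60 days for the License-Banned violation on beerware-foo. The script below is an added example, not code from the Sonatype documentation or product; it builds such a waiver request for each workflow, ties it back to the ticket, and checks whether a waiver is still active. The REST endpoint path, owner type and JSON field names are assumptions about the IQ Server Policy Waiver REST API and should be checked against your server's API reference; the base URL, violation IDs and ticket IDs are constructed.

```python
"""Added example, not part of the Sonatype documentation or product code.

Builds time-boxed policy waiver requests like the ones Bob creates in the
two workflows above. Endpoint path, owner type and JSON field names are
assumptions about the IQ Server Policy Waiver REST API; verify them against
your server's API docs before use.
"""
import base64
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IQ_BASE_URL = "http://iq.example.internal:8070"  # constructed; assumption
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.000Z"           # assumed expiryTime format


def parse_time(value):
    """Parse an expiryTime string in TIME_FORMAT into an aware UTC datetime."""
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def build_waiver_request(policy_violation_id, ticket_id, reason, days, now=None):
    """Return the JSON body for a waiver that expires `days` after `now`.

    The expiry is mandatory: an open-ended waiver quietly turns "risk accepted
    for one sprint" into "risk accepted forever", which is exactly what Bob's
    follow-up review is meant to prevent.
    """
    if days <= 0:
        raise ValueError("waiver duration must be a positive number of days")
    now = now or datetime.now(timezone.utc)
    expiry = now + timedelta(days=days)
    return {
        "policyViolationId": policy_violation_id,         # assumed field name
        "comment": f"{ticket_id}: {reason} (expires {expiry.date().isoformat()})",
        "expiryTime": expiry.strftime(TIME_FORMAT),       # assumed field name
        "applyToAllComponents": False,                    # assumed field name
    }


def waiver_is_active(waiver, now):
    """True while `now` is before the waiver's expiry. Once this is False the
    violation is reported as open again and a new request is needed."""
    return now < parse_time(waiver["expiryTime"])


def submit_waiver(owner_id, body, username, password, owner_type="application"):
    """POST the waiver to IQ Server. Assumed endpoint shape:
    /api/v2/policyWaivers/{ownerType}/{ownerId}. Makes a network call and is
    not exercised by the sample run below."""
    url = f"{IQ_BASE_URL}/api/v2/policyWaivers/{owner_type}/{owner_id}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample IDs standing in for the violation ID copied from the
    # IQ Server UI and the ticket ID from the tracker.
    sprint_waiver = build_waiver_request(
        "00000000-violation-vulnerable-foo", "APPSEC-101",
        "upgrade of vulnerable-foo needs unit and integration testing", days=14)
    license_waiver = build_waiver_request(
        "00000000-violation-beerware-foo", "APPSEC-102",
        "internal-only app; beerware-foo commercial terms do not apply", days=60)
    print(json.dumps(sprint_waiver, indent=2))
    print(json.dumps(license_waiver, indent=2))
```

The comment embeds the ticket ID and the expiry date so that anyone reading the waiver in the UI can find the decision record without leaving the product, and `waiver_is_active` is the check a nightly job would run to re-open the ticket when a waiver lapses rather than letting the violation silently reappear.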