
Policy Constraints

Policy constraints define the violating conditions you want to detect. A policy constraint is a collection of multiple conditions. A policy must have at least one constraint, and each constraint must have at least one condition.

Policy constraints can be configured to be satisfied if ANY or ALL of the conditions are true. Multiple constraints inside a policy are combined with OR, so a policy is violated if any one constraint in that policy is violated.

Policy constraints are made up of the following parts:

Constraint Name: Indicates the violation you want to detect, for example, a High-risk CVSS score or License needs legal review.

Conditions: Refer to the table below to choose the appropriate violation condition from the drop-down.


Setting Conditions

Select a value for "Any or All" and then a condition and its parameters from the drop-down menus. For more details on any of the conditions and their parameters, see the Application Composition Report.

Policy Type

A policy type is automatically assigned, based on the conditions selected for the policy constraint. You can filter results on the dashboard based on the Policy type.

The following rules are used to determine the policy type:

  • Security: if the policy has any security conditions, it is a Security policy.

  • License: if it has any license conditions, it is a License policy.

  • Quality: if it has any age or popularity conditions, it is a Quality policy.

  • Other: if none of its conditions are of the types above, it is of type Other.

NOTE: A policy can only be of one type. Where a policy has conditions that meet more than one of the rules above, the policy type is assigned according to the order listed above. For example, a policy with both security and license conditions is assigned the policy type Security.
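The following is an added example, not Sonatype's code, that models the two evaluation rules described on this page: conditions inside a constraint combine with ANY or ALL and constraints inside a policy combine with OR (as described at the top of the page), and the policy type comes from the first matching rule in the order Security, License, Quality, Other. The class names, the condition-name sets, and the sample policy are constructed for the example.

```python
# Added example, not Sonatype's code: a small model of the evaluation rules
# described above. Conditions inside a constraint combine with ANY or ALL,
# constraints inside a policy combine with OR, and the policy type is taken
# from the first rule that matches: Security, then License, then Quality, then Other.
from dataclasses import dataclass
from typing import List

# Condition names grouped by the "Type" column of the conditions table below.
SECURITY_CONDITIONS = {
    "Security Vulnerability Severity", "Security Vulnerability Status",
    "Security Vulnerability Category", "Security Vulnerability CWE",
}
LICENSE_CONDITIONS = {
    "License", "License Status", "License Threat Group", "License Threat Group Level",
}
QUALITY_CONDITIONS = {
    "Age", "Relative Popularity (Percentage)", "Hygiene Rating", "Integrity Rating",
}


@dataclass
class Condition:
    kind: str      # condition name, e.g. "License Threat Group"
    result: bool   # whether the condition holds for the evaluated component


@dataclass
class Constraint:
    name: str
    operator: str  # "ANY" or "ALL"
    conditions: List[Condition]

    def is_violated(self) -> bool:
        if not self.conditions:
            raise ValueError("a constraint must have at least one condition")
        results = [c.result for c in self.conditions]
        if self.operator == "ANY":
            return any(results)   # one true condition is enough
        if self.operator == "ALL":
            return all(results)   # every condition must be true
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Policy:
    name: str
    constraints: List[Constraint]

    def is_violated(self) -> bool:
        # Constraints are OR-ed: a single violated constraint violates the policy.
        if not self.constraints:
            raise ValueError("a policy must have at least one constraint")
        return any(c.is_violated() for c in self.constraints)

    def policy_type(self) -> str:
        kinds = {cond.kind for c in self.constraints for cond in c.conditions}
        if kinds & SECURITY_CONDITIONS:
            return "Security"
        if kinds & LICENSE_CONDITIONS:
            return "License"
        if kinds & QUALITY_CONDITIONS:
            return "Quality"
        return "Other"


def example_policy() -> Policy:
    """Constructed sample: one ALL constraint that is not met and one ANY constraint that is."""
    return Policy("Review before release", [
        Constraint("High-risk CVSS score", "ALL", [
            Condition("Security Vulnerability Severity", True),
            Condition("Security Vulnerability Status", False),  # fails, so ALL fails
        ]),
        Constraint("License needs legal review", "ANY", [
            Condition("License Threat Group", True),             # enough on its own under ANY
            Condition("License Status", False),
        ]),
    ])


if __name__ == "__main__":
    p = example_policy()
    print(p.policy_type(), p.is_violated())
```

In the sample policy the security constraint is not violated (ALL with one false condition), but the license constraint is, so the policy as a whole is violated; its type is still Security, because type assignment looks at which condition kinds are present, not at which constraint fired.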

Constraint Conditions supported

Condition

Type

Description

Any or All

---

Determines how the conditions within a constraint are evaluated. You can choose one of the following options:

  • Any - If any one of the conditions is met, a policy violation is triggered. This is the equivalent of placing an OR between the conditions. This setting tends to produce more policy violations.

  • All - If every condition is met, a policy violation is triggered. This is the equivalent of placing an AND between the conditions. It tends to produce fewer policy violations.

Label

Other

Verify if a specific component label is or is not assigned to a component.

License

License

Verify if the component license is or is not a specified license. If you’ve used the Component Information Panel to set a component’s license status to Overridden, then any licenses designated as Declared or Observed are ignored. If a component’s license status has not been overridden, then any occurrence (declared or observed) of the specified license is considered a match.

License Status

License

Verify if the status of a user-defined license is or is not one of the following values: Open, Acknowledged, Overridden, Selected, Confirmed.

License Threat Group

License

Verify if a component’s license is or is not in a license threat group. The special value [unassigned] can be used to check whether a license has not been assigned to any of your license threat groups, i.e. represents an unknown risk.

License Threat Group Level

License

Verify if the threat level of a component’s license threat group is less than or equal to, or greater than or equal to, a specified threat level value.

Security Vulnerability Severity

Security

Verify if a security vulnerability with a numeric severity is =, <, <=, >, or >= a specified value.

If a vulnerability identifier is prefixed with SONATYPE or CVE, the vulnerability severity is its Common Vulnerability Scoring System (CVSS) version 3 score.

If a version 3 score is not available, the CVSS version 2 score is compared instead.

If there is a Custom Vulnerability Severity value applicable for the evaluated application, it is used for this comparison.

Security Vulnerability Status

Security

Verify if a component’s security vulnerability status is or is not one of the following values: Open, Acknowledged, Not Applicable, Confirmed.

Relative Popularity (Percentage)

Quality

Verify if the relative popularity of a component’s version (as compared to other versions of the same component) is =, <, <=, >, or >= a specified percentage value.

Note

The popularity of a component is calculated as a function of successful download counts from Open Source Software repositories and package managers. As a baseline, the most popular version of the component has 100% popularity. If all versions of a component have roughly the same popularity, they all have 100% popularity.

Age

Quality

Verify if a component is older than or younger than a specified value.

Match State

Other

Verify if the comparison of a component to known components is or is not a match in one of the following ways: Exact, Similar, or Unknown.

Format

Other

Verify if the component is in a specified format, e.g. npm, maven, etc.

Coordinates

Other

Verify if a component matches or does not match Maven, A-Name, or PyPI coordinates. For each type of coordinates, you enter specific attributes. You can use a wildcard (*) at the end of an attribute to broaden the search.

Maven: You fill in a component’s GAVEC, i.e. Group ID, Artifact ID, Version, Extension, and Classifier. For example, an exact match:

Group ID: org.sonatype.nexus
Artifact ID: nexus-indexer
Version: 1.0
Extension: jar
Classifier: sources

or a wildcard match:

Group ID: org.sonatype*
Artifact ID: nexus-indexer
Version: 1.*
Extension: *
Classifier:

A-Name: A-Name is short for Authoritative Name, an identifier created by Sonatype to identify components regardless of repository format. You fill in a Name, Qualifier, and Version, for example:

Name: log4net
Qualifier: Framework 3.5
Version: 2.0.5

or:

Name: log4net
Qualifier:
Version: 1.*

PyPI: The Python Package Index format. You fill in a Name, Version, Qualifier, and Extension. For example:

Name: MarkupSafe
Version: 1.1.0
Qualifier:
Extension: *

Package URL

Other

Verify if a component matches or does not match a specified package URL. You can use a wildcard (*) at the end of an optional attribute to broaden the search. The package URL must have the format below:

pkg:type/namespace/name@version?qualifiers

Where:

  • type: the package "type" or package "protocol", such as maven or npm. Required

  • namespace: a name prefix such as a Maven group ID (type-specific). Optional

  • name: the name of the package. Required

  • version: the version of the package. Optional

  • qualifiers: extra qualifying data for a package, such as type or classifier for Maven (type-specific). Optional

Package URL examples

Maven :

pkg:maven/tomcat/tomcat-util@5.5.23?type=jar

A-name:

pkg:a-name/startbootstrap-agency@4.0.0-beta
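The following is an added example, not Sonatype's code, for the Coordinates and Package URL conditions above: it parses the documented pkg:type/namespace/name@version?qualifiers shape and applies the trailing "*" wildcard rule, then reuses the same matcher for Maven GAVEC coordinates. One assumption is mine and is marked in the code: an attribute left blank in the condition (such as the empty Classifier in the example above) is treated as unconstrained. Function names are constructed for the example.

```python
# Added example, not Sonatype's code: a parser for the documented package URL
# shape and a matcher that honours a trailing "*" on optional attributes. The same
# matcher is applied to Maven GAVEC coordinates. Assumption (mine): an attribute
# left blank in the condition is treated as unconstrained.
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qsl


@dataclass(frozen=True)
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str]


def parse_purl(purl: str) -> PackageURL:
    """Split pkg:type/namespace/name@version?qualifiers into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError("package URL must start with 'pkg:'")
    body = purl[len("pkg:"):]
    qualifiers: Dict[str, str] = {}
    if "?" in body:
        body, query = body.split("?", 1)
        qualifiers = dict(parse_qsl(query, keep_blank_values=True))
    version: Optional[str] = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    parts = body.split("/")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        raise ValueError("type and name are required")
    namespace = "/".join(parts[1:-1]) or None   # absent namespace -> None
    return PackageURL(parts[0], namespace, parts[-1], version, qualifiers)


def attr_matches(pattern: Optional[str], value: Optional[str]) -> bool:
    """Exact match, or prefix match when the pattern ends in '*'."""
    if not pattern:            # assumption: blank condition attribute = unconstrained
        return True
    if pattern.endswith("*"):
        return value is not None and value.startswith(pattern[:-1])
    return value == pattern


def purl_matches(condition: str, component: str) -> bool:
    """Type and name are required and compared exactly; the optional parts may use '*'."""
    c, x = parse_purl(condition), parse_purl(component)
    return (
        c.type == x.type
        and c.name == x.name
        and attr_matches(c.namespace, x.namespace)
        and attr_matches(c.version, x.version)
        and all(attr_matches(v, x.qualifiers.get(k)) for k, v in c.qualifiers.items())
    )


GAVEC = ("groupId", "artifactId", "version", "extension", "classifier")


def gavec_matches(condition: Dict[str, str], component: Dict[str, str]) -> bool:
    """Apply the same trailing-wildcard rule to Maven coordinates."""
    return all(attr_matches(condition.get(f, ""), component.get(f)) for f in GAVEC)


if __name__ == "__main__":
    print(purl_matches("pkg:maven/tomcat/tomcat-util@5.*",
                       "pkg:maven/tomcat/tomcat-util@5.5.23?type=jar"))
```

A condition such as pkg:maven/tomcat/tomcat-util@5.* matches the Maven example above, while the same condition with ?type=pom does not, because a qualifier given in the condition must be present with a matching value on the component.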

Proprietary

Other

Verify if a component is or is not considered proprietary.

Proprietary Name Conflict

REPOSITORY FIREWALL

Security

Determine whether a component from a proxy repository has a name that matches the name of any proprietary component in a hosted repository.

Note that this policy condition is only relevant to Sonatype Repository Firewall and the Proxy stage.

Identification Source

Other

Verify if the identification of a component is or is not one of the following:

  • Sonatype - When the identification is done based on IQ Server data sources

  • Manual - When the identification is done based on a component claimed by you

  • Clair - When the identification is done based on a Clair scan result

  • Package Manifest - When the identification is done based on any manifest file scan

  • Sonatype-Container - When the identification is done through Sonatype Container scanning

Component Category

Other

Verify if the component category is or is not a specified category. These categories are what the component is used for, as categorized by Sonatype. Possible values include designations like "Data Protocols," "Logging," "Networking Utilities," etc. If a parent category is selected, a match will occur on any child category as well.

Data Source

Other

Verify whether the data source where the component information was found has support for one of the following features: Identity or License.

Dependency Type

Other

Verify if the dependency type is or is not the following:

  • Direct - When the dependency is determined to be defined in the application/project

  • Transitive - When the dependency is brought in from another dependency

  • InnerSource - When a direct dependency is determined as an internally developed module. Note that this will not match transitive components that are brought in by InnerSource components.

For more information, see the dependency type section in Reviewing a Report.

NOTE: Policy is not evaluated on components with a dependency type of unknown. This policy condition is not applicable to Repositories.

Security Vulnerability Category

Security

Verify if the security vulnerability category is or is not a specified category. If you've used the Component Information Panel, the vulnerability category values can be seen when viewing vulnerability information.

  • Data - The exploit involves the attacker sending a tainted request

  • Operational - The component is involved in the operation of the webserver

  • Functional - Affects a specific piece of the component that isn't integral to the operation of the component

  • Configuration - Dependent on a specific configuration of the component implementation

  • Test Code - The vulnerability is in test code that is not required for production

  • Sample Code - The vulnerability is in an example included with the component

  • Privileged - The attacker needs to have elevated privilege levels to exploit

  • Malicious Code - The component has embedded malicious code

  • Other - Not covered in the above categories

Hygiene Rating

Quality

Verify if the Hygiene Rating of a component is or is not one of the following:

  • Laggard

  • Exemplar

Integrity Rating

Quality

Verify if the Integrity Rating of a component is or is not one of the following:

  • Normal

  • Suspicious

  • Malicious

Security Vulnerability CWE

Security

Verify if a component’s security vulnerability CWE ID is or is not equal to a specified value.

If there is a Custom Vulnerability CWE ID value applicable for the evaluated application, it is used for this comparison.

Security Vulnerability Group

Security

Verify if a component belongs to a specific vulnerability group. Custom vulnerability groups can be added using the Vulnerability Groups REST API - experimental.

Security Research Type

Security

Verify if a component has undergone deep dive research by the Sonatype Data Research team. To exclude the "Deep Dive" research type, i.e. to include only the "Fast Track" research type, choose IS NOT as the logical operator when defining the constraint.

IaC Compliance Family

Security

Map the component to a specific compliance standard from those available in the IaC Pack.

Security Vulnerability Custom Remediation

Security

Verify if there is a Custom Vulnerability Remediation value or not for the vulnerability and evaluated application.

Security Vulnerability Custom CVSS

Security

Verify whether the Custom Vulnerability CVSS Vector value for the vulnerability and evaluated application matches or does not match a given regular expression.

Note

Unknown components can only meet the "Match State", "Proprietary" and "Data Source" conditions. All other conditions are never satisfied by an unknown component, regardless of which operator or value the condition uses. For example:

  1. An unknown component has no defined relative popularity, not even 0, so a condition like "Relative Popularity >= 0" is not met by an unknown component.

  2. An unknown component has no specific coordinates, so not even a condition like "Coordinates do not match ..." is satisfied by it.
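The following is an added example, not Sonatype's code, showing how an evaluator that follows the note above behaves: for an unknown component every condition other than "Match State", "Proprietary" and "Data Source" is false before any operator is applied, so neither "Relative Popularity >= 0" nor "Coordinates do not match ..." holds. It also applies the severity selection described for the "Security Vulnerability Severity" condition (custom severity if present, otherwise CVSS v3, otherwise CVSS v2). The component record layout, the operator spellings, and the sample components are assumptions constructed for this example.

```python
# Added example, not Sonatype's code: a condition evaluator that applies the
# rule above (an unknown component can satisfy only "Match State", "Proprietary"
# and "Data Source") and the severity selection described for "Security
# Vulnerability Severity" (custom severity, else CVSS v3, else CVSS v2).
# The component record layout and the operator spellings are assumptions of this example.
import operator
from typing import Any, Dict, Optional

COMPARE = {"=": operator.eq, "<": operator.lt, "<=": operator.le,
           ">": operator.gt, ">=": operator.ge}

# The only conditions an unknown component can meet, per the note above.
UNKNOWN_CAN_MEET = {"Match State", "Proprietary", "Data Source"}


def effective_severity(vuln: Dict[str, Any]) -> Optional[float]:
    """Custom severity for the application wins; otherwise CVSS v3; otherwise CVSS v2."""
    for key in ("custom_severity", "cvss_v3", "cvss_v2"):
        if vuln.get(key) is not None:
            return float(vuln[key])
    return None


def evaluate(condition: Dict[str, Any], component: Dict[str, Any]) -> bool:
    kind, op, value = condition["kind"], condition["operator"], condition["value"]
    if component["match_state"] == "Unknown" and kind not in UNKNOWN_CAN_MEET:
        # Not even ">= 0" or "do not match" conditions hold for an unknown component.
        return False
    if kind == "Match State":
        return (component["match_state"] == value) == (op == "is")
    if kind == "Proprietary":
        return bool(component.get("proprietary")) == (op == "is")
    if kind == "Data Source":
        return value in component.get("data_source_features", set())
    if kind == "Relative Popularity (Percentage)":
        return COMPARE[op](component["relative_popularity"], value)
    if kind == "Coordinates":
        matched = all(component["coordinates"].get(k) == v for k, v in value.items())
        return matched == (op == "match")
    if kind == "Security Vulnerability Severity":
        # True if any vulnerability on the component satisfies the comparison.
        for vuln in component.get("vulnerabilities", []):
            sev = effective_severity(vuln)
            if sev is not None and COMPARE[op](sev, value):
                return True
        return False
    raise ValueError(f"condition kind {kind!r} not modelled here")


# Constructed sample components for the checks below.
UNKNOWN_COMPONENT = {"match_state": "Unknown", "coordinates": {}, "vulnerabilities": []}
KNOWN_COMPONENT = {
    "match_state": "Exact",
    "proprietary": False,
    "relative_popularity": 37.5,
    "coordinates": {"groupId": "org.example", "artifactId": "widget"},
    "data_source_features": {"Identity", "License"},
    "vulnerabilities": [
        {"id": "example-vuln-1 (constructed)", "cvss_v3": None, "cvss_v2": 7.5},
    ],
}

if __name__ == "__main__":
    popularity = {"kind": "Relative Popularity (Percentage)", "operator": ">=", "value": 0}
    print(evaluate(popularity, UNKNOWN_COMPONENT), evaluate(popularity, KNOWN_COMPONENT))
```

The practical consequence for policy authors: a constraint intended to catch unidentified components must use "Match State is Unknown" rather than relying on a negated condition such as "Coordinates do not match" or a permissive threshold like "Relative Popularity >= 0".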