
Policy Management

Governance policies are the rules used to identify risk from open-source components found in your applications. They report identified risk to each project stakeholder and enforce compliance at any stage of the software development lifecycle. Put governance policies in place before scanning applications so that the first scans give you a baseline of your open-source risk.

This is the goal of the Sonatype Reference Policy.

Reference Policy

Creating an open-source governance policy is challenging, which is why Sonatype provides a reference policy set to use as a starting point for baselining your open-source risk.

When Lifecycle is launched for the first time, the Reference Policy is imported automatically from the Sonatype Data Services. Connectivity issues may prevent the policies from loading, in which case you may need to import the reference policy into your Root Organization manually.

See Reference Policies

Policy Elements

Policy Name

The Policy Name indicates the risk or violation it is associated with. This Policy Name will appear in all reports and views. To avoid confusion, assign a unique name to every policy.

A policy name can be up to 60 characters long and may include alphanumerics, underscores (_), periods (.), dashes (-), or spaces.

Policy Name Uniqueness

Policy names must be unique within the same organization/application hierarchy chain. However, it is valid for separate hierarchies to each create custom policies with the same name.

Example:

  • You cannot create a policy in a child organization with the same name as one in the Root Organization.

  • You can create a policy named MyPolicy in both Child Org A and Child Org B.

When policies share the same name across child organizations, violations and API responses may appear ambiguous. To accurately identify which policy a violation refers to, always use the policyId field (the internal unique identifier).

Note

If an organization is moved to a different parent organization and both contain policies with the same name, a conflict can occur because each policy has a different policyId.

Threat Level

The threat level is a subjective value representing the perceived risk of a policy violation. Its purpose is to sort policy violations in reports and views: the violations with the highest threat level appear first, followed by those with lower threat levels.

  • The threat level values are grouped by severity and identified by specific colors.

  • Avoid causing unnecessary alarm when setting the threat level.

  • Select the lowest number that still provides value: informational level (1) or low level (2-3).

  • Save the high-level values (8-10) for only the highest priority and risk.

Level      Color       Number
Critical   Red         8-10
Severe     Orange      4-7
Moderate   Yellow      2-3
Low        Blue        1
None       Light Blue  0

Note

Policy Threat Levels do not align with CVSS score. See Security Policies for details.
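As an added example (not Sonatype's code or API), the following Python models the rules on this page: the policy-name length and character set, the uniqueness rule along an organization chain, resolving same-named policies in separate hierarchies by policyId rather than by name, and the threat-level bands with the report sort order. The Org class, the policyId values (p-0001 and so on) and the policy names are constructed for illustration. The uniqueness check walks from an organization up to the root; a parent adding a name already used by one of its descendants would need the same check in the other direction.

```python
"""Policy-name and threat-level helpers modelling the rules on this page.

Added example, not Sonatype code: the hierarchy model, the policyId values and
the policy names are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, Optional

# Page rule: up to 60 characters of alphanumerics, underscore, period, dash or space.
POLICY_NAME_RE = re.compile(r"[A-Za-z0-9_.\- ]{1,60}")


def is_valid_policy_name(name: str) -> bool:
    """True when the name satisfies the page's length and character rules."""
    return POLICY_NAME_RE.fullmatch(name) is not None


# Severity bands from the page's table: (low, high, level label, color).
THREAT_BANDS = [
    (8, 10, "Critical", "Red"),
    (4, 7, "Severe", "Orange"),
    (2, 3, "Moderate", "Yellow"),
    (1, 1, "Low", "Blue"),
    (0, 0, "None", "Light Blue"),
]


def threat_band(level: int) -> tuple:
    """Map a numeric threat level (0-10) to its (level label, color) band."""
    for low, high, label, color in THREAT_BANDS:
        if low <= level <= high:
            return label, color
    raise ValueError(f"threat level must be 0-10, got {level}")


def sort_violations(violations: list) -> list:
    """Order violations as reports do: highest threat level first."""
    return sorted(violations, key=lambda v: v["threatLevel"], reverse=True)


@dataclass
class Org:
    """Constructed organization node; policies map policyId -> policy name."""
    name: str
    parent: Optional["Org"] = None
    policies: dict = field(default_factory=dict)


def chain(org: Org) -> Iterator[Org]:
    """Yield org and every ancestor up to the Root Organization."""
    while org is not None:
        yield org
        org = org.parent


def can_add_policy(org: Org, name: str) -> bool:
    """Page rule: the name must be valid and unused anywhere in org's chain to the root."""
    if not is_valid_policy_name(name):
        return False
    return all(name not in o.policies.values() for o in chain(org))


def policy_ids_named(orgs: list, name: str) -> list:
    """All policyIds carrying this name across separate hierarchies (may be more than one)."""
    return [pid for o in orgs for pid, n in o.policies.items() if n == name]


def find_policy(orgs: list, policy_id: str):
    """Resolve by policyId, the unambiguous key: returns (org name, policy name) or None."""
    for o in orgs:
        if policy_id in o.policies:
            return o.name, o.policies[policy_id]
    return None


def build_sample_hierarchy():
    """Constructed hierarchy: root with one policy, two children sharing a policy name."""
    root = Org("Root Organization", policies={"p-0001": "Security-Critical"})
    child_a = Org("Child Org A", parent=root, policies={"p-0002": "MyPolicy"})
    child_b = Org("Child Org B", parent=root, policies={"p-0003": "MyPolicy"})
    return root, child_a, child_b


if __name__ == "__main__":
    root, a, b = build_sample_hierarchy()
    print(can_add_policy(a, "Security-Critical"))  # False: the name exists in the root
    print(policy_ids_named([root, a, b], "MyPolicy"))  # ['p-0002', 'p-0003']: ambiguous by name
    print(find_policy([root, a, b], "p-0003"))  # ('Child Org B', 'MyPolicy')
```

Run the file directly to see the three cases the page describes: a child cannot reuse a root policy name, two sibling organizations can both own MyPolicy, and only the policyId identifies which one a violation refers to.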