Skip to main content

Policy Management

Lifecycle policies are the rules that automatically identify risk from components throughout your organization. These policies report discovered risks to the right stakeholders while enforcing compliance at any stage of the software development lifecycle.

While most of our examples for managing policies demonstrate referencing components/packages in the Maven format, Sonatype Lifecycle also supports several other formats.

Getting Started

To begin, there are some fundamental questions to consider:

  • What do you want to know about?

    • CVE and malicious code found in open-source libraries

    • organization risk from undesirable license obligations

    • open source hygiene

    • component information

  • Are some applications more critical (more risk-adverse) than others?

  • Where in the SDLC do you want teams to be notified of any risk?

  • What should happen when a new violation is discovered?

  • Will you build the application every day or should recent builds be automatically checked?

  • For legacy applications, do you plant to accept all current risk from the start?


For more about policy management in IQ Server, be sure to check out our Organizational Policies eLearning course.

Reference Policy Set

Creating governance policies from scratch is labor-intensive and challenging. Ideally, your governance policies are set before scanning your applications to get a baseline of open-source risk. This is the goal of the Sonatype Reference Policy Set.

When starting Lifecycle for the first time, the Reference Policy Set is imported automatically from the Sonatype Data Services.


If Lifecycle is unable to connect to Sonatype Data Services when first launched, importing the reference policy set will fail. Check that the IQ Server can connect to on port 443 TCP. Once this has been corrected, clear the server's work directory and try again.

Importing Policies

The Reference Policy Set can be downloaded and imported manually. This is primarily to remove the current policies without having to start over with server configuration.


Importing the reference policy will clear modifications to license threat groups, references to policy violations, and any existing waivers.

IQ Server Releases

Set Details

Reference Policy Set

release 140 or newer

(Reference Policy Set v7)


release 106 to 139

(Reference Policy Set v6)


release 97 to 105


release 91 to 96

(Reference Policy V4 Information)


release 50 to 90


release 22 to 49


release 21 or older


Once downloaded, use the following steps to import them into IQ Server.

  1. Log into IQ Server using an account that has permission to import policies into a specific organization (including the Root Organization). At a minimum, the account should be assigned to the Owner role of the organization.

  2. Click the Manage Applications and Organizations icon on the IQ Server toolbar.

  3. In the sidebar, click the organization into which you want to import the policy.

  4. Click the Actions menu and select Import Policies.

    The Import Policy dialog is displayed as shown in the figure below.

  5. Click the Choose File button and select the policy .json file in the file browser.

  6. Click the Import button.


Rules for Importing Policies

If you want to import policies into an organization with existing policies (or application categories, component labels, and/or license threat groups), you should consider the following rules:

  • Existing policies and waivers belonging to this organization and any of its descendants will be deleted during the import procedure.

  • Importing policies also include application categories, component labels, and license threat groups for which the following logic is used:

    • Application Categories - IQ Server attempts to match application categories against existing ones in a case-insensitive manner. This allows for updating the description or color of existing application categories while preserving any current matching of categories between policies and applications.

    • Component labels - IQ Server attempts to match component labels against existing ones in a case-insensitive manner. This allows for updating the description or color of existing component labels while preserving any triage effort already done to apply these labels to components. If your import contains component labels that aren’t already present in the system, they will be created.

    • License Threat Groups - IQ Server will delete all existing license threat groups belonging to this organization and any of its descendants, and then import the new ones.