Policy Reevaluation
Older scan reports are not automatically updated with new data.
Use the "Re-evaluate Report" button to reflect policy changes or for new waivers.
Perform a new scan to pull new data from the data services.
Proprietary configuration changes are only reflected on new scans.
The Promotion API is used to resubmit existing data as a new scan.
Scan reports are static
Scan reports are a point-in-time analysis of your applications on components known to the Sonatype data services. The report has any known or reported vulnerabilities, declared and observed licenses, and component information that could be used to make policy decisions. It is compared against your policy configuration to generate a static scan report.
Note
For auditing reasons, the data in a scan report does not change from when the scan was done. When Sonatype learns of a new vulnerability, older scan reports will not reflect new information until a new scan is made.
Re-Evaluate Report button
The scan report includes a button to re-evaluate the report. This functionality is used to update the scan report when a change has been made to your policy or when a policy violation has been waived. This function will not update the report data with new vulnerabilities. See below for how to update the scan data.
Note
Policy Reevaluation will not trigger actions or notifications configured to your policies.
Updating scan data
There are a few ways to update your scan report with new data. Keep in mind for each of these, the existing report is maintained where a new scan report is generated and updated in the UI as the latest report.
New scans
This is the typical process for generating a report. You may trigger the scan from your CI or using the native plugins or CLI. You may also scan using the UI for testing purposes.
Review the Analysis documentation to review how to submit a scan.
Continuous monitoring
A configurable feature to have the IQ server automatically resubmit the results from the last scan for another analysis.
Promoting a previous scan
Scans older than the last results may be re-scanned using the Promote Scan REST API. This is typically used when the binaries of a previous build are now moving to a new stage in the production pipeline. Rather than rebuild the application again the previous scan data is reused for the newer stage.
Note
Note: by default older scans are automatically deleted after a new scan is made. In order to use the Promotion API, the purgeScanFiles configuration needs to be set to withReports. Otherwise, you may only promote the latest scan.
Review the Promote Scan REST API.
Older scans
The link to the scan report contains a unique identifier for the scan data and the resulting report. Old scan reports are accessible through their scan report URIs stored in the CI build results, violation notifications, or through the Report REST APIs.