Skip to main content

Re-Evaluating a Report

At the top right-hand corner of your Application Composition Report is a button labeled Re-Evaluate Report. This button allows users to quickly test new Policy configurations.


Re-evaluating means that the existing vulnerabilities and waivers in the report (generated when the application was scanned) will be evaluated against the current Policy set.

A re-evaluated report will reflect changes in the Policy set.

For example, if you create a new Policy, and then click Re-Evaluate Report, Lifecycle will check for violations against that Policy and include them in the report, if any.

Keeping Records

Re-evaluating a report overwrites that report's metadata with the new results. This means that the original report and the re-evaluated report could become inconsistent. Repeated re-evaluations can exacerbate the discrepancy.

Reports can serve as records of your application's contents at a specific point in time. If this kind of record-keeping is important to your organization, then avoid re-evaluating your reports outside a testing or sandbox Application.

Re-evaluating vs. Re-scanning

The Re-Evaluate Report button is not a new scan of your application. It will not report new vulnerability data from Sonatype.

Re-evaluation compares the original scan data with the current policy and waivers for changes.

You need to re-scan your application to get new vulnerability data.

If you need to re-scan :

  • Wait for your next CI build, if you're integrating with CI/CD tools like Jenkins.

  • Re-scan the application manually using the Sonatype IQ CLI.