Re-evaluating a Report
Re-evaluating means that the existing vulnerabilities and waivers in the report (generated when the application was scanned) will be evaluated against the current policy set.

Click on the Re-Evaluate Report button on the top right of the application report to analyze the new policy configurations.
A re-evaluated report will reflect changes in the policy and waivers.
For example, if you create a new policy and then click Re-Evaluate Report, Sonatype Lifecycle will check for violations against that policy and include any it finds in the report.
Change in Re-evaluate Report functionality
Starting with release 189, the Re-evaluate Report button evaluates an existing scan report against the policy, the waivers, and the latest component data from Sonatype Open Source Threat Intelligence.
Keeping Records
Re-evaluating a report overwrites that report's metadata with the new results. This means that the original report and the re-evaluated report could become inconsistent. Repeated re-evaluations can exacerbate the discrepancy.
Reports can serve as records of your application's contents at a specific point in time. If this kind of record-keeping is important to your organization, then avoid re-evaluating your reports outside a testing or sandbox Application.
Re-evaluating vs. Re-scanning
Change in Re-evaluate Report functionality
Starting with release 189, re-evaluation of a report also includes evaluation against the latest Sonatype Open Source Threat Intelligence.
The Re-Evaluate Report button is not a new scan of your application. It will not report new vulnerability data from Sonatype.
Re-evaluation compares the original scan data with the current policy and waivers for changes.
You need to re-scan your application to get new vulnerability data.
If you need to re-scan:
Wait for your next CI build, if you're integrating with CI/CD tools like Jenkins.
Re-scan the application manually using the Sonatype IQ CLI.