Waived Component Upgrades Configuration
Lifecycle will flag policy violations and may cause your builds to fail when they encounter vulnerable open-source components during scans. You can apply for waivers on these vulnerable components to continue temporary use until you remediate the violation by upgrading to safer/newer components. However, applying waivers introduces vulnerability risk to your software supply chain.
Using the Waived Component Upgrades feature, you can configure Lifecycle to monitor and indicate when upgrades for waived components that do not violate any policies, are available. Based on the upgrade available indicator, you can upgrade the older waived components with the newer, safer versions and remove the applicable waivers.
Configuration for Waived Component Upgrades
You can configure Lifecycle for waived component upgrades in 2 ways:
From the System Preferences menu
Using the waivedComponentUpgradeMonitoringEnabled property of Configuration REST API.
When configured correctly, monitoring for available upgrades for waived components will take place on a daily basis.
From the System Preferences Menu
1. Log into the IQ Server using a user account assigned to the System Administrator role.
2, In the System Preferences menu select the gear on the IQ Server toolbar; select Waived Components.
 |
3. Enable the dashboard indicator under Component Upgrade Availability. This is disabled by default.
 |
4. Click Update to complete the configuration. Lifecycle will now monitor for component upgrades.
View Available Component Upgrades
1. Click on Waivers (tab) on the main Dashboard.
2. "Available" under the Upgrade column, for any waiver will indicate that a new version of the waived component is available.
 |
3. Click on the row to view waiver details. The waiver details provide context or justification to support your component upgrade decisions.
 |
Implementing the Component Upgrade
1. Use componentName:"<component name>" in the search query for Advanced Search to find the occurrences of the component in applications and in the related evaluation reports.
2. Click on the evaluation report from the results of the advanced search.
3. Search for the component in the evaluation report by entering the component name in the filter under the Component column.
4. Click on the component to view the Component Details Page, to identify the version of the component available for an upgrade.
NOTE: For repository waivers, login to Sonatype Repository Manager to locate the repository containing the component.