
Continuous Risk Profile

Sonatype for SCM generates a continuous risk profile of the organization's codebase by running automatic application evaluations at the source stage. It uses the following capabilities to create a continuous risk profile:

  1. Default branch monitoring

  2. Feature branch monitoring

Default Branch Monitoring

Default branch monitoring is implemented by running both periodic and event-driven application evaluations. This feature is enabled for all private, internal, and public repository types. The selected repository should be configured for source control as described in Sonatype for SCM.

Periodic application evaluations: Nexus IQ for SCM performs policy evaluations on the default branch once per day. These evaluations are initiated based on the following IQ server settings:

defaultBranchMonitoringstartTime: 00:00
defaultBranchMonitoringIntervalHours: 24

To change the start time or the interval between evaluations, use the Source Control Configuration REST API.

Event-driven application evaluations: Before performing an event-driven application evaluation, Nexus IQ for SCM checks whether external policy evaluations (run by the Nexus CLI or CI jobs) have been performed. If no policy evaluations are found in the last 7 days, an application evaluation is initiated when a PR is detected on the default branch and no policy evaluation is associated with the head commit.

Note

If policy evaluations for a default branch have been set to initiate externally, for example via the Source Control Evaluation REST API, then Default Branch Monitoring is disabled. The Source Control Evaluation REST API offers better control over the evaluation target (i.e. scan targets) and time.

Default Branch Monitoring is automatically re-enabled if there have been no externally initiated policy evaluations in the source stage for the default branch in the last seven days.

Examples to illustrate default branch monitoring

The default branch monitoring process kicks off at the start time. It iterates through all IQ applications to check for code changes.

Example 1: A CI job is configured to run a build and evaluation of an IQ application at 03:00 hrs in the build stage. Code changes have been committed to the default branch in the last 24 hours. startTime for IQ server default branch monitoring is configured as 00:00 and intervalInHours is configured as 24.

What happens now: The default branch monitoring process kicks off at 00:00 and finds that no application evaluation has occurred in the source stage in the last 24 hours. An application evaluation is initiated in the source stage.

Example 2: A CI job is configured to run a build and evaluation of an IQ application at 03:00 in the source stage. Code changes have been committed to the default branch in the last 24 hours. startTime for IQ server default branch monitoring is configured as 00:00 and intervalInHours is configured as 24.

What happens now: The default branch monitoring process kicks in at 00:00 and finds an external source stage application evaluation that occurred in the last 24 hours, when there were code commits. IQ server determines that the customer has effectively taken over default branch monitoring, and it does not initiate an application evaluation.

Example 3: A CI job is configured to run a policy evaluation of an IQ application (for the default branch), initiated via the Source Control Evaluation REST API, every day at 05:00. The job ran for a while but was disabled 7 days ago. startTime for IQ server default branch monitoring is configured as 00:00 and intervalInHours is configured as 24.

What happens now: The default branch monitoring process kicks in at 00:00 and finds no source stage application evaluation in the last 7 days. IQ server determines that the existing application evaluation report is out of date, and it initiates an application evaluation in the source stage.
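The decision rules behind the three examples above, written out as an added Python model (not Sonatype's code): the 7-day external take-over window, the 24-hour interval, the source-stage filter, and the head-commit check for event-driven evaluations. The `Evaluation` record, all timestamps and commit ids are constructed for illustration; whether the event-driven external check is limited to the source stage is an assumption noted in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# From the page: an external source-stage evaluation in the last 7 days
# switches default branch monitoring off for that application.
TAKEOVER_WINDOW = timedelta(days=7)

@dataclass
class Evaluation:
    stage: str       # "source" or "build"
    external: bool   # run by CLI, CI or the REST API rather than by monitoring
    at: datetime
    commit: str      # evaluated commit id (constructed values below)

def taken_over(now, evaluations):
    """True if an external source-stage evaluation ran within the 7-day window."""
    return any(e.external and e.stage == "source" and now - e.at <= TAKEOVER_WINDOW
               for e in evaluations)

def periodic_should_evaluate(now, evaluations, interval_hours=24):
    """Decision for one application when the periodic monitoring run starts."""
    if taken_over(now, evaluations):
        return False  # the customer took over (Example 2)
    fresh = timedelta(hours=interval_hours)
    # Only source-stage reports count; a build-stage CI run does not (Example 1).
    return not any(e.stage == "source" and now - e.at <= fresh for e in evaluations)

def event_should_evaluate(now, evaluations, head_commit):
    """Decision when a PR is detected on the default branch. Assumption: the
    external check is limited to the source stage, as in the periodic rule."""
    if taken_over(now, evaluations):
        return False
    return not any(e.commit == head_commit for e in evaluations)

def run_page_examples():
    """Re-creates the page's three examples with constructed timestamps."""
    now = datetime(2024, 1, 10, 0, 0)            # startTime 00:00
    ci_0300 = now - timedelta(hours=21)           # yesterday's 03:00 CI job
    ex1 = [Evaluation("build", True, ci_0300, "c1")]
    ex2 = [Evaluation("source", True, ci_0300, "c1")]
    ex3 = [Evaluation("source", True, now - timedelta(days=8), "c0")]  # disabled >7 days ago
    return tuple(periodic_should_evaluate(now, ex) for ex in (ex1, ex2, ex3))

def run_event_examples():
    """Event-driven case: head commit already evaluated vs. a new head commit."""
    now = datetime(2024, 1, 10, 12, 0)
    evals = [Evaluation("source", False, now - timedelta(hours=3), "abc123")]
    return (event_should_evaluate(now, evals, "abc123"),
            event_should_evaluate(now, evals, "def456"))
```

`run_page_examples()` returns `(True, False, True)`, matching the outcomes of Examples 1 to 3; `run_event_examples()` returns `(False, True)`.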

Other benefits of default branch monitoring

Default branch monitoring enables maintaining a continuous risk profile for Nexus IQ applications until external policy evaluations based on the user/organization needs (specific applications, development stages, and evaluation times) have been configured to run as CLI or CI processes. This feature combined with Automated Pull Requests provides automatic PRs with fixes for components introduced in the main branch that have policy violations.

Viewing the application evaluation reports generated by default branch monitoring

The default branch monitoring process iterates through all IQ applications to check for the last evaluation before initiating an evaluation. The start time set up in the source control configuration settings is the time when this process kicks in. This time will differ from the evaluation time reported on an IQ application: the time of application evaluation depends on the number of applications that the monitoring process needs to check before initiating the evaluation.

The most recent report for an application default branch is accessible in the Reports section:


Feature Branch Monitoring

Nexus IQ for SCM periodically detects changes on feature branches that have pull requests, executes policy evaluations on the changed feature branches, and updates pull request comments when policy violations are resolved or introduced.

Note

Feature branch monitoring only works on repositories that cannot be accessed publicly. Repositories must be private or internal for all supported providers, except GitHub Enterprise, for which all repositories will work.

Prerequisites for feature branch monitoring

The following criteria are prerequisites for automatic policy evaluations of feature branches:

  1. The selected repository is configured for source control

  2. The feature branch has an associated open Pull Request