Policy Management

Governance Policies are the rules to identify risk from open-source components found in your applications. These policies report identified risk to each project stakeholder while enforcing compliance at any stage of the software development lifecycle. You will want governance policies in place before scanning applications to get a baseline of your open-source risk.

This is the goal of the Sonatype Reference Policy.

Reference Policy

Creating an open-source governance policy is challenging which is why Sonatype provides a reference policy set for use as a starting point for baselining your open-source risk.

When launching Lifecycle for the first time, the Reference Policy is imported automatically from the Sonatype Data Services. Connectivity issues may prevent the policies from loading, so you may need to manually import the reference policy into your Root Organization.

See Reference Policies

Policy Elements

Policy Name

The Policy Name indicates the risk or violation it is associated with. This Policy Name will appear in all reports and views. To avoid confusion, assign a unique name to every policy. A Policy Name can be up to 60 characters long and include alphanumerics, underscores (_), periods (.), dashes (-), or spaces.

Threat Level

The threat level is a subjective value for the perceived risk of a policy violation. Its purpose is to sort policy violations in reports and views: the violations with the highest threat level appear first, followed by those with lower threat levels.

  • The threat level values are grouped by severity and identified by specific colors.

  • Avoid causing unnecessary alarm when setting the threat level.

  • Select the lowest possible number that provides value: informational level (1) or low level (2-3).

  • Save the high-level values (8-10) for only the highest priority and risk.

Level      Color       Number
Critical   Red         8-10
Severe     Orange      4-7
Moderate   Yellow      2-3
Low        Blue        1
None       Light Blue  0

Note

Policy Threat Levels do not align with CVSS scores. See Security Policies for details.