Policy Management

A policy is a set of rules that guide certain actions when conditions are met. It’s what IQ Server uses to identify and prevent risk associated with open source, third-party, or proprietary components that may enter a repository or exist in an application.

Getting Started with Policies

To begin, there are several fundamental questions to ask yourself about risk and the components you use:

  • What types of risks do you want to know about: security vulnerabilities, licensing problems, quality issues (like age or popularity), or something else?
  • At what stage in the development lifecycle do you want to know about those risks?
  • How severe do you think those risks are?
  • What actions do you want to take? Receive a warning? Stop a build?
  • Who should be notified of those risks? Particular individuals or whole groups?
  • Do you want to constantly monitor inventoried components for new risk?
  • How should the policies be applied in the system hierarchy? Globally, at the root organization level? More narrowly, at the organization level? Or even more narrowly, at the application level?

Reference Policy Set

Creating policies from scratch can be a complex and labor intensive process, and the Reference Policy Set will give you a head start.

When you start IQ server for the first time, the Reference Policy Set will be imported into the Root Organization automatically. You can also import the Reference Policy Set into an organization manually, as described in the section below. 

The reference set contains policies for detecting and managing security, licensing, architectural, and popularity issues and includes some advanced policy features like application categories, component labels, and license threat groups. This policy set can help you gather information about the components used to build applications (including unknown and patched components), and understand how policy management will work for your environment.

Downloading the Reference Policy Set

You can download the reference policy set into an organization from here:

For IQ Server release 50 and newer:

For IQ Server version 1.22 to 1.49:

For IQ Server version 1.21 or older:

Once the Reference Policy Set is downloaded, you can import it by following the instructions in the next section.

Importing Policies

After you acquire a policy file (in a .json format) such as the Reference Policy Set, follow these steps to import it into IQ Server.

  1. Log into IQ Server using an account that has permission to import policies into a specific organization (including the Root Organization). At a minimum, the account should be assigned to the Owner role of the organization.
  2. Click the Manage Applications and Organizations icon  on the IQ Server toolbar.
  3. In the sidebar, click the organization into which you want to import the policy.
  4. Click the Actions menu and select Import Policies
    The Import Policy dialog is displayed as shown in the figure below.
  5. Click the Choose File button and select the policy .json file in the file browser.
  6. Click the Import button.

Rules for Importing Policies

If you want to import policies into an organization with existing policies (or application categories, component labels, and/or license threat groups), you should consider the following rules:

  • Existing policies and waivers belonging to this organization and any of its descendants will be deleted during the import procedure.
  • Importing policies also includes application categories, component labels, and license threat groups for which the following logic is used:
    • Application Categories - IQ Server attempts to match application categories against existing ones in a case-insensitive manner. This allows for updating the description or color of existing application categories, while preserving any current matching of categories between policies and applications.
    • Component labels - IQ Server attempts to match component labels against existing ones in a case-insensitive manner. This allows for updating the description or color of existing component labels, while preserving any triage effort already done to apply these labels to components. If your import contains component labels that aren’t already present in the system, they will be created.
    • License Threat Groups - IQ Server will delete all existing license threat groups belonging to this organization and any of its descendants, and then import the new ones.

Related topics