Policy Management

Lifecycle policies are the rules that automatically identify risk from components throughout your organization. These policies report discovered risk to the right stakeholders while enforcing compliance at any stage of the software development lifecycle.

While most of our examples for managing policies demonstrate referencing components/packages in the Maven format, Sonatype Lifecycle also supports several other formats. For more information, go to Referencing Package URL (purl) and Component Identifiers.

Getting Started

To begin, there are some fundamental questions to consider:

  • What do you want to know about?
    • CVE and malicious code found in open source libraries
    • organization risk from undesirable license obligations
    • open source hygiene
    • component information
  • Are some applications more critical (more risk adverse) than others?
  • Where in the SDLC do you want teams to be notified of any risk?
  • What should happen when a new violation is discovered?
  • Will you build the application every day or should recent builds automatically checked?
  • For legacy applications, do you plant to accept all current risk from the start?

Learn More

For more about policy management in IQ Server, be sure to check out our Organizational Policies eLearning course.

Reference Policy Set

Creating governance policies from scratch is labor-intensive and challenging. Ideally, your governance policies are set before scanning your applications to get a baseline of open source risk.  This is the goal of the Sonatype Reference Policy Set.

When starting Lifecycle for the first time, the Reference Policy Set is imported automatically from the Sonatype Data Services.

For additional help, please see Reference Policy Best Practices.

If Lifecycle is unable to connect to Sonatype Data Services when first launched, importing the reference policy set will fail.  Check that the IQ Server can connect to https://clm.sonatype.com on port 443 TCP.  Once this has been corrected, clear the server's work directory and try again.

Importing Policies

The Reference Policy Set can be downloaded and imported manually.  This is primarily to remove the current policies without having to start over with server configuration.

Importing the reference policy will clear modifications to license threat groups, references to policy violations, and any existing waivers.

IQ Server ReleasesSet DetailsReference Policy Set
release 140 or newer(more info)reference-policies-v7.json
release 106 to 139(more info)


release 97 to 105


release 91 to 96(more info)


release 50 to 90


release 22 to 49


release 21 or older


Once downloaded, use the following steps to import them into IQ Server.

  1. Log into IQ Server using an account that has permission to import policies into a specific organization (including the Root Organization). At a minimum, the account should be assigned to the Owner role of the organization.
  2. Click the Manage Applications and Organizations icon  on the IQ Server toolbar.
  3. In the sidebar, click the organization into which you want to import the policy.
  4. Click the Actions menu and select Import Policies
    The Import Policy dialog is displayed as shown in the figure below.
  5. Click the Choose File button and select the policy .json file in the file browser.
  6. Click the Import button.

Rules for Importing Policies

If you want to import policies into an organization with existing policies (or application categories, component labels, and/or license threat groups), you should consider the following rules:

  • Existing policies and waivers belonging to this organization and any of its descendants will be deleted during the import procedure.
  • Importing policies also includes application categories, component labels, and license threat groups for which the following logic is used:
    • Application Categories - IQ Server attempts to match application categories against existing ones in a case-insensitive manner. This allows for updating the description or color of existing application categories, while preserving any current matching of categories between policies and applications.
    • Component labels - IQ Server attempts to match component labels against existing ones in a case-insensitive manner. This allows for updating the description or color of existing component labels, while preserving any triage effort already done to apply these labels to components. If your import contains component labels that aren’t already present in the system, they will be created.
    • License Threat Groups - IQ Server will delete all existing license threat groups belonging to this organization and any of its descendants, and then import the new ones.

Related topics