
Policy Violation Comparison Behavior

We have changed the policy violation comparison (diffing) feature to make it more accurately highlight risk. An easily understood example is with security vulnerabilities.

IQ Server 1.49 and earlier: If a component has two security vulnerabilities with the same score it will be represented as a single policy violation.

Change for IQ Server release 50 and later: We want to create two policy violations, which more accurately represents the risk this component poses.

This rationale also applies to policy configuration changes that are significant, since they represent a different and new understanding of risk.

For IQ Server 1.49 and earlier, the policy violations are compared by policy internal id, policy name, policy threat level, component hash, and a component identifier. That is not enough for policy violations that are different based on the data that triggers the policy violation. We need to store extra data and use it in the policy violation comparison to achieve this new functionality.

With the new comparison model, some of the policy violation behavior will change. The purpose of this document is to illustrate the new behavior.

Waiver

Prior to Nexus IQ Server release 53, waivers worked the same way as before, based on the violating policy and component. Fine-grained waivers are used starting with Nexus IQ Server release 53.

Notification

Recall that notifications are only generated for new policy violations; none are created when the policy violation is determined to be the same as an existing one.

Old Behavior

A component has an existing Security-Medium policy violation. At the next policy evaluation a new security vulnerability appears that meets the Security-Medium policy conditions. No notification is created, since the policy violation is determined to be the same as the previous one.

New Behavior

A component has an existing Security-Medium policy violation. At the next policy evaluation a new security vulnerability appears that meets the Security-Medium policy conditions. A notification is created, since the policy violation is determined to be different because of the new security vulnerability.

Policy Rename

Old Behavior

Once a policy is renamed, any existing policy violations for that policy would be considered new when the next evaluation occurs. We used the rename as a shortcut for someone to indicate the policy is different after they changed conditions/constraints.

For example:

Evaluation on May 1, a policy named P1 has policy violation A.

Evaluation on May 2, a policy named P1 has policy violation A. The policy violation is considered old.

The policy named P1 is changed to be named P2.

Evaluation on May 3, a policy named P2 has policy violation A. The policy violation is considered new.

New Behavior

Policy name changes will no longer trigger new policy violations. The name is not used in determining changes; we've introduced other heuristics to determine significant changes. Once a policy is renamed, any existing policy violations for that policy will remain unchanged when a new evaluation occurs (provided no other information changes).

For example:

Evaluation on May 1, a policy named P1 has policy violation A.

Evaluation on May 2, a policy named P1 has policy violation A. The policy violation is considered old.

The policy named P1 is changed to be named P2.

Evaluation on May 3, a policy named P2 has policy violation A. The policy violation is considered old.

Violation Data

The majority of the change is in how differences in policy violations are determined based on the data that triggers the policy violation (the conditions to be met). An explanation of the kinds of information and specific data fields used in this comparison follows, along with several examples.

Trigger Data by Condition Type

Label

  • label id in the policy condition

License

  • license id in the policy condition

License Status

  • license status id in the policy condition

License Threat Group

  • license threat group id in the policy condition

License Threat Group Level

  • license threat group id

  • the threat level of the corresponding license threat group

Security Vulnerability Severity

  • security vulnerability reference id

  • severity (score) of the corresponding security vulnerability

Security Vulnerability Status

  • security vulnerability reference id

  • the status id of the corresponding security vulnerability
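The following Python model is an added example, not Sonatype's code: it encodes the old comparison key (policy internal id, policy name, threat level, component hash, component identifier) and the new one (policy name dropped, condition type and trigger data added) and replays the three cases this page describes, the two-vulnerabilities-same-score count, the Notification section's "new vulnerability appears" case, and the Policy Rename case. Field names, the component identifier, the hash and the vulnerability reference ids are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Tuple

@dataclass(frozen=True)
class Violation:
    # Identity fields the page lists for the IQ Server 1.49 comparison
    policy_id: str        # policy internal id (constructed placeholder below)
    policy_name: str
    threat_level: int
    component_hash: str
    component_id: str
    # Extra data stored from release 50 on: condition type plus its trigger data
    condition_type: str   # e.g. "SecurityVulnerabilitySeverity"
    trigger: Tuple[str, ...]  # e.g. (vulnerability reference id, score)

def old_key(v: Violation) -> tuple:
    """IQ Server 1.49 and earlier: name counts, trigger data is ignored."""
    return (v.policy_id, v.policy_name, v.threat_level, v.component_hash, v.component_id)

def new_key(v: Violation) -> tuple:
    """Release 50 and later: name dropped, condition type and trigger data included."""
    return (v.policy_id, v.threat_level, v.component_hash, v.component_id,
            v.condition_type, v.trigger)

def distinct(violations: Iterable[Violation], key: Callable) -> set:
    """Collapse raw condition hits into the distinct violations a model reports."""
    return {key(v) for v in violations}

def newly_raised(previous, current, key: Callable) -> set:
    """Violations present now but absent before: only these produce notifications."""
    return distinct(current, key) - distinct(previous, key)

def sample(policy_name: str, vulns) -> list:
    """Constructed sample: one component, one security policy, one hit per vulnerability."""
    return [Violation("policy-internal-id-1", policy_name, 7, "hash-placeholder",
                      "example:tomcat-util:1.0", "SecurityVulnerabilitySeverity",
                      (ref, f"{score:.1f}")) for ref, score in vulns]

def same_score_counts() -> Tuple[int, int]:
    """Two vulnerabilities with the same score: (old count, new count)."""
    cur = sample("Security-Medium", [("VULN-A", 5.0), ("VULN-B", 5.0)])
    return len(distinct(cur, old_key)), len(distinct(cur, new_key))

def new_vulnerability_notifications() -> Tuple[int, int]:
    """A second vulnerability appears: old model sees nothing new, new model sees one."""
    prev = sample("Security-Medium", [("VULN-A", 5.0)])
    cur = sample("Security-Medium", [("VULN-A", 5.0), ("VULN-B", 5.0)])
    return len(newly_raised(prev, cur, old_key)), len(newly_raised(prev, cur, new_key))

def rename_notifications() -> Tuple[int, int]:
    """Policy P1 renamed to P2, nothing else changes: old model re-raises, new does not."""
    prev, cur = sample("P1", [("VULN-A", 5.0)]), sample("P2", [("VULN-A", 5.0)])
    return len(newly_raised(prev, cur, old_key)), len(newly_raised(prev, cur, new_key))
```

The same `newly_raised` diff reproduces each Old/New Behavior pair below once the trigger tuple holds the condition type's data from the list above (label id, license id, threat group id and level, and so on).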

Some Examples of Behavior

Label

  • Old Behavior

    • A component has two labels: label-1 and label-2.

    • Evaluation with condition "Label is label-1" has a policy violation.

    • Change condition to "Label is label-2".

    • Evaluation with condition "Label is label-2" has a policy violation. The policy violation is considered old.

  • New Behavior

    • A component has two labels: label-1 and label-2.

    • Evaluation with condition "Label is label-1" has a policy violation.

    • Change condition to "Label is label-2".

    • Evaluation with condition "Label is label-2" has a policy violation. The policy violation is considered new because the label id has changed.

License

  • Old Behavior

    • A component has license LGPL-3.0 and Apache-2.0.

    • Evaluation with condition "License is Apache-2.0" has a policy violation.

    • Change condition to "License is LGPL-3.0".

    • Evaluation with condition "License is LGPL-3.0" has a policy violation. The policy violation is considered old.

  • New Behavior

    • A component has license LGPL-3.0 and Apache-2.0.

    • Evaluation with condition "License is Apache-2.0". A policy violation is created.

    • Change condition to "License is LGPL-3.0".

    • Evaluation with condition "License is LGPL-3.0" has a policy violation. It is considered new because the license id has changed.

License Status

  • Old Behavior

    • A component has a license with a status of open.

    • Evaluation with a condition "License Status is Open" has a policy violation.

    • Change component license status to overridden.

    • Change condition to "License Status is Overridden".

    • Evaluation with a condition "License Status is Overridden" has a policy violation. The policy violation is considered old.

  • New Behavior

    • A component has a license with a status of open.

    • Evaluation with a condition "License Status is Open" has a policy violation.

    • Change component license status to overridden.

    • Change condition to "License Status is Overridden".

    • Evaluation with a condition "License Status is Overridden" has a policy violation. It is considered new.

License Threat Group

  • Old Behavior

    • A component has a license in the Liberal and Copyleft license threat groups.

    • Evaluation with the condition "License Threat Group is Liberal" has a policy violation.

    • Change condition to "License Threat Group is Copyleft".

    • Evaluation with the condition "License Threat Group is Copyleft" has a policy violation. The policy violation is considered old.

  • New Behavior

    • A component has a license in the Liberal and Copyleft license threat groups.

    • Evaluation with the condition "License Threat Group is Liberal" has a policy violation.

    • Change condition to "License Threat Group is Copyleft".

    • Evaluation with the condition "License Threat Group is Copyleft" has a policy violation. The policy violation is considered new because the license threat group id has changed.

License Threat Group Level

  • Old Behavior

    • A component has a license in a license threat group with a threat level of 4.

    • Evaluation with the condition "License Threat Group greater than or equals to 2" has a policy violation.

    • The component's license has changed to a license threat group with a threat level of 5.

    • Evaluation with the condition "License Threat Group greater than or equals to 2" has a policy violation. The policy violation is considered old.

  • New Behavior

    • A component has a license in a license threat group with a threat level of 4.

    • Evaluation with the condition "License Threat Group greater than or equals to 2" has a policy violation.

    • The component's license has changed to a license threat group with a threat level of 5.

    • Evaluation with the condition "License Threat Group greater than or equals to 2" has a policy violation. The policy violation is considered new because the license threat group level has changed.

Security Vulnerability Severity

  • Old Behavior

    • A component has a security vulnerability with a severity of 5.

    • Evaluation with the condition "Security Vulnerability Severity greater than or equals 5" has a policy violation.

    • The component's security vulnerability severity changes to 6.

    • Evaluation with the condition "Security Vulnerability Severity greater than or equals 5" has a policy violation. The policy violation is considered old.

  • New Behavior

    • A component has a security vulnerability with a severity of 5.

    • Evaluation with the condition "Security Vulnerability Severity greater than or equals 5" has a policy violation.

    • The component's security vulnerability severity changes to 6.

    • Evaluation with the condition "Security Vulnerability Severity greater than or equals 5" has a policy violation. The policy violation is considered new because the security vulnerability severity has changed.

Security Vulnerability Status

  • Old Behavior

    • A component has a security vulnerability status of open.

    • Evaluation with the condition "Security Vulnerability Status is Open" has a policy violation.

    • Change component security vulnerability status to acknowledged.

    • Change condition to "Security Vulnerability Status is Acknowledged".

    • Evaluation with the condition "Security Vulnerability Status is Acknowledged" has a policy violation, but it is considered old.

  • New Behavior

    • A component has a security vulnerability status of open.

    • Evaluation with the condition "Security Vulnerability Status is Open" has a policy violation.

    • Change component security vulnerability status to acknowledged.

    • Change condition to "Security Vulnerability Status is Acknowledged".

    • Evaluation with the condition "Security Vulnerability Status is Acknowledged" has a policy violation. It is considered new because the security vulnerability status id has changed.

Sample Application example

The sample application can be used to illustrate the changes to violation counts by reviewing the security policy violations.

Current behavior will ignore subsequent policy violations for the same policy. It appears as if the security vulnerabilities are grouped together as one policy violation per threat grouping. When looking at all the policy violations, notice that under Security-Medium the component names appear one time, indicating a single policy violation for the Security-Medium policy. When you view the details of the component you'll notice there are several security vulnerabilities.


The new behavior will evaluate each security vulnerability and generate a separate policy violation for each. When looking at the policy violations, notice that under Security-Medium the following component names appear more than once, because more than one security vulnerability meets the policy's conditions (security score within the medium range): geronimo, jetty, and tomcat-util.