Policy Violation Grandfathering

Policy Violation Grandfathering was introduced in the Nexus IQ Server 50 release.

The Policy Violation Grandfathering feature allows selected policy violations to be "grandfathered" so that new applications can be onboarded even though they already carry policy violations. When the feature is enabled for an application, or for a parent organization the application inherits from, eligible policy violations are marked as grandfathered on the application's first evaluation. Grandfathered policy violations are not treated as active violations, although they remain visible in reports and on the Dashboard (see Viewing Grandfathered Policy Violations below). If desired, grandfathering can later be revoked so that these violations return to normal policy violation behavior.

Policy violations can be grandfathered automatically on an application's first evaluation, or manually for an application that has already been evaluated, in either case only if grandfathering is enabled or inherited for the application. Manual grandfathering marks the application's existing policy violations as grandfathered for subsequent evaluations.

Enabling policy violation grandfathering requires the following configuration:

  • Enable Policy Violation Grandfathering for an application or an organization. These settings will be inherited by child organizations and applications.
  • Indicate what policies are eligible for grandfathering.

In addition to the functional documentation provided here, we have also developed a technical guide that goes more in depth into what the Grandfathering feature is and why you should be using it. The guide includes two videos, and you can view it on the Sonatype Guides site.

Configuring Policy Violation Grandfathering on Organizations and Applications

Policy Violation Grandfathering can be enabled on organizations and applications, and the setting is inherited by child organizations and applications. By default, Policy Violation Grandfathering is disabled on the Root Organization and that setting is inherited by every child organization and application. The default Root Organization configuration also permits child organizations and applications to override the setting. You can therefore enable or disable Policy Violation Grandfathering for an organization or an application as long as no parent organization has restricted overriding the setting.

To enable or disable Policy Violation Grandfathering for an application or organization:

  1. Click the Organization & Policies icon on the IQ Server toolbar.
  2. Select the organization or application that you wish to edit from the sidebar.
  3. Scroll down to the Policies section and locate the text describing the current configuration under Policy Violation Grandfathering.
  4. Click the chevron next to the description to open the edit screen.

The options will vary slightly depending on whether you are editing the Root Organization, a child organization, or an application.

  • For the Root Organization you can select whether Policy Violation Grandfathering is enabled or disabled, and whether child organizations and applications may override this setting. The Root Organization has no parent, so it cannot inherit.
  • For child organizations you can select whether Policy Violation Grandfathering is enabled, disabled, or inherited from the parent, as well as whether child organizations and applications may override this setting.
  • For applications you can select whether Policy Violation Grandfathering is enabled or disabled.

If a parent organization has disabled overrides, the settings from that parent are inherited and the user interface for editing the configuration is disabled, with a message indicating the reason. Any setting previously configured on the child is ignored while the parent's restriction is in place.

Configuring Policy Violation Grandfathering on Policies

You will also need to enable or disable grandfathering on individual policies. To do so, follow the directions in Configuring Policies for editing a policy. Once editing the policy, locate the Policy Violation Grandfathering section on the edit screen and select or clear the Do not allow this policy to be grandfathered checkbox. Violations of a policy with this checkbox selected are never grandfathered, regardless of the organization or application configuration.

For new installs, policy violation grandfathering is enabled in the reference policies for threat levels less than or equal to 8; reference policies at threat levels 9 and 10 are not eligible for grandfathering by default.

For any policy violations to be grandfathered, both conditions must hold: the policy must be eligible for grandfathering, and Policy Violation Grandfathering must be enabled (directly or through inheritance) for the application.
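The two preceding sections describe a small set of rules that interact: a setting resolved down the Root Organization / child organization / application hierarchy, an "allow override" lock that forces descendants to inherit, per-policy eligibility, and the requirement that both the effective setting and the policy permit grandfathering on the first evaluation. The following is an added example model of those rules, written to make the resolution order explicit; it is not Nexus IQ Server code and does not use its REST API. The classes (Node, Policy, Violation), the helper names, and the hierarchy and policy names in example() ("Payments", "legacy-api", "Security-High", and so on) are hypothetical, and the sample violations are constructed.

```python
# Added example model of the grandfathering rules described above; not Nexus IQ
# Server code or API. Names (Node, Policy, "Payments", "legacy-api") are hypothetical.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Node:
    """Organization or application. enabled=None means inherit (invalid on the root)."""
    name: str
    parent: Optional["Node"] = None
    enabled: Optional[bool] = None
    allow_override: bool = True       # may children override? (ignored for applications)
    is_application: bool = False

@dataclass
class Policy:
    """grandfatherable=False mirrors ticking 'Do not allow this policy to be grandfathered'."""
    name: str
    threat_level: int
    grandfatherable: bool = True

@dataclass
class Violation:
    policy: Policy
    component: str
    grandfathered: bool = False

def reference_policy(name: str, threat_level: int) -> Policy:
    """Reference-policy default on a new install: eligible when threat level <= 8."""
    return Policy(name, threat_level, grandfatherable=threat_level <= 8)

def effective_grandfathering(node: Node) -> Tuple[bool, str, bool]:
    """Return (enabled, name of the node whose setting applies, locked).

    locked: an ancestor disabled overrides, so this node's own setting is ignored.
    """
    chain: List[Node] = []
    n: Optional[Node] = node
    while n is not None:
        chain.append(n)
        n = n.parent
    chain.reverse()                    # Root Organization first
    root = chain[0]
    if root.enabled is None:
        raise ValueError("the Root Organization cannot inherit; set enabled or disabled")
    enabled, source = root.enabled, root.name
    lock_children, node_locked = not root.allow_override, False
    for n in chain[1:]:
        node_locked = lock_children
        if node_locked:
            continue                   # parent forbade overrides: inherit, ignore own setting
        if n.enabled is not None:
            enabled, source = n.enabled, n.name
        if not n.is_application and not n.allow_override:
            lock_children = True       # everything below n must inherit
    return enabled, source, node_locked

def first_evaluation(app: Node, violations: List[Violation]) -> List[Violation]:
    """First evaluation: grandfather only if effectively enabled AND the policy is eligible."""
    enabled, _, _ = effective_grandfathering(app)
    for v in violations:
        v.grandfathered = enabled and v.policy.grandfatherable
    return violations

def active_violations(violations: List[Violation]) -> List[Violation]:
    """Grandfathered violations are still reported but are not active."""
    return [v for v in violations if not v.grandfathered]

def revoke_all(violations: List[Violation]) -> List[Violation]:
    """'Revoke All Grandfathered': violations return to normal behaviour."""
    for v in violations:
        v.grandfathered = False
    return violations

def example() -> dict:
    """Constructed hierarchy (hypothetical names) exercising each rule."""
    root = Node("Root Organization", enabled=False, allow_override=True)
    payments = Node("Payments", parent=root, enabled=True, allow_override=False)
    legacy_api = Node("legacy-api", parent=payments, enabled=False, is_application=True)
    sandbox = Node("Sandbox", parent=root)                    # inherits 'disabled' from root
    tools = Node("tools", parent=sandbox, enabled=True, is_application=True)
    violations = [                                             # constructed sample data
        Violation(reference_policy("Security-Critical", 9), "pkg:maven/com.example/a@1.0"),
        Violation(reference_policy("Security-High", 7), "pkg:maven/com.example/b@2.1"),
    ]
    first_evaluation(legacy_api, violations)
    return {
        "legacy_api": effective_grandfathering(legacy_api),   # locked to Payments: enabled
        "sandbox": effective_grandfathering(sandbox),         # inherits root: disabled
        "tools": effective_grandfathering(tools),             # own override: enabled
        "grandfathered": [v.policy.name for v in violations if v.grandfathered],
        "active": [v.policy.name for v in active_violations(violations)],
        "after_revoke": [v.policy.name for v in active_violations(revoke_all(violations))],
    }
```

Calling example() shows the three outcomes a practitioner should expect: legacy-api's own "disabled" setting is ignored because its parent organization disabled overrides, so it ends up enabled; Sandbox inherits the Root Organization's default of disabled; tools overrides its inheriting parent and is enabled. On legacy-api's first evaluation the threat level 7 violation is grandfathered while the threat level 9 violation stays active, and revoking returns both to active.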

Viewing Grandfathered Policy Violations

Information regarding grandfathered policy violations is displayed in several locations within Nexus IQ Server.

Application Composition Report

The number of grandfathered policy violations will be displayed in the Application Composition Report.

Individual grandfathered policy violations are also displayed on the Policy Violations tab when reviewing a report. The Grandfathered filter can be used to limit results to grandfathered policy violations.

Dashboard

Grandfathered policy violations can also be viewed using the filters on the Dashboard. Select the Violation State filter in the sidebar and select the Grandfathered checkbox to include grandfathered policy violations in dashboard results.

PDF Report

The number of grandfathered policy violations appears in the PDF Report under the Scope of Analysis section.

Notification Emails

Notification emails also contain the number of grandfathered policy violations.

Grandfather Policy Violations

Existing policy violations can be grandfathered manually at the application level. Subsequent evaluations will treat these policy violations as grandfathered, but this action does not perform a new evaluation and does not change existing reports. The action is only available if grandfathering is enabled or inherited for the application, and only violations of policies eligible for grandfathering are affected.

To grandfather existing policy violations for an application:

  1. Click the Organization & Policies icon on the IQ Server toolbar.
  2. Select the application from the sidebar.
  3. Click the Grandfather <application name> item in the Actions menu.

A modal dialog will ask you to confirm the action before proceeding.

Revoking Policy Violation Grandfathering

Policy violations that have been grandfathered can be revoked to a non-grandfathered state at the application level. Subsequent evaluations (including reevaluations) will report these policy violations as active if they still apply, but existing reports will not change.

To revoke policy violation grandfathering for an application:

  1. Click the Organization & Policies icon on the IQ Server toolbar.
  2. Select the application from the sidebar.
  3. Click the Revoke All Grandfathered item in the Actions menu.

A modal dialog will ask you to confirm the action before proceeding.