What is Lifecycle Foundation?
This guide is written for users of Lifecycle Foundation, which is a lighter version of Sonatype Lifecycle. A Lifecycle Foundation license provides a subset of IQ Server functionality designed to support a focus on visibility and analysis of open source risk. This lets you focus on assessment, in particular identifying and reporting security risk. You can then get on an upgrade path to a full Lifecycle license when you’re ready for policy enforcement in your DevOps pipeline.
This guide will help:
- IQ Server users (project owners, administrators, and developers) identify the features and limitations associated with a Lifecycle Foundation license.
- Project owners and administrators prepare for the Lifecycle Foundation implementation best suited to their organization.
- IQ Server users discover how they can use Lifecycle Foundation to mitigate risk in their applications.
Licensing and Features
With Foundation, you can:
- Create customized policies for security, license, and quality standards.
- Integrate with existing CI/CD tools.
- Automatically create an application composition report, or a software bill of materials, to visualize risk and policy violations.
- Leverage the Sonatype Intelligence engine to provide remediation guidance including the use of waivers and license overrides.
However, there are some limitations with this license. Lifecycle Foundation does not:
- Integrate policy information and remediation guidance into a developer’s IDE.
- Support any automatic enforcement of policy, such as failing a build, sending alerts, or automatically creating Jira tickets.
- Provide continuous monitoring of applications in production to identify new risk in existing, previously approved components.
- Grandfather, or baseline, existing violations when onboarding new applications.
The following table further outlines the features and limitations of a Sonatype Lifecycle Foundation license:
| Feature | Lifecycle | Lifecycle Foundation |
|---|---|---|
| Software bill of materials | Yes | Yes |
| Integration via webhooks | Yes | No |
As you can see, Lifecycle Foundation has many of the same features as Lifecycle. Any functionality not available with this license appears disabled in the UI and is inaccessible.
How Can I Use Lifecycle Foundation to be More Secure?
The goal of Lifecycle Foundation is to provide automatic reporting and auditing by leveraging superior Sonatype intelligence. Knowing what’s in your applications will help you determine what you should fix to make them more secure.
Lifecycle Foundation gives you access to the IQ Server policy engine. Policy is what IQ Server uses to identify risk associated with open source, third-party, or proprietary components that may enter your repositories or exist in your applications.
Policies are defined as a set of rules that let you know when certain conditions are met. With Lifecycle Foundation, you can use the provided reference policies and/or create your own organizational policies, but you do not have access to policy actions (warn/fail), application baselining via the grandfathering feature, or automatic notifications through email or Jira. You can gain access to these features by upgrading to a full Lifecycle license.
Bill of Materials
With Lifecycle Foundation, you can produce a bill of materials (BOM) via the Application Composition Report. This report represents the health of your application and serves as a point-in-time output of risk associated with components in a specific application. The report includes information on how the application complies with established policies in your organization.
You can also review the health of applications you manage via the Dashboard. The Lifecycle Dashboard lets you apply filters like violations found within a specific stage or policy type. Applying these filters shows you results for the information you need, letting you focus on a remediation plan.
Applying policy and producing a bill of materials is important, but to be secure, you also need to address remediation. Remediating risk starts with improved component selection based on data. This data is generally found in the Component Information Panel (CIP), which is available from the Lifecycle Foundation user interface. The CIP displays remediation suggestions backed by Sonatype’s enriched data and guidance.
While a Lifecycle Foundation license gives you the information you need to start remediating, you will not have access to the more robust remediation features of a full license. Features such as developer-led fixing via IDE integration, continuous monitoring of applications, and grandfathering of applications become available upon upgrade.