Re-Evaluating a Report
At the top right-hand corner of your Application Composition Report is a button labeled Re-Evaluate Report. This button allows users to quickly test new Policy configurations.
Re-evaluating means that the existing vulnerabilities and waivers in the report (generated when the application was scanned) will be evaluated against the current Policy set.
A re-evaluated report reflects any changes made to the Policy set since the scan. For example, if you create a new Policy and then click Re-Evaluate Report, Lifecycle checks the report's existing component data for violations of that Policy and adds any it finds to the report.
Keeping Records
Re-evaluating a report overwrites that report's metadata with the new results, so the report no longer shows the results the original scan produced. Each further re-evaluation widens that discrepancy.
Reports can serve as records of your application's contents at a specific point in time. If this kind of record-keeping is important to your organization, then avoid re-evaluating your reports outside a testing or sandbox Application.
Re-evaluating vs. Re-scanning
Clicking Re-Evaluate Report does not scan your application again and does not pull new vulnerability data from Sonatype.
Re-evaluation only re-applies the current Policy set and waivers to the component data captured by the original scan, so vulnerabilities disclosed after that scan will not appear.
To get new vulnerability data, you need to re-scan your application.
If you need to re-scan:
Wait for your next CI build, if you're integrating with CI/CD tools like Jenkins.
Re-scan the application manually using the Sonatype IQ CLI.
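The manual re-scan option above, as an added shell example (not from the Sonatype documentation or the IQ CLI itself): it wraps the IQ CLI invocation and keeps the JSON summary the CLI writes with -r as a read-only, never-overwritten record of the scan's outcome, so a later Re-Evaluate Report in the UI cannot change what you recorded. Assumed and not from the page: the jar name nexus-iq-cli.jar in the working directory, the IQ_SERVER and IQ_AUTH environment variables, the -s, -a, -i, -t and -r flags (server URL, user:password, application id, stage, result file), and the sample JSON's field names and values, which are constructed for the example. The summary records the evaluation outcome (policy action, violation counts, report URL), not the report's full component list.

```shell
#!/bin/sh
# Added example for manual re-scans with the Sonatype IQ CLI; not Sonatype's
# documentation or tooling. Assumptions: nexus-iq-cli.jar is in the working
# directory, IQ_SERVER / IQ_AUTH hold the server URL and user:password, and
# -s/-a/-i/-t/-r are the server, auth, application id, stage and result-file
# flags. The sample JSON below is constructed; its field names are assumed.

# Manual re-scan. Unlike Re-Evaluate Report, this fetches current
# vulnerability data and produces a new report for APP_ID at STAGE over
# TARGET, writing the JSON summary to RESULT_FILE (the -r flag).
iq_scan() {
  app_id=$1; stage=$2; target=$3; result_file=$4
  java -jar nexus-iq-cli.jar \
    -s "${IQ_SERVER:?set IQ_SERVER to the IQ Server URL}" \
    -a "${IQ_AUTH:?set IQ_AUTH to user:password}" \
    -i "$app_id" -t "$stage" -r "$result_file" "$target"
}

# Extract a top-level string field ($2) from the result JSON ($1). Assumes
# one field per line, which is how the pretty-printed summary is laid out.
json_string() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Keep RESULT_FILE under ARCHIVE_DIR as <applicationId>-<scanId>.json, made
# read-only and never overwritten, so the record of what this scan found
# survives any later re-evaluation of the report in the UI. Prints the path.
archive_result() {
  result_file=$1; archive_dir=$2
  app=$(json_string "$result_file" applicationId)
  scan=$(json_string "$result_file" scanId)
  if [ -z "$app" ] || [ -z "$scan" ]; then
    echo "archive_result: missing applicationId or scanId in $result_file" >&2
    return 1
  fi
  mkdir -p "$archive_dir"
  dest="$archive_dir/$app-$scan.json"
  if [ -e "$dest" ]; then
    echo "archive_result: refusing to overwrite existing record $dest" >&2
    return 1
  fi
  cp "$result_file" "$dest"
  chmod 0444 "$dest"   # a point-in-time record, not a working copy
  printf '%s\n' "$dest"
}

# Constructed sample of the summary the CLI writes with -r (values made up).
write_sample_result() {
  cat > "$1" <<'EOF'
{
  "applicationId": "sandbox-app",
  "scanId": "0123456789abcdef0123456789abcdef",
  "reportHtmlUrl": "http://iq.example.test:8070/ui/links/application/sandbox-app/report/0123456789abcdef0123456789abcdef",
  "policyAction": "Warning",
  "policyEvaluationResult": {
    "affectedComponentCount": 3,
    "criticalComponentCount": 0,
    "severeComponentCount": 1,
    "moderateComponentCount": 2
  }
}
EOF
}

# Stand-alone demonstration on the constructed file (no IQ Server needed).
# A real run would be: iq_scan sandbox-app build ./target result.json
demo_dir=$(mktemp -d)
write_sample_result "$demo_dir/result.json"
archived=$(archive_result "$demo_dir/result.json" "$demo_dir/archive")
echo "archived $archived (policyAction=$(json_string "$archived" policyAction))"
```

Scan into a testing or sandbox Application when you want to try a new Policy, and archive the -r summary from each production scan; the archived file, not the live report, is then the record of what the scan found at that time.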