
Lifecycle Dashboard Concepts

It’s very easy to succumb to routine, especially when it comes to technology. The same could be said when you use Sonatype Lifecycle to monitor the health of your applications. After logging in, you might glance at the dashboard’s list of violations before muscle memory whisks you away to the parts of the tool you use most often. However, it’s never too late to stop and smell the virtual roses.

Lifecycle’s dashboard is a powerful and flexible tool, providing a multi-faceted view of your data and offering unparalleled insights into your applications. Think of the dashboard as a multi-paneled wall of TV screens that provides different channels of information with the latest updates. Regardless of how you specifically use the dashboard, all users should set a regular cadence for reviewing their apps’ health to gauge remediation activity and assess their overall risk standing. Even if you are scanning automatically every day using a Lifecycle integration, making time to review the actual dashboard is still a worthwhile practice.

Now, let’s dive into some of the more typical use cases for Lifecycle’s dashboard.

Note

As you may have noticed, there are several features that are common across multiple tabs on the dashboard, including the following:

  • Filtering - Regardless of which tab you are viewing, all displayed violation data can be filtered to your liking.

  • Exporting data - The dashboard displays only the first 100 violation results. To see the complete list, export the data to a CSV file. In many cases the export also includes additional fields that the dashboard does not display.

  • Sorting results - Similar to the filter feature, regardless of which tab you are viewing, all data columns can be sorted. For instance, if you prefer a column to be sorted in descending order, simply click the column heading, and the data will adjust accordingly.

  • Truncated list display - Each tab on the dashboard shows only the first 100 results of that tab’s data, although there may be many more. Sonatype Lifecycle intentionally caps the displayed list at 100 to protect server performance, particularly on large instances.

Note

If you need to delete a stale waiver, the only way to do so currently is through the Stale Waiver REST API. Sonatype is aware of this problematic user experience and is working to resolve it so that you can delete such waivers from within the waiver’s details view.

To start, here is a chart that serves as an overview of what is discussed in more depth below.

Use Cases and Workflow – Sonatype Lifecycle Dashboard

(Use Case 1 – Prioritizing & Remediating Your Risk; Use Case 2 – Auditing Your Overall Risk)

Violations Tab

  Use Case 1:

  • Use filters to extract specific violation data

  Use Case 2:

  • “Birds-eye view” of overall violations’ risk

Components Tab

  Use Case 1:

  • Identify apps most impacted by flagged components

  • Identify upgrade paths

  • Learn components’ aggregated risk to prioritize remediation

  Use Case 2:

  • Color-coded heat map to quickly identify components with highest risk

  • Identify apps containing highest risk components

Applications Tab

  Use Case 1:

  • Identify applications’ aggregated risk to prioritize remediation

  Use Case 2:

  • Identify apps with highest aggregated risk

Waivers Tab

  Use Case 1:

  • View list of current waivers

  • Filter by expiration date to identify soon-to-expire waivers

  • Identify waivers scoped to repositories (Sonatype Firewall users)

  • Keep tabs on stale waivers that might be re-activated

  Use Case 2:

  • View list of current waivers (or filter by expiration for waivers expiring soon)

  • Identify overly broad waivers for which scope is set too high

  • Identify waivers without an upgrade path

  • View stale waivers that might be re-activated

Use Case #1: Prioritizing & Remediating the Risk You Find

This is the most common way customers use the Lifecycle dashboard — to identify and prioritize their applications’ risk. While viewing individual scan reports is insightful, it isn’t very time-efficient. Instead, let us guide you in strategically using the dashboard’s four tabbed views to extract specific pieces of data about your applications’ risk. This will help you maximize the efficiency of your work, allowing you to dive directly into remediation efforts.

Workflow (by dashboard tab)

Violations Tab

After logging in, you see the default dashboard view, the Violations tab. As the name suggests, this is a list of the latest policy violations across all of your applications (typically what has manifested over the past few days). Admins typically use this view to proactively monitor their entire application portfolio to prevent breaking builds.

You may be saying “Okay, but it’s just a list to sift through…what more could there be?” The answer lies with the filter button in the upper right corner of the dashboard. The filter options dropdown is your key to whittling that larger, general list of recent violations into precisely the information you need. For example, if you want to see only a list of violations from:

  • The finance-related application

  • Within your “Cats and Dogs United” organization

  • That occurred only in the Build stage

  • Within the past 24 hours and

  • That has a threat level of 7 or higher

Select the applicable checkboxes, and voilà! Plus, here’s a cool feature – if you anticipate needing to run the same set of filter options on your violations list again in the near future, you can save the filter set in the top dropdown of the filter window for later use.

The filter feature is consistent across each of the tabbed views, meaning when you filter one tab of data, you are actually filtering all of the tabs in order to extract the same information. There are some tab-specific filters, though. The option that allows you to filter based on waiver expiration is an example. If a tab-specific filter is applied, it will not impact the information presented on the other tabs.

Components Tab

The Components tab lists the 100 highest-risk components across all of your applications. Right off the bat, the first column, Apps, tells you how many of your apps contain the flagged component. You can then take this list and, if you’d like a nomination for “Colleague of the Year”, use it to proactively help your team by identifying any upgrade paths. This does the heavy lifting for the team so they can simply substitute the preferred version. Talk about time-savings.

The columns that follow show the component’s aggregated risk, highlighted by a heat map: the darker the box color, the higher the aggregated risk. You may be asking “What does ‘aggregated risk’ mean?” We use this phrase for the total amount of risk a component brings across all stages and all levels of your organization hierarchy. It indicates the degree to which that component affects your organization as a whole and can help you prioritize where to begin your remediation efforts.

Applications Tab

Similar to the Components tab, the Applications tab uses a heat map to highlight the applications in your portfolio with the highest aggregated risk to help you focus your remediation-prioritization efforts on an application basis. Again, the darker the color of the “Total Risk” box, the higher the risk of the overall application. Use this information to identify which of your applications need prioritized attention; address the risk associated with the darker-colored “Total Risk” boxes first and foremost. Then, after you have a remediation plan in place for those applications, you can focus on the next ones in the color-risk-spectrum hierarchy (darkest to lightest = higher risk to lower risk).
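The filtering and ranking described in the three preceding sections, worked through as an added example. This is not Lifecycle’s own code: the CSV column names, the sample rows, and the fixed clock are all constructed here, and summing threat levels is this example’s stand-in for Lifecycle’s aggregated-risk calculation, which the page does not spell out. It applies the Violations tab’s example filter (organization, application, Build stage, past 24 hours, threat level 7 or higher) to an exported violations list, then builds the per-component view (apps affected plus aggregated risk) and per-application view that the Components and Applications tabs rank.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a violations CSV export from the dashboard.
# The column names are an assumption made for this example, not Lifecycle's
# real export schema; check the header row of your own export and adjust.
SAMPLE_VIOLATIONS_CSV = """\
organization,application,stage,component,threat_level,opened_at
Cats and Dogs United,finance-api,build,log4j-core:2.14.1,10,2024-05-02T09:15:00Z
Cats and Dogs United,finance-api,build,jackson-databind:2.9.8,8,2024-05-02T11:40:00Z
Cats and Dogs United,finance-api,stage-release,log4j-core:2.14.1,10,2024-04-28T08:00:00Z
Cats and Dogs United,adoptions-web,build,jackson-databind:2.9.8,8,2024-05-02T12:05:00Z
Cats and Dogs United,adoptions-web,build,commons-text:1.9,7,2024-05-01T16:30:00Z
Cats and Dogs United,finance-api,build,guava:19.0,5,2024-05-02T10:00:00Z
Pet Supplies Inc,billing-svc,build,log4j-core:2.14.1,10,2024-05-02T07:00:00Z
"""

# Fixed "now" so the 24-hour window in the example is reproducible.
NOW = datetime(2024, 5, 2, 18, 0, tzinfo=timezone.utc)


def load_violations(csv_text):
    """Parse the export, typing the numeric and timestamp columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["threat_level"] = int(row["threat_level"])
        row["opened_at"] = datetime.fromisoformat(row["opened_at"].replace("Z", "+00:00"))
        rows.append(row)
    return rows


def filter_violations(rows, organization=None, application=None, stage=None,
                      within_hours=None, min_threat=None, now=NOW):
    """Dashboard-style filter: every criterion that is supplied must match.
    Results come back sorted by threat level, highest first, like the Violations tab."""
    cutoff = now - timedelta(hours=within_hours) if within_hours is not None else None
    matched = []
    for r in rows:
        if organization is not None and r["organization"] != organization:
            continue
        if application is not None and r["application"] != application:
            continue
        if stage is not None and r["stage"] != stage:
            continue
        if cutoff is not None and r["opened_at"] < cutoff:
            continue
        if min_threat is not None and r["threat_level"] < min_threat:
            continue
        matched.append(r)
    return sorted(matched, key=lambda r: r["threat_level"], reverse=True)


def aggregate_by_component(rows):
    """Components-tab style view: (component, number of apps containing it,
    aggregated risk), riskiest first. Aggregated risk here is the sum of threat
    levels across every app and stage; that formula is this example's assumption."""
    apps = defaultdict(set)
    risk = defaultdict(int)
    for r in rows:
        apps[r["component"]].add(r["application"])
        risk[r["component"]] += r["threat_level"]
    return sorted(((c, len(apps[c]), risk[c]) for c in risk),
                  key=lambda t: (-t[2], -t[1], t[0]))


def aggregate_by_application(rows):
    """Applications-tab style view: (application, aggregated risk), riskiest first."""
    risk = defaultdict(int)
    for r in rows:
        risk[r["application"]] += r["threat_level"]
    return sorted(risk.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    violations = load_violations(SAMPLE_VIOLATIONS_CSV)
    recent = filter_violations(violations, organization="Cats and Dogs United",
                               application="finance-api", stage="build",
                               within_hours=24, min_threat=7)
    for v in recent:
        print(f"{v['threat_level']:>2}  {v['component']}  ({v['stage']})")
    print("components:", aggregate_by_component(violations))
    print("applications:", aggregate_by_application(violations))
```

Because the dashboard caps each tab at 100 rows, running this over the CSV export rather than the on-screen list is what gives you the complete picture; the per-component output also makes the “Apps” column’s point visible, since a component found in two applications outranks a single-app component of the same threat level.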

Waivers Tab

The Waivers tab was created with proactive, mindful monitoring in mind. Many users may use this tab simply to view a list of their current policy waivers. However, there are other things to know about this tab that can aid in your prioritization and remediation efforts:

  • Filter the list of waivers by expiration date to identify those that will soon expire. This will help you maintain a seamless process of waiver renewal or at least determine which waivers can passively expire. This is great if you’re someone who loves to plan ahead.

  • Each waiver’s scope is shown, whether it applies to an application, an organization, or the root organization.

  • A violation can have more than one waiver in place.

  • Stale waivers – those that are still active but that do not currently have any components in scope – remain visible no matter what. This means that, if a component ever falls within the waiver’s scope, the waiver will automatically be applied to that component.

  • For Sonatype Firewall users, the waivers tab shows waivers scoped to repositories.

Use Case #2: Auditing Your Overall Risk

Another customer use case for the Lifecycle dashboard is using it to audit the organization’s open-source risk. They seek a birds-eye view of how their organization’s risk has changed – for better or for worse – since the last time they looked. This involves reviewing their applications’ latest policy violations and managing their existing and soon-to-expire policy waivers. As with the previous use case, we will explore each dashboard tab and demonstrate how they can help you in this endeavor.

Workflow (by dashboard tab)

Violations Tab

The Violations tab offers the ultimate “birds-eye view” on the IQ dashboard. It lists all violations across all of your apps, sorted by threat level by default, so you are presented with the 100 highest-risk violations in your application portfolio. Again, if you want to view the entire list (i.e. beyond the first 100), you can export it as a CSV file by clicking the link in the upper right portion of the dashboard. You have flexibility in how you view this list since each column here is sortable. In other words, if you’d rather see the violations listed in descending order of age, simply click that column’s heading. Each violation row can, of course, be opened for more detail by double-clicking it.

Components Tab & Applications Tab

The Components tab and the Applications Tab both present their data in the same way – through a color-coded heat map where the darkest color indicates the greatest aggregated risk. From this higher-level view, you can quickly see which specific components pose the greatest risk to your applications. You can also see the number of applications that are affected by that specific component, which indicates how widespread the risk caused by that component is.

Similarly, the Applications Tab shows you a list of all of your applications, ordered by the most risk-laden among your application portfolio. The heat map indicator is also used here to identify (by a block’s color saturation) which of your applications has the highest aggregated risk (see what we mean by “aggregated risk” above in the components tab portion of the first use case).

Waivers Tab

The Waivers tab offers a similar birds-eye view but shows specifically the waivers you currently have in place. By using the filter options, you can also extract information such as the following:

  • Expiring waivers

  • Stale waivers

  • Overly broad waivers where the scope is set higher than it should be

  • Waivers without an upgrade path

  • Permanent waivers

Other waiver-related details that are helpful when auditing your overall risk include seeing who is adding waivers, assessing the completeness of a waiver (i.e. are the necessary details provided and are those details well documented?), and checking on whether all waivers are still applicable. All in all, when auditing your overall risk, this is yet another dashboard view that provides quick insight into where your applications stand with risk.
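The waiver review described in the Waivers tab sections of both use cases, as an added example rather than Lifecycle’s own code. The CSV columns, the sample waivers, the fixed date and the rule for “overly broad” (scope set at organization or root organization) are assumptions constructed here; check your own export’s header row before relying on the column names. It sorts an exported waiver list into the buckets discussed above (expiring soon, permanent, overly broad, no upgrade path, stale, undocumented) and reports who is adding waivers. Stale waivers are only flagged; per the note at the top of the page, deleting them currently requires the Stale Waiver REST API.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample shaped like a waivers CSV export. The columns are an
# assumption made for this example, not Lifecycle's real export schema.
# An empty expires_at means the waiver is permanent; in_scope_components is
# the number of components the waiver currently matches (0 means stale).
SAMPLE_WAIVERS_CSV = """\
waiver_id,scope,owner,policy,component,expires_at,has_upgrade_path,in_scope_components,created_by,comment
w-1,application,finance-api,Security-High,log4j-core:2.14.1,2024-05-05,true,1,alice,Upgrade scheduled for sprint 42
w-2,organization,Cats and Dogs United,Security-High,jackson-databind:2.9.8,2024-06-30,true,2,bob,
w-3,root organization,Root Organization,License-Copyleft,*,,false,14,carol,Approved by legal
w-4,application,adoptions-web,Security-Critical,commons-text:1.9,2024-12-31,false,1,alice,No fix released yet
w-5,application,finance-api,Security-Medium,guava:19.0,2024-09-01,true,0,dave,Removed in refactor
"""

TODAY = date(2024, 5, 2)  # fixed clock so the expiry checks are reproducible
# Scopes treated as "overly broad" in this example (an assumption: your policy may differ).
BROAD_SCOPES = {"organization", "root organization"}


def load_waivers(csv_text):
    """Parse the export, typing the date, boolean and count columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["expires_at"] = date.fromisoformat(row["expires_at"]) if row["expires_at"] else None
        row["has_upgrade_path"] = row["has_upgrade_path"].strip().lower() == "true"
        row["in_scope_components"] = int(row["in_scope_components"])
        rows.append(row)
    return rows


def audit_waivers(rows, today=TODAY, expiring_within_days=7):
    """Group waiver IDs into the review buckets from the Waivers tab discussion.
    A waiver can land in several buckets at once."""
    horizon = today + timedelta(days=expiring_within_days)
    findings = {"expiring": [], "expired": [], "permanent": [], "overly_broad": [],
                "no_upgrade_path": [], "stale": [], "undocumented": []}
    for w in rows:
        wid = w["waiver_id"]
        if w["expires_at"] is None:
            findings["permanent"].append(wid)
        elif w["expires_at"] < today:
            findings["expired"].append(wid)          # already lapsed; should no longer apply
        elif w["expires_at"] <= horizon:
            findings["expiring"].append(wid)         # renew deliberately or let it lapse
        if w["scope"] in BROAD_SCOPES:
            findings["overly_broad"].append(wid)     # waives the violation for every app below
        if not w["has_upgrade_path"]:
            findings["no_upgrade_path"].append(wid)  # nothing to migrate to yet; revisit
        if w["in_scope_components"] == 0:
            findings["stale"].append(wid)            # still active, will re-apply if a match appears
        if not w["comment"].strip():
            findings["undocumented"].append(wid)     # no justification recorded
    return findings


def waivers_by_author(rows):
    """Who is adding waivers: (author, count), busiest first."""
    counts = {}
    for w in rows:
        counts[w["created_by"]] = counts.get(w["created_by"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    waivers = load_waivers(SAMPLE_WAIVERS_CSV)
    for bucket, ids in audit_waivers(waivers).items():
        print(f"{bucket:>16}: {', '.join(ids) or '-'}")
    print("by author:", waivers_by_author(waivers))
```

Run against the export rather than the on-screen list for the same reason as with violations: the tab shows at most 100 waivers, and a quiet root-organization waiver sitting past that cutoff is exactly the kind of thing an audit should catch.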

Conclusion

Is your mind spinning with delight over the myriad ways you can utilize the Lifecycle dashboard? Whether you use the dashboard to gain a larger, birds-eye view of your applications’ risk or, instead, need to find specific details about a component’s or application’s risk, the dashboard is the ace in your pocket. From the rich filtering capabilities to the heat-map visualization of your aggregated risk, you may find that disrupting your muscle memory’s normal path leads you to discover parts unknown in your quest to keep your apps at their healthiest.