Nudges and Anomalies
The Nudges and Anomalies Insight provides metrics about Sonatype Lifecycle platform usage. The goal is to reveal patterns and trends in your overall remediation efforts through a set of simple and informative data cards. You can reference the cards live or download them into an external report.
The Nudges and Anomalies insight supports a number of outcomes.
- Executive sponsors need easy-to-read information to ensure that the organization is complying with open-source governance policies.
- Comparing your existing metrics to Sonatype's recommendations allows you to identify areas for improvement and support good habits you already have.
- Undesirable results can help you effect change in your organization and track your efforts to improve.
What these outcomes have in common is that the closer you align to our best practice recommendations, the more value you'll see from the platform.
This data may change or become unavailable without notice.
To see the Nudges and Anomalies Insight on your IQ Server, you'll need to be a Lifecycle customer.
Click the cogwheel icon in the top right-hand corner of the browser UI, then click Data Insights at the bottom.
You'll be brought to the Data Insights landing page. Click Nudges and Anomalies on the left.
Reading the Cards
The cards are sized identically and follow this format:
- Card title
- Change in metric
- Alignment to industry best practice
- Details behind the measurement
As this insight is developed, the goal is to color-code the cards so that
Use the Print/Download button at the top right to save the insight as a PDF.
Cards in the Deck
| Card title | Description | Best practice |
|---|---|---|
| App Management | Change in the number of new applications during the period | A reduction in the number of new applications could indicate a stalled onboarding effort. |
| Scanning Rate | Scanning frequency of applications per month | Scan applications regularly to keep risk information up to date. Exemplars scan their apps 20x or more per month. |
| Scanning Coverage | Percentage of total apps scanned at least once per week | Exemplars scan at least 90% of their onboarded apps at least once per week. Configure Continuous Monitoring for applications that are not built at least once a week. |
| Risk Ratio | Average number of critical violations per application | Exemplars have a risk ratio below 10. A high ratio is a sign that technical-debt tickets are not keeping pace with new development. Budget for an increased focus on reducing technical debt. |
| Fixing Rate | Change in applications with critical violations | New violations are common, but the average risk should decrease over the period when teams are actively remediating. Violations that have been deferred should be waived until they can be addressed, to keep noise out of scan reports. |
| Backlog Rate | Fixing rate divided by discovery rate, expressed as a percentage | When the backlog rate is below 100%, violations are being discovered faster than they are fixed, so the backlog is growing. |
| Discovery Rate | Average critical violations discovered per app per month | Choose new components without violations when possible. Upgrade to newer versions that have no critical violations. |
Some or all of these cards may not be visible to you. This is expected behavior. Card data is generated from a combination of your scans and scanning behavior and Sonatype's own data ingestion process. If you don't see a card, your installation most likely has a combination of data (or a lack of it) that does not allow your IQ Server to display the insight. Usually the best course is to continue scanning as normal and check the insight again later.