What Are Waivers?
Waivers are a feature of Sonatype Lifecycle and Repository Firewall that stop a specific policy violation from being flagged in scans. You use one when you decide to accept the risk of that violation rather than remediate it.
It's important to understand that waivers don't make your applications more secure, more stable, or better designed, and they don't eliminate licensing concerns. The violation still exists; a waiver simply gives you a way to formally accept, and record, the risk that the component brings in.
Waiver Use Cases
You'll use waivers when you decide to accept the risk reported in the context of your application. This might be necessary when there is no path forward for a violating component: it can't be updated, switched out, or fixed. It might also be the case when remediation has no priority; for example, remediating the app is outside the budget, or the app is a legacy app that won't receive any further development.
You'll also use waivers when a violation can't or doesn't impact your application because of its specific context. For example:
- Your application has a license policy violation, but the application will only be used internally, so the licensing issue doesn't apply
- Your application has an architectural policy violation, but it's a legacy app and the violating component won't or can't be removed
- Your application has a security policy violation, but you've mitigated the vulnerability elsewhere in your app
Finally, you'll use waivers when you intend to remediate or otherwise handle a violation but need more time or bandwidth to do so. For example, a developer may estimate that replacing a vulnerable component with a non-vulnerable one will take two weeks. In this scenario, you may choose to waive the violation for two weeks. This removes the violation from reports during that period (improving the signal-to-noise ratio) and creates a record of the remediation effort that can be integrated with your issue-tracking solution.
Good waiver usage has three primary benefits:
- Improves the signal-to-noise ratio of your reports
- Serves as a record of the risk that was accepted (and, by extension, the risk that was not)
- Creates a DevOps-focused avenue for discussion between developers and the individuals with waiving privileges
These benefits depend on the waiver carrying a written justification and, where remediation is planned, an expiry date, so that the decision is revisited when the waiver lapses rather than silently extended.