IQ for Developers 101 - Organizational Policies

Overview

Goals

This course describes organizational policies in IQ Server, and how they are used to determine and report vulnerabilities in your Open Source Software (OSS) components.

Learning Objectives

By the end of this course, you will be able to:

  • Differentiate between four main types of policies in Nexus IQ

  • Define various matches that result from the “other” policy type

  • Interpret each element of a policy

  • Describe the sections of the Application Composition Report

    • Define the sections of the Summary tab

    • Describe the data in the Policy Violations tab

Prerequisites

IQ for Developers 100 - Foundations

Target Audience

The target audience for this course includes developers, software engineers, and anyone who wants to learn more about how to interpret IQ server policies and the vulnerabilities detected by them.

System Requirements

There are no system requirements for this course. However, if you wish to learn more about the system requirements for using Nexus IQ, they are documented here:

https://help.sonatype.com/iqserver/product-information/system-requirements

Setting Expectations

For the purpose of this course, we will discuss IQ Server’s set of reference policies, which are the ‘out-of-box’ policies. While these out-of-box policies are very good and many of our customers use them as-is, other organizations create their own policies. Your organization may have policies other than those covered in this course. Consult your legal team.

Questions for Reflection

Complete the following activity. There are no right or wrong answers, just a few questions for reflection before you learn more about the benefits of IQ Server.

Activity:

1. In your current process, what are some of the defined traits of a bad component? How do you know the level of risk involved with that component?

2. What types of vulnerabilities should you avoid when selecting OSS components?

3. Do you currently have a streamlined process for constant monitoring of open source vulnerabilities in your applications?

    • If not, what are some ways that might benefit you and your organization?

    • If so, how might that be improved for faster, more accurate notification?