What is Lifecycle Foundation?
This guide is written for users of Lifecycle Foundation, which is a lighter version of Nexus Lifecycle. A Lifecycle Foundation license provides a subset of IQ Server functionality designed to support a focus on visibility and analysis of open source risk. This lets you focus on assessment, in particular identifying and reporting security risk. You can then get on an upgrade path to a full Lifecycle license when you’re ready for policy enforcement in your DevOps pipeline.
This guide will help:
- IQ Server users (project owners, administrators, and developers) identify the features, and limitations, associated with a Lifecycle Foundation license.
- Project owners and administrators be prepared for a Lifecycle Foundation implementation best suited for their organization.
- IQ Server users discover how they can use Lifecycle Foundation to mitigate risk in their applications.
Licensing and Features
Lifecycle Foundation is available in IQ Server release 60 and up. The following licenses are available:
- Lifecycle Foundation
- Lifecycle Foundation + Firewall for Nexus Repository Manager
- Lifecycle Foundation + Firewall for Artifactory
With any of the Lifecycle Foundation licenses, there are many features available. With Foundation, you can:
- Create customized policies for security, license, and quality standards.
- Integrate with existing CI/CD tools.
- Automatically create an application composition report, or a software bill of materials, to visualize risk and policy violations.
- Leverage the Nexus Intelligence engine to provide remediation guidance including the use of waivers and license overrides.
However, there are some limitations with this license. Lifecycle Foundation does not let you:
- Integrate policy information and remediation guidance in a developer’s IDE.
- Include support for any automatic enforcement of policy like failing a build, or sending alerts, or automatically creating Jira tickets.
- Provide continuous monitoring of applications that are in production, to identify new risk in existing pre- approved components.
- Grandfather, or baseline, any existing violations when onboarding new applications.
The following table further outlines the features, and limitations, of a Nexus Lifecycle Foundation license:
|Software bill of materials||Yes||Yes|
|Integration via webhooks||Yes||No|
As you can see, Lifecycle Foundation has many of the same features as Lifecycle. Any functionality not available with this license appears disabled in the UI, and is inaccessible.
Figure 1: Various areas of Lifecycle Foundation are inaccessible, including IDE integration, notifications, webhooks, policy enforcement, grandfathering, and continuous monitoring.
How do I prepare for a successful implementation?
The basic setup for Lifecycle Foundation is to purchase a license and then install IQ Server. Once you have your license, we recommend checking out the Getting Started guide in our help docs to see steps you can take for a successful Lifecycle Foundation implementation.
How can I use Lifecycle Foundation to be more secure?
The goal of Lifecycle Foundation is to provide automatic reporting and auditing by leveraging superior Nexus intelligence. Knowing what’s in your applications will help you determine what you should fix to make them more secure.
Lifecycle Foundation gives you access to the IQ Server policy engine. Policy is what IQ Server uses to identify risk associated with open source, third-party, or proprietary components that may enter your repositories or exist in your applications.
Policies are defined as a set of rules that let you know when certain conditions are met. With Lifecycle Foundation, you can use the provided reference policies, and / or create your own organizational policies, but you do not have access to policy actions (warn/fail), application baseline via the grandfathering feature, or automatic notifications through email or JIRA. You can gain access to these features by upgrading to a full Lifecycle license.
Bill of Materials
With Lifecycle Foundation, you can produce a bill of materials (BOM) via the Application Composition Report. This report represents the health of your application and serves as a point-in-time output of risk associated with components in a specific application. The report includes information on how the application complies with established policies in your organization.
You can also review the health of applications you manage via the Dashboard. The Lifecycle Dashboard lets you apply filters like violations found within a specific stage or policy type. Applying these filters shows you results for the information you need, letting you focus on a remediation plan.
Applying policy and producing a bill of materials is important, but to be secure, you need to address remediation. Remediating risk starts with improved component selection based on data. This data is generally found in the Component Information Panel or CIP, which is available from the Lifecycle Foundation user interface. The CIP displays remediation suggestions with Sonatype’s enriched data and guidance.
While a Lifecycle Foundation license gives you information to start remediating, please note that you will not have access to the more robust remediation of a full license. Features such as developer lead fixing via IDE integration, continuous monitoring of applications, and grandfathering applications are available upon upgrade.
For more information, please see the Getting Started with Remediation technical guide.
NOTE: The Getting Started with Remediation guide is based on a full Lifecycle license. Certain features (policy actions, notifications, grandfathering, etc.) are not accessible with a Foundation license.
Talk to Us
If you’re ready to upgrade to a full Lifecycle license, please contact Sonatype Support.
And visit my.sonatype.com for all things Sonatype.