In this Guide
- Why Policy-Oriented Reports?
- What’s in the New Report?
- Additional Resources
The IQ Server team has redesigned the Application Composition Report in a way that highlights policy results as the core of the report. Focusing on policy summaries and details helps you and your team concentrate on remediation and reducing risk, ensuring that you’re getting the most out of your IQ Server implementation.
Policy Focused Application Report Overview Video
Use Case 1: Dev Remediates Highest Offender
Use Case 2: Dev Requests a Waiver
Use Case 3: IQ Project Owner Applies Waivers
Use Case 4: Evaluate License Policies
Existing and new IQ Server users who access the Application Composition Reports.
This includes C-level executives, security professionals, legal professionals, DevOps professionals, and software development teams.
By the end of this guide, you’ll be able to:
- Explain why the report was redesigned with a focus on policy that helps you easily identify policy breaches and understand their impact on your software supply chain.
- Know where things are located in the new report, and understand how this information is driven by your organization’s security strategy.
The new report is be available in release 65 of the IQ Server.
Why Policy-Oriented Reports?
The main driver behind the report redesign is a focus on policy. Policy at the center of the report lets you easily identify remediation effort as it aligns with your corporate security and license policy. Through customer research, the IQ Server team found that the old report focused too heavily on security and licensing data, rather than policy. Using that kind of data for analysis is a manual process, and makes remediation difficult.
The new report lets you easily answer the question “What policy violations occurred for this evaluation?”
Definitively identifying policy violations in the report, aligned with your corporate security practices, helps drive remediation of security and license violations. Although policy is now the focus, the new report still retains license and security raw data that you can use to confirm accuracy and ensure your policy is working.
What’s in the New Report?
Now that you understand the value of increased policy compliance focus, next we’ll go over what you’ll see in the new report.
|Summary: Shows you the report title, date, and high-level statistics on violation counts, identified component counts, and grandfathered violation counts.|
|Policy Violations table: This is the new summary screen. You’ll notice that it still shows the number of components identified, the number of violations, and the number of grandfathered policy violations. However, the rest of the summary screen from the legacy report has been replaced with policy-specific information. We’ve also removed some noise like popularity, age, and release history, to help you focus on the policy.|
|Aggregation: This feature is the same as the Summary vs. All views in the old report. By default, results are aggregated by component, letting you see a single component on its own line. An important difference in aggregation is around indicators for components with grandfathered and waived violations. The old report doesn’t show these indicators when aggregated by component. In the new report, when you aggregate and the component has no violations due to grandfathering or waiving, the indicator(s) display. This is important because it shows that there are no violations due to waiving or grandfathering, not because it is a truly safe component.|
|Filters: The new filters section is very similar to what we have in the dashboard. You can filter by policy type, violation state, component match state, or policy threat level. Filters are a powerful feature within the report that let you easily identify and hone-in on certain conditions. For example, to see a holistic view across all policies, you can set the policy threat level to the highest score. Or if you want to concentrate on security violations, select Security from the Policy Type filter. If you’re interested in reviewing the validity of waived risk, selecting Waived from the Violation State filter will let you see and reassess all of your waived violations. Finally, you can use the table filters to concentrate on specific policy names or components.|
|Reevaluate button and Options menu: The re-evaluate button works the same in the new report as it did in the old one — meaning it takes the data at time of analysis from the report’s existing list of components and reevaluates it against your application policy. The options menu is where you can generate a PDF copy of the report. This is also where you can access raw data for components, security, and licenses. This raw data replaces the two views that are in the old report. You can use this information to verify and check the validity of the report.|
For more information on the updated report, please see our Application Composition Report help documentation.
Prior to the changes outlined above, the IQ Server team first completed a redesign for a policy-centric version graph in the Component Information Panel, or CIP. This is already released and officially in production, but is still an important step in this process.
Earlier versions of the CIP showed vulnerabilities and licenses, but contained no information about policy. In the new CIP, each version of every component in the report runs against the policy for a given application. This results in a version graph that displays a component’s selected version information based on your organizational policy.
Along with the updated version graph, the CIP contains the same information as in old reports, but it is now displayed in a modal window. There are also new next and previous buttons that let you navigate up and down through all your entries.
The Component Info section is a great place to start planning remediation activity. The Highest Policy Threat field, located on the left side of the panel, displays the highest threat level policy that has been violated, as well as the total number of violations.
Next, you should take a close look at the graph to the right of the panel. On the heatmap, locate the row for Policy Threat. This graph displays the highest policy threat levels for each version across all policy types, with the current version identified as This Version. A breakdown of the highest policy threats for each policy type can be displayed by clicking on the Details link.
Focusing on the release graph is the simplest remediation path because it lets you easily find and upgrade to a component version better aligned with your organization’s policy. If updating isn’t an option, your next step is to focus on the Policy tab and ask for a waiver.
The IQ Server team appreciates your feedback on the new policy-centric application report. Head over to the Policy-Centric Application Report Feedback and Discussion forum in the Sonatype Community to let us know what you think about this feature enhancement.
To provide feedback on this article, or sign up to receive email alerts when new educational material is published, contact the Sonatype Customer Education team.
Other questions or comments? Learn more at my.sonatype.com.