Resources Blog Smarter policy and advanced component search with Sonatype ...

Smarter policy and advanced component search with Sonatype Lifecycle updates

In March 2022, we talked about improvements to the Sonatype Lifecycle policy tools and waivers. This month we've taken another step forward with better policy and waiver controls. This update helps development teams manage open source software components more easily across their projects.

Sonatype Lifecycle improves your development pipeline with management tools that enhance quality and speed delivery, all at scale. This release goes beyond Sonatype Lifecycle's advanced reporting to enhanced searching, and makes policies even more flexible within your existing development tools.

Customized policy

Sonatype Platform helps ensure that teams are only using the safest and most legally compliant software components, but flexibility is key. Different teams inside your organization have different risk profiles that may justify unique policies.

Just about every organization has a diverse set of projects ranging from internal tools that don't see the light of day, to crucial software exposed to the internet. For mission-critical application teams, smart and effective security notifications are part of the process. If those same notifications and policy enforcement are applied to internally accessed applications in use by small teams, it could unnecessarily delay releases.

You need smarter software that reacts to your team’s needs and requirements.

Policy enforcement override

Sonatype Lifecycle now lets you override corporate policy settings when onboarding new projects to adapt policy enforcement to those specific projects. While providing this flexibility, policy waivers provide all necessary tracking to make sure that the right controls are maintained and nothing crucial is missed.

Policy Enforcement Override will enable customers to onboard applications at scale, while continuing to build software. You can choose to inherit some or all of the base controls, including current waivers and license standards (pictured below).


Sonatype’s Policy Override configuration screen

More controls for security waivers

While Sonatype Lifecycle automates many features of the development process for better open source security, some decisions are fully human. The best software tools flag issues for developers within their workflow but without making demands. This keeps development teams in the driver's seat, for example when a problematic software component:

  • Is used within a carefully controlled environment
  • Has no real alternative

With Sonatype Lifecycle, security teams can permit developers to make exceptions, or Waivers, to set aside security and license alerts.


Example violation Waiver

Option to Waive All Versions

Teams can now create waivers not just for a specific release, but all versions. Current customers can access this by selecting All Components from the Add Waiver screen inside Sonatype Lifecycle, as below.


Add waiver screen with the new "All Components" option

Waivers can still be issued for a limited time to ensure they are reviewed again, but a waiver can be created without expiration if necessary.


Screenshot of available Waiver timeframes

This helps address vulnerabilities in necessary component software that cannot be remediated. Waive All Versions helps developers by:

  • Reducing distractions for known issues
  • Freeing up energy spent on managing waivers for also-vulnerable versions

More on Sonatype Lifecycle Enhanced Policy Waivers

Advanced search enhancements

During the Log4Shell incident, security leaders wanted to quickly identify every instance of the Log4j component, including safe versions. To address this need, Sonatype Lifecycle's search tool now finds all components in your development lifecycle, not just those marked with a vulnerable status.

Other benefits to better search:

  • Improve maintainability - showing developers what components the organization is already using
  • Software categories - look at all software used in (for example) telemetry, logging, or authentication
  • Resolve compatibility issues - find and resolve beyond just violations, looking at compatibility, less-than-ideal licenses, or yet-to-be-published CVEs


Advanced search prompt screen with available search tags


Search results view for the "Bouncy Castle" vulnerability

Customers can also export search results to a standard comma-separated spreadsheet. This can enable internal component audits, sharing with other teams, or creation of a software supply chain management checklist.


Export results option

More information and a demonstration of Advanced Search functionality from is in the video below:

"Have you Heard" Advanced Search video.

All this functionality will be released in version 140 in early July, with the Release Notes updated upon release.

About Sonatype Lifecycle

Sonatype Lifecycle is a complete software supply chain management solution that works within your development pipeline. It empowers developers to find and fix open source security vulnerabilities at every stage of the software development life cycle (SDLC). Request a demo today for Sonatype Lifecycle.

Picture of Chris Good

Written by Chris Good

Chris is a Product Marketing Manager with Sonatype. Originally from Pittsburgh, PA, Chris studied Communications and Computer Science at the University of Pittsburgh. He enjoys working for Sonatype because of the culture here at the company -- it's diverse and promotes creativity. When he's not working with DevSecOps community, he loves snowboarding, cycling, and traveling.