Upgrading components within your project can be a tricky process. DevOps, AppSec, and legal teams need to consider multiple variables before upgrading:
Does the new version of this component pose a threat to my project's security?
What is the highest policy threat in this new version?
Is the component compliant with my organization’s legal policies?
Each of these variables has serious implications for the overall health of your software development life cycle (SDLC), so getting the decision right can determine whether a known vulnerability ships into production. Worse, the weight of these decisions can stall development and add dev-hours spent researching the proper remediation.
Sonatype's mission is to help you assemble applications with the highest quality components. We empower our users to make better, factually-informed decisions that keep their development pipeline safe and secure.
With the latest version of Sonatype Lifecycle (Release 128), we've added new development, security, and legal enhancements, as well as a revamped component remediation experience, aimed at reducing friction across the SDLC.
The new Component Details page (pictured below) greatly improves usability and access to information. It includes the Component Information Panel (CIP), which pulls intelligence previously distributed throughout Sonatype Lifecycle into a single, easily accessible interface.
Component Details page
For policy violations, we have reduced clicks to find important component information from eight to one. This speeds up the remediation process by providing all of the information necessary to research, prioritize, and resolve violations.
The Version Explorer, which highlighted popularity, breaking changes, and policy threats for a given component, is now the Compare Versions table. This improved view lets you compare the component version currently in use against a selected or desired version, side by side.
Application security and development teams can now quickly evaluate the crucial variables for each candidate version: highest policy threat, highest Common Vulnerability Scoring System (CVSS) score, license threat, integrity rating, and more, as shown in the image above. This saves hours otherwise spent evaluating component packages by hand.
In addition to the new Component Details page, we have also added a dedicated tab for our legal users, supporting the many teams involved in developing an application or keeping their companies safe with Sonatype Lifecycle. Within the new Legal tab (pictured below), you can review the effective, declared, and observed licenses detected for a component, and review all of its legal policy violations.
Legal tab flagging software license issues
This view lets teams quickly understand which legal policy violations are currently active in the project, the specific issue behind each violation, and the steps to remediate it.
The new Security tab (pictured below) also has some useful additions, starting with a table of threats and the danger they pose. Users can review every security violation found in the project and see its threat level, policy/action, constraint name, and condition.
Security tab with problem codes
The new Security tab is particularly useful for DevOps engineers who work with development teams on upgrading components and addressing the risk of new component violations. Application security engineers get a faster path to finding problems and can work more easily toward vulnerability remediation and management.
The newly designed Component Details page is aimed at increasing awareness of vulnerable components among Sonatype Lifecycle users. The consolidated information makes it easier to review and assess the risk disposition of a component across applications.
The more awareness you have of your violations (the components involved, the severity of each violation, and so on), the easier it is to reduce overall business risk.
This feature enhancement is available now to all Sonatype Lifecycle customers in the latest version (Release 128 or higher).
More information on this release.