Documentation Nexus IQ Server 1.34

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

24.3. Evaluating an Application

Now that you have the Nexus IQ CLI set up, you are ready to evaluate an application. The application can be an archive file, a directory containing such archives or a Docker image.

As a Java application, it can be started using the java command, and adding the necessary parameters. The syntax below represents the minimum set of options required to evaluate an application.

If the application is an archive or directory:

java -jar [nexus-iq-cli jar] -i [application id] -s [server URL] [target]

For Docker images, there are two approaches. The first approach is to use Docker to save the Docker image as a tar archive. The second approach requires a Twistlock environment.

Use the Docker CLI to save a Docker image:

docker save -o [target] [image name]

Then, evaluate the resulting tarred repository as you would an archive as described above.

To use Twistlock:

java -cp [nexus-iq-cli jar] com.sonatype.insight.scan.cli.TwistlockPolicyEvaluatorCli -i [application id] -s [server URL] --twistlock-scanner-executable [Twistlock scanner executable] --twistlock-console-url [Twistlock console URL] --twistlock-console-username [Twistlock console username] --twistlock-console-password [Twistlock console password] [target]

nexus-iq-cli jar
This is the path to the Nexus IQ CLI jar file e.g. ./nexus-iq-cli-1.34.0.jar.
--authentication
Using the switch -a, enter the user name:password (e.g. MyUserName:MyUserPassword).
[Note]

Authentication will permit (or prevent) the ability to submit an application for evaluation, as well as retrieve the summary results and URL.

--pki-authentication
Delegate to the JVM for authentication.
--application-id
Using the switch -i, enter the application id for your application (see instructions above).
--server-url
Using the switch -s, enter the location of your IQ Server (e.g. http://localhost:8070).
Target
This is the path to a specific application archive file, a directory containing such archives or the ID of a Docker image. For archives, a number of formats are supported, including jar, war, ear, tar, tar.gz, zip and many others.
--twistlock-scanner-executable
The path to the Twistlock scanner binary, e.g. /opt/twistlock/twistlock-scanner
--twistlock-console-url
The URL for the Twistlock console, e.g. https://localhost:8083
--twistlock-console-username
The user name used to connect to the Twistlock console.
--twistlock-console-password
The password for the user name used to connect to the Twistlock console.
[Tip]

The --stage option, listed under Additional Parameters below, lets you specify which stage the evaluation belongs to. If you do not include this option, the Build stage is used by default.

24.3.1. Additional Parameters

There are several additional options that can be used in the construction of the syntax for evaluating an application with the Nexus IQ CLI.

--fail-on-policy-warnings
Using the switch -w causes the evaluation to fail if any policy warnings are encountered. By default, this is set to false.
--ignore-system-errors
Using the switch -e allows you to ignore any system errors (e.g. I/O, network, server, etc.). This is most helpful when using the Nexus IQ CLI with continuous integration servers, as these errors can otherwise cause the unintentional failure of a build.
--proxy
Using the switch -p, you can specify a proxy to use in connecting to the IQ Server. The format is <host[:port]>.
--proxy-user
Using the switch -U, you can specify credentials for the proxy. The format is <username:password>.
--result-file
Using the switch -r, you can specify the name and location of a JSON file that will store the results of the policy evaluation in a machine-readable format.
--stage
Using the switch -t, you can specify the stage you wish the report to be associated with. This is an optional parameter, and if it is not specified, the report will be associated with the Build stage by default.
[Note]

At this time only the Build, Stage Release, and Release stages will display a report in the IQ Server Reports area. For a full list of stages, use the CLI help provided with the tool.

--twistlock-tlsverify
Pass the --tlsverify param to the Twistlock scanner, e.g. "--twistlock-tlsverify false" will pass "--tlsverify=false" to the Twistlock scanner.

24.3.2. Loading Parameters from a File

The parameters can be passed to the Nexus IQ CLI via a file. To do that, you specify the file name prefixed by an @ character, e.g. @some/path/myparamfile.

  • The file uses the JVM’s default character encoding.
  • Parameters specified on the command line can be mixed with parameters specified in a file.
  • There can be any number of parameter files.

Inside a parameter file:

  • Parameter names and their values must be on separate lines.
  • Both short and long parameter names are supported.
  • File paths within the parameter file are relative to the current working directory of the process, not to the parameter file. Absolute file paths are supported as well.
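The following script is an added example, not Sonatype's own code, that ties together the evaluation command from 24.3, the docker save approach for images, and the parameter-file mechanism from 24.3.2. It uses the parameter file to hold the -a credentials so that they never appear on the java command line (where any local user could read them from the process list) and writes that file with mode 0600. The jar path, application id, server URL and the IQ_USER/IQ_PASSWORD environment variables are placeholders and assumptions; the result file name iq-result.json is likewise chosen here, not prescribed by the documentation.

```shell
#!/bin/sh
# Added example (not part of the Nexus IQ documentation): run the Nexus IQ CLI
# from a CI job with the credentials kept in a parameter file (@file).
# Placeholders / assumptions: the jar path, application id and server URL below,
# and the IQ_USER / IQ_PASSWORD variables supplied by the CI secret store.

IQ_CLI_JAR="${IQ_CLI_JAR:-./nexus-iq-cli-1.34.0.jar}"   # placeholder jar path
IQ_APP_ID="${IQ_APP_ID:-my-app}"                         # placeholder application id
IQ_SERVER_URL="${IQ_SERVER_URL:-http://localhost:8070}"  # placeholder server URL
IQ_RESULT_FILE="${IQ_RESULT_FILE:-iq-result.json}"       # chosen here, not mandated

# Write a parameter file in the layout 24.3.2 describes: every parameter name
# and every value on its own line. The file is created under umask 077 (mode
# 0600) so only the CI user can read the user:password pair, and it is never
# echoed to the build log. Prints the file path.
write_param_file() {
    file="$1"; user="$2"; password="$3"; stage="$4"
    (umask 077; : > "$file")
    # -a user:password, -t <stage>, -e (ignore system errors in CI)
    printf '%s\n' "-a" "$user:$password" "-t" "$stage" "-e" >> "$file"
    echo "$file"
}

# Classify the target the way the documentation distinguishes them: a directory
# of archives, a single archive file, or (anything that is not a local path)
# a Docker image ID / name.
iq_target_kind() {
    target="$1"
    if [ -d "$target" ]; then
        echo "directory"
    elif [ -f "$target" ]; then
        echo "archive"
    else
        echo "docker-image"
    fi
}

# Evaluate an archive or directory. Credentials come from "@$param_file";
# only non-secret options are on the command line.
evaluate_archive() {
    param_file="$1"; target="$2"
    java -jar "$IQ_CLI_JAR" -i "$IQ_APP_ID" -s "$IQ_SERVER_URL" \
        -r "$IQ_RESULT_FILE" "@$param_file" "$target"
}

# Evaluate a Docker image via the first approach in 24.3: docker save the image
# to a tar archive, then evaluate that tar like any other archive.
evaluate_docker_image() {
    param_file="$1"; image="$2"
    tarball="$(mktemp "${TMPDIR:-/tmp}/iq-image.XXXXXX")"
    docker save -o "$tarball" "$image" || { rm -f "$tarball"; return 1; }
    evaluate_archive "$param_file" "$tarball"
    status=$?
    rm -f "$tarball"          # do not leave image layers lying around
    return $status
}

# Dispatch on the target kind; the parameter file is removed afterwards so the
# credentials do not persist in the workspace.
evaluate() {
    target="$1"; stage="${2:-build}"
    param_file="$(write_param_file "$(mktemp "${TMPDIR:-/tmp}/iq-params.XXXXXX")" \
                  "$IQ_USER" "$IQ_PASSWORD" "$stage")"
    case "$(iq_target_kind "$target")" in
        docker-image) evaluate_docker_image "$param_file" "$target" ;;
        *)            evaluate_archive "$param_file" "$target" ;;
    esac
    status=$?
    rm -f "$param_file"
    return $status
}

# Usage from a CI step (assumes IQ_USER and IQ_PASSWORD are exported):
#   . ./iq-evaluate.sh && evaluate target/my-app.war build
#   . ./iq-evaluate.sh && evaluate my-registry/my-app:1.2.3 release
```

Because the CLI treats paths inside a parameter file as relative to the working directory of the process, the script only puts option values (credentials, stage, the -e switch) in the file and keeps the target path on the command line, where it is resolved exactly as the documentation describes.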