Documentation Nexus IQ Server 1.34


Chapter 23. Sonatype CLM for SonarQube


The topics discussed in this chapter require IQ Server with the Lifecycle license.


The rebranding and renaming of Sonatype CLM to Nexus IQ Server started with the 1.17 release. You may still see references to Sonatype CLM in the product or documentation. We realize this may cause some confusion, and appreciate your patience as we move forward.

IQ Server integrates with a wide range of external enforcement points that include continuous integration servers (Hudson/Jenkins, Bamboo, the CLI and Maven), the IDEs (Eclipse and IntelliJ IDEA), and repository management (Nexus).

The enforcement points are common stages of the development lifecycle, and in IQ Server each one represents a unique stage. This gives IQ Server an invaluable integration with the industry-standard tools that already improve your business and development process. It also means your team has greater overall control in identifying and reducing open source component risk.

Better component usage doesn’t just lead to risk reduction; it also leads to better applications. This ties closely to code analysis and to tools such as SonarQube.

As a user of SonarQube, you know firsthand the impact that principles such as the 7 Axes of Code Quality can have on the applications and projects your teams create. In parallel, as a user of IQ Server you also know that policy management is a critical and essential part of open source component usage.

Sonatype CLM for SonarQube brings both of these together, and in this chapter we’ll cover everything you need to get going as quickly as possible. This includes:

  • Download, installation, and configuration
  • Application Composition Report access

Figure 23.1. SonarQube Overview


See the Requirements Chapter for information on Sonatype CLM for SonarQube supported versions.