Sonatype CLM - CI User Guide

3.4. Setting Up the Scanner in Your CI

We won’t cover a specific CI here. In general, all you need to identify in your CI is where to add a build step that runs a simple shell script while your application is being built.

Once you are there, make sure your script calls the CLI scanner using the following syntax:

java -jar [ScannerJar] -i [AppID] -e [IgnoreSystemErrors] -w [FailOnPolicyWarning] -s [ServerURL] [Target]

Each part of the syntax above is described in more detail below.

ScannerJar
the path to the Sonatype CLM Scanner jar file, e.g. ./sonatype-clm-scanner-1.7.0-02.jar
AppID
the application identifier determined in Section 3.3, “Locating Your Application Identifier”
IgnoreSystemErrors
an optional feature that will allow you to continue a build even if the CLM scanner encounters an error (e.g. the CLM server can’t be contacted).
FailOnPolicyWarning
an optional feature that allows you to fail a build if a policy triggers a warning alert. (Policy error alerts always fail the build.)
ServerURL
the URL of your Sonatype CLM Server, e.g. http://localhost:8070
Target
the path to a specific application archive file or a directory containing such archives. Archive files in a number of formats, including jar, war, ear, tar, tar.gz, zip and many others, are supported for scans.

Tip

In addition to the functionality described here, the stand-alone scanner can be used to scan applications directly from the CLI. To display the scanner’s help, run it without any parameters: java -jar ./sonatype-clm-scanner.jar

In a typical setup, your command will look similar to this:

java -jar /scanner/sonatype-clm-scanner.jar -i tester123 -s http://localhost:8070 ./target/sample-app.war

Now, when your application is built, the build step you have added calls the stand-alone Sonatype CLM scanner, scans your application, and uploads the results of the latest scan to the Sonatype CLM Server. By default, the report is placed below the build column in the Reports and Application area of the Sonatype CLM Server, for your application.

Note

We advise you to use a separate application identifier for each of your unique applications. Report results are overwritten each time an application is built; if several applications share the same identifier, they overwrite each other’s reports, and matching the latest scan to the right application can prove difficult.