The CLM Book - Optimized Component Lifecycle Management with Sonatype CLM
The evaluate goal scans the dependencies and build artifacts of a project and directly submits the information to a Sonatype CLM Server for policy evaluation. If a policy violation is found and the CLM stage is configured to Fail, the Maven build will fail. If invoked for an aggregator project, the dependencies of all child modules will be considered.
The evaluate goal requires the Sonatype CLM Server URL as well as the application identifier to be configured. Optionally a CLM stage can be configured.
The command line arguments are:

- clm.serverUrl - the URL for the CLM server; this parameter is required
- clm.applicationId - the application identifier for the application to run policy against; this parameter is required
- clm.resultFile - the path of a JSON file where the following information will be stored:
  - applicationId : Application ID
  - scanId : Scan ID (the identifier of this scan, which also appears as the last element of the report URL)
  - reportHtmlUrl : URL to the HTML version of the report
  - reportPdfUrl : URL to the PDF version of the report
  - reportDataUrl : URL to the data version of the report (for use via curl or a similar tool)
- clm.stage - the stage to run policy against, with the possible values develop, build, stage-release, release and operate, and a default value of build
- clm.additionalScopes - the additional scopes you would like CLM to include components from during the evaluation. Values include test, provided and system. To include more than one of these, separate the list with commas (see the examples below).
An example invocation is:
mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.additionalScopes=test,provided,system -Dclm.applicationId=test -Dclm.serverUrl=http://localhost:8070
You can avoid specifying the parameters on the command line by adding them to your settings.xml or pom.xml as properties:
<properties>
  <clm.serverUrl>http://localhost:8070</clm.serverUrl>
  <clm.applicationId>test</clm.applicationId>
</properties>
Alternatively the invocation can be configured in a pom.xml file:
<build>
  <plugins>
    <plugin>
      <groupId>com.sonatype.clm</groupId>
      <artifactId>clm-maven-plugin</artifactId>
      <version>2.1.1</version>
      <executions>
        <execution>
          <goals>
            <goal>evaluate</goal>
          </goals>
          <phase>package</phase>
          <configuration>
            <serverUrl>http://localhost:8070</serverUrl>
            <stage>build</stage>
            <applicationId>test</applicationId>
            <additionalScopes>test,provided,system</additionalScopes>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
Sonatype CLM for Maven can be executed against an aggregator project. When executed in an aggregator project, it calculates the dependencies and transitive dependencies of all child modules and takes all of them into account for the policy evaluation. It is advisable to set the inherited flag for the plugin to false to avoid duplicate runs of the plugin in each module.

Note: When bound to a lifecycle in a multi-module build, the plugin will take all dependencies of the Maven reactor into consideration for its analysis and not just the dependencies of the current module.
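As an added example (not taken from the CLM Book or from Sonatype's own documentation), the following aggregator pom.xml applies the advice above: the plugin is declared once in the parent with inherited set to false, so a single evaluate run covers the whole reactor instead of one run per module, and the server, application, stage and scope settings are supplied as properties as described earlier. The group id, module names, application id and server host name are assumed placeholders; a real deployment should point clm.serverUrl at an https endpoint rather than the plain-http localhost address used in the examples above.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Assumed coordinates for this example aggregator -->
  <groupId>com.example</groupId>
  <artifactId>example-parent</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <!-- Assumed child modules; their dependencies are all part of the reactor
       and are therefore included in the single evaluation below -->
  <modules>
    <module>example-core</module>
    <module>example-web</module>
  </modules>

  <properties>
    <!-- Plugin parameters supplied as properties instead of -D flags.
         Host name and application id are assumed placeholders. -->
    <clm.serverUrl>https://clm.example.com:8070</clm.serverUrl>
    <clm.applicationId>example-app</clm.applicationId>
    <clm.stage>build</clm.stage>
    <clm.additionalScopes>test,provided,system</clm.additionalScopes>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>com.sonatype.clm</groupId>
        <artifactId>clm-maven-plugin</artifactId>
        <version>2.1.1</version>
        <!-- inherited=false: the execution stays in the aggregator only, so the
             child modules do not each repeat the reactor-wide evaluation -->
        <inherited>false</inherited>
        <executions>
          <execution>
            <goals>
              <goal>evaluate</goal>
            </goals>
            <phase>package</phase>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running mvn package from the aggregator root then logs exactly one clm-maven-plugin:2.1.1:evaluate execution, attributed to example-parent, and the child modules build without invoking the plugin again.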
The evaluate goal logs its activity and provides the location of the generated report:

[INFO] --- clm-maven-plugin:2.1.1:evaluate (default) @ test-app ---
[WARNING] Goal 'evaluate' is not expected to be used as part of project lifecycle.
[INFO] Starting scan...
[INFO] Scanning ../repository/org/codehaus/plexus/plexus-utils/3.0/plexus-utils-3.0.jar...
[INFO] Scanning ../repository/org/apache/maven/maven-settings/3.0/maven-settings-3.0.jar...
[INFO] Scanning target/test-app-1.0-SNAPSHOT.jar...
[INFO] Saved module scan to /opt/test-app/target/sonatype-clm/scan.xml.gz
[INFO] Uploading scan to http://localhost:8070 ...
[INFO] Evaluating policies... (ETA 5s)
[INFO] Policy Action: None
Summary of policy violations: 0 critical, 0 severe, 0 moderate
The detailed report can be viewed online at http://localhost:8070/ui/links/application/test/report/f4582a1570634dc2ac8
After a successful build the report can be accessed in the Sonatype CLM server under the application that was configured. A direct link is provided in the log.