The CLM Book - Optimized Component Lifecycle Management with Sonatype CLM
The attach goal scans the dependencies and build artifacts of a project and attaches the results to the project as another artifact in the form of a scan.xml.gz file. It contains all the checksums for the dependencies and their classes, plus further meta information, and can be found in the target/sonatype-clm directory. A separate scan.xml.gz file is generated for each Maven module in an aggregator project in which the plugin is executed.
This attachment causes the file to be part of any Maven install and deploy invocation. When the deployment is executed against a Sonatype Nexus CLM Edition server, the artifact is used to evaluate policies against the components included in the evaluation.
To use this goal, add an execution for it in the POM, e.g. as part of a profile used during releases:
    <build>
      <plugins>
        <plugin>
          <groupId>com.sonatype.clm</groupId>
          <artifactId>clm-maven-plugin</artifactId>
          <version>2.1.1</version>
          <executions>
            <execution>
              <goals>
                <goal>attach</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
Once configured in your project, the build log will contain messages similar to:

    [INFO] --- clm-maven-plugin:2.1.1:attach (default) @ test-app ---
    [INFO] Starting scan...
    [INFO] Scanning ...plexus-utils-3.0.jar
    [INFO] Scanning ...maven-settings-3.0.jar...
    [INFO] Scanning target/test-app-1.0-SNAPSHOT.jar...
    [INFO] Saved module scan to /opt/test-app/target/sonatype-clm/scan.xml.gz
The attachment of the scan.xml.gz file as a build artifact causes it to be stored in the local repository as well as in the deployment repository manager or the Nexus staging repository, with a name ending in -sonatype-clm-scan.xml.gz. This file will be picked up by Sonatype Nexus CLM Edition and used in the policy analysis during the staging process. It improves the analysis, since Sonatype CLM for Maven is able to create a complete dependency list rather than relying on binary build artifacts.
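Because policy evaluation depends on every module actually producing its scan.xml.gz, a build-side check that no module silently skipped the attach goal is worth having. The following is an added example, not part of the CLM Book or the plugin; it walks an aggregator project, treats every pom.xml as a module, and verifies that target/sonatype-clm/scan.xml.gz exists and is a gzip stream containing XML. It assumes that modules with packaging "pom" build no artifact and therefore need no scan, and it checks only the container format, not the scan's element names; build_sample_project writes a constructed layout for demonstration.

```python
import gzip
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SCAN_REL_PATH = Path("target") / "sonatype-clm" / "scan.xml.gz"

def _packaging(pom_path):
    """Read <packaging> from a pom.xml; Maven's default is 'jar'."""
    for child in ET.parse(pom_path).getroot():
        if child.tag.split("}")[-1] == "packaging":
            return (child.text or "jar").strip()
    return "jar"

def check_scan(module_dir):
    """None when target/sonatype-clm/scan.xml.gz is present and is gzip that
    parses as XML; otherwise a short reason. Only the container format is
    checked; the scan's element names are not assumed here."""
    scan = Path(module_dir) / SCAN_REL_PATH
    if not scan.is_file():
        return "missing"
    try:
        with gzip.open(scan, "rb") as fh:
            ET.fromstring(fh.read())
    except (OSError, EOFError, ET.ParseError) as exc:
        return f"unreadable: {exc}"
    return None

def find_missing_scans(root):
    """Map each artifact-producing module (path relative to root) to its
    problem. Assumption: aggregator/parent modules with <packaging>pom
    build no artifact, so no scan is expected from them."""
    root = Path(root)
    problems = {}
    for pom in root.rglob("pom.xml"):
        # skip copies under target/ and pom-packaged aggregators/parents
        if "target" in pom.relative_to(root).parts or _packaging(pom) == "pom":
            continue
        problem = check_scan(pom.parent)
        if problem is not None:
            problems[str(pom.parent.relative_to(root))] = problem
    return problems

def build_sample_project(base=None):
    """Constructed aggregator layout (not real Sonatype CLM output): 'core'
    has a usable scan, 'web' has none, 'api' has a corrupt one."""
    base = Path(base or tempfile.mkdtemp())
    (base / "pom.xml").write_text("<project><packaging>pom</packaging></project>")
    for name in ("core", "web", "api"):
        (base / name).mkdir()
        (base / name / "pom.xml").write_text("<project><packaging>jar</packaging></project>")
    good = base / "core" / SCAN_REL_PATH
    good.parent.mkdir(parents=True)
    with gzip.open(good, "wb") as fh:
        fh.write(b"<scan/>")
    bad = base / "api" / SCAN_REL_PATH
    bad.parent.mkdir(parents=True)
    bad.write_bytes(b"not a gzip stream")
    return base
```

Run find_missing_scans(build_sample_project()) to see the constructed layout report "web" as missing and "api" as unreadable while "core" and the pom-packaged root pass.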