Sonatype CLM for Maven
When evaluating a Maven-based software project, Sonatype CLM for Maven can take
advantage of the dependency information contained in the project’s pom.xml
files and the information about transitive dependencies available to Maven.
The index goal of Sonatype CLM for Maven allows you to identify component dependencies and makes this information available to Sonatype CLM CI tools (e.g. Sonatype CLM for Hudson/Jenkins or Bamboo). You can invoke an execution of the index goal manually as part of your command line invocation by executing the index goal after the package phase:

    mvn clean install com.sonatype.clm:clm-maven-plugin:index

Alternatively you can configure the execution in the pom.xml file's build section or in a profile's build section.
    <build>
      <plugins>
        <plugin>
          <groupId>com.sonatype.clm</groupId>
          <artifactId>clm-maven-plugin</artifactId>
          <version>2.1.1</version>
          <executions>
            <execution>
              <goals>
                <goal>index</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
With the above configuration a normal Maven build execution with e.g. mvn clean install will trigger the CLM plugin to be executed in the package phase and result in a log output similar to

    [INFO] --- clm-maven-plugin:2.1.1:index (default) @ test-app ---
    [INFO] Saved module information to /opt/test-app/target/sonatype-clm/module.xml

If you want to manually configure the lifecycle phase to execute the plugin, you have to choose a phase after package.
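A build that binds the index goal to a phase before package silently breaks the CI hand-off described here, so it is worth linting the pom.xml for it. The following script is an added example, not part of Sonatype's documentation or of the plugin itself: it walks the <build> section and every profile's <build> section, finds each clm-maven-plugin execution of the index goal, and flags any bound to a phase earlier than package (an execution with no <phase> is treated as the default package binding the text describes). The sample pom.xml is constructed for the example; the group and artifact IDs are the ones shown above.

```python
"""Lint a pom.xml for clm-maven-plugin:index phase bindings.

Added example, not part of Sonatype's documentation or of the plugin.
Flags index executions bound earlier than the package phase.
"""
import xml.etree.ElementTree as ET

# Maven's default lifecycle, in order.
DEFAULT_LIFECYCLE = [
    "validate", "initialize", "generate-sources", "process-sources",
    "generate-resources", "process-resources", "compile", "process-classes",
    "generate-test-sources", "process-test-sources", "generate-test-resources",
    "process-test-resources", "test-compile", "process-test-classes", "test",
    "prepare-package", "package", "pre-integration-test", "integration-test",
    "post-integration-test", "verify", "install", "deploy",
]
PACKAGE_INDEX = DEFAULT_LIFECYCLE.index("package")


def _strip_namespaces(root):
    # POM files usually carry the http://maven.apache.org/POM/4.0.0 namespace;
    # drop it so tags match by local name whether or not it is declared.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]


def _text(elem, tag):
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else None


def check_clm_executions(pom_xml):
    """Return (location, phase, ok) for each clm-maven-plugin index execution.

    ok is False when the phase is unknown or earlier than 'package'.
    A missing <phase> is the default binding, i.e. the package phase.
    """
    root = ET.fromstring(pom_xml)
    _strip_namespaces(root)
    builds = [("build", root.find("build"))]
    for profile in root.findall("profiles/profile"):
        builds.append((f"profile:{_text(profile, 'id') or '?'}", profile.find("build")))
    results = []
    for location, build in builds:
        if build is None:
            continue
        for plugin in build.findall("plugins/plugin"):
            ids = (_text(plugin, "groupId"), _text(plugin, "artifactId"))
            if ids != ("com.sonatype.clm", "clm-maven-plugin"):
                continue
            for execution in plugin.findall("executions/execution"):
                goals = [g.text.strip() for g in execution.findall("goals/goal") if g.text]
                if "index" not in goals:
                    continue
                phase = _text(execution, "phase") or "package"
                ok = phase in DEFAULT_LIFECYCLE and DEFAULT_LIFECYCLE.index(phase) >= PACKAGE_INDEX
                results.append((location, phase, ok))
    return results


# Constructed sample: a correct default binding in <build> and a profile
# that (wrongly) binds the index goal to the compile phase.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>test-app</artifactId><version>1.0</version>
  <build><plugins><plugin>
    <groupId>com.sonatype.clm</groupId><artifactId>clm-maven-plugin</artifactId>
    <version>2.1.1</version>
    <executions><execution><goals><goal>index</goal></goals></execution></executions>
  </plugin></plugins></build>
  <profiles><profile><id>early</id>
    <build><plugins><plugin>
      <groupId>com.sonatype.clm</groupId><artifactId>clm-maven-plugin</artifactId>
      <version>2.1.1</version>
      <executions><execution><phase>compile</phase>
        <goals><goal>index</goal></goals></execution></executions>
    </plugin></plugins></build>
  </profile></profiles>
</project>"""

if __name__ == "__main__":
    for location, phase, ok in check_clm_executions(SAMPLE_POM):
        print(f"{location}: index bound to {phase} -> {'ok' if ok else 'TOO EARLY'}")
```

Run it against a real pom.xml by reading the file into check_clm_executions; any tuple with ok set to False is an execution that will run before the packaged artifact exists.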
The generated module.xml
file contains the information that will be
picked up by Sonatype CLM for CI and incorporated into the CLM
evaluation. This improves the analysis since Sonatype CLM for Maven is
able to create a complete dependency list rather than relying on
binary build artifacts.
By default only dependencies in the