The CLM Book - Optimized Component Lifecycle Management with Sonatype CLM
When evaluating a Maven-based software project, Sonatype CLM for Maven can take
advantage of the dependency information contained in the project’s pom.xml
files and the information about transitive dependencies available to Maven.
The index goal of Sonatype CLM for Maven allows you to identify component
dependencies and makes this information available to Sonatype CLM CI tools (e.g.
Sonatype CLM for Hudson/Jenkins or Bamboo). You can invoke an execution of the
index goal manually as part of your command line invocation by executing the
index goal after the package phase:
mvn clean install com.sonatype.clm:clm-maven-plugin:index
Alternatively, you can configure the execution in the pom.xml file's build
section or in a profile's build section.
<build>
  <plugins>
    <plugin>
      <groupId>com.sonatype.clm</groupId>
      <artifactId>clm-maven-plugin</artifactId>
      <version>2.1.1</version>
      <executions>
        <execution>
          <goals>
            <goal>index</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
With the above configuration, a normal Maven build execution with e.g. mvn clean
install will trigger the CLM plugin to be executed in the package phase and
result in a log output similar to:
[INFO] --- clm-maven-plugin:2.1.1:index (default) @ test-app ---
[INFO] Saved module information to /opt/test-app/target/sonatype-clm/module.xml
If you want to manually configure the lifecycle phase to execute the
plugin, you have to choose a phase after package.
The generated module.xml file contains the information that will be
picked up by Sonatype CLM for CI and incorporated into the CLM
evaluation. This improves the analysis since Sonatype CLM for Maven is
able to create a complete dependency list rather than relying on
binary build artifacts.
By default only dependencies in the
When using the Sonatype CLM Maven plugin and the index goal, module
information files are created. If desired, you can exclude some of the modules
from being evaluated. For example, you may want to exclude modules that support
your tests and don't contribute to the distributed application binary.
The default location where the module information files are stored is
${project.build.directory}/sonatype-clm/module.xml.
In the supported CI tool, you will see a section labeled Module Excludes. In
this area, use a comma-separated list of Apache Ant styled patterns
relative to the workspace root that denote the module information files
(**/sonatype-clm/module.xml) to be ignored.
Here’s an example of the pattern described above:
**/my-module/target/**, **/another-module/target/**
If unspecified, all modules will contribute dependency information (if any) to the evaluation.
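Because an excluded module contributes no dependency information to the evaluation, it is worth previewing what a Module Excludes value drops before saving it. The following is an added example, not part of Sonatype CLM or of this book: the function names and the sample paths are assumptions, and the matcher follows general Ant pattern semantics rather than the CI tool's own code.

```python
"""Preview which module.xml files a Module Excludes value would drop."""
from fnmatch import fnmatchcase


def _match(pat, path):
    # Match lists of path segments; "**" stands for zero or more directories.
    if not pat:
        return not path
    if pat[0] == "**":
        return any(_match(pat[1:], path[i:]) for i in range(len(path) + 1))
    # fnmatchcase also honours [..] classes, which Ant does not; avoid brackets.
    return bool(path) and fnmatchcase(path[0], pat[0]) and _match(pat[1:], path[1:])


def ant_match(pattern, rel_path):
    """True if a workspace-relative path matches one Ant-style pattern."""
    pattern = pattern.strip().replace("\\", "/")
    if pattern.endswith("/"):
        pattern += "**"  # Ant shorthand: "dir/" means "dir/**"
    pat = [seg for seg in pattern.split("/") if seg]
    path = [seg for seg in rel_path.replace("\\", "/").split("/") if seg]
    return _match(pat, path)


def split_modules(module_files, excludes):
    """Return (evaluated, excluded); excluded maps path -> matching pattern."""
    patterns = [p.strip() for p in excludes.split(",") if p.strip()]
    evaluated, excluded = [], {}
    for path in module_files:
        hit = next((p for p in patterns if ant_match(p, path)), None)
        if hit is None:
            evaluated.append(path)
        else:
            excluded[path] = hit
    return evaluated, excluded


# Constructed sample: module information files found under a workspace root.
SAMPLE_FILES = [
    "core/target/sonatype-clm/module.xml",
    "my-module/target/sonatype-clm/module.xml",
    "services/another-module/target/sonatype-clm/module.xml",
    "not-my-module/target/sonatype-clm/module.xml",
]
# Exclude value taken from the example pattern on this page.
PAGE_EXCLUDES = "**/my-module/target/**, **/another-module/target/**"

if __name__ == "__main__":
    evaluated, excluded = split_modules(SAMPLE_FILES, PAGE_EXCLUDES)
    print("evaluated:", *evaluated, sep="\n  ")
    for path, pattern in excluded.items():
        print(f"excluded: {path}  (by {pattern})")
```

A broad value such as **/target/** matches every module information file in the sample, so no module would be evaluated; review the excluded list for modules that ship in the application binary.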