The CLM Book - Optimized Component Lifecycle Management with Sonatype CLM
The evaluate goal scans the dependencies and build artifacts of a project and directly submits the information to a Sonatype CLM Server for policy evaluation. If a policy violation is found and the CLM stage is configured to Fail, the Maven build will fail. If invoked for an aggregator project, dependencies of all child modules will be considered.
The evaluate goal requires the Sonatype CLM Server URL as well as the application identifier to be configured. Optionally a CLM stage can be configured.
The command line arguments are:

- clm.serverUrl - the URL for the CLM server; this parameter is required.
- clm.serverId - used for authentication and must match the id given to the CLM Server specified in your Maven settings.
- clm.username - the username used to authenticate access to the CLM server. This is not required when using clm.serverId, but can be used to overwrite those settings.
- clm.password - the password for the username indicated above. This is not required when using clm.serverId, but can be used to overwrite those settings.
- clm.applicationId - the application identifier for the application to run policy against; this parameter is required.
- clm.resultFile - the path for specifying the location of a JSON file where the following information will be stored:
  - applicationId : Application ID
  - scanId : Organization ID
  - reportHtmlUrl : URL to the HTML version of the report
  - reportPdfUrl : URL to the PDF version of the report
  - reportDataUrl : URL to the Data version of the report (for use via CURL, or similar tool)
- clm.stage - the stage to run policy against, with the possible values of develop, build, stage-release, release and operate, and a default value of build.
- clm.additionalScopes - the additional scopes you would like CLM to include components from during the evaluation. Values include test, provided, and system. In cases where you want to include more than one of these, separate the list using a comma (see examples below).
An example invocation is:
mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.additionalScopes=test,provided,system -Dclm.applicationId=test -Dclm.serverUrl=http://localhost:8070
You can avoid specifying the parameters on the command line by adding them to your settings.xml or pom.xml as properties:

<properties>
  <clm.serverUrl>http://localhost:8070</clm.serverUrl>
  <clm.applicationId>test</clm.applicationId>
</properties>
Sonatype CLM for Maven can be executed against an aggregator project. When executed in an aggregator project, it calculates the dependencies and transitive dependencies of all child modules and takes all of them into account for the policy evaluation.
The evaluate goal logs its activity and provides the location of the generated report:

[INFO] --- clm-maven-plugin:2.1.1:evaluate (default) @ test-app ---
[INFO] Starting scan...
[INFO] Scanning ../repository/org/codehaus/plexus/plexus-utils/3.0/plexus-utils-3.0.jar...
[INFO] Scanning ../repository/org/apache/maven/maven-settings/3.0/maven-settings-3.0.jar...
[INFO] Scanning target/test-app-1.0-SNAPSHOT.jar...
[INFO] Saved module scan to /opt/test-app/target/sonatype-clm/scan.xml.gz
[INFO] Uploading scan to http://localhost:8070 ...
[INFO] Evaluating policies... (ETA 5s)
[INFO] Policy Action: None
Summary of policy violations: 0 critical, 0 severe, 0 moderate
The detailed report can be viewed online at http://localhost:8070/ui/links/application/test/report/f4582a1570634dc2ac8
Note: The evaluate goal cannot be bound to a lifecycle phase.
After a successful build the report can be accessed in the Sonatype CLM server under the application that was configured. A direct link is provided in the log.
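The log summary and the clm.resultFile JSON described above are the two machine-readable outputs a CI job can consume after the evaluate goal has run. The following script is an added example, not part of The CLM Book or the clm-maven-plugin: it parses the "Summary of policy violations" line, the "Policy Action" line and the report link out of a captured build log, validates that the result file carries the five documented keys, and applies a client-side threshold on top of whatever the CLM stage's own Fail action does. The sample log and the sample result file embedded in it are constructed for the demonstration; the scan and report identifiers are placeholders, and the PDF and data URL forms are invented for the sample only.

```python
"""Consume the outputs of the clm-maven-plugin evaluate goal from a CI job.

Added example for The CLM Book; not code from Sonatype or the plugin.
"""
import json
import re
from pathlib import Path

# Patterns for the three log lines the evaluate goal emits that matter to a CI gate
SUMMARY_RE = re.compile(
    r"Summary of policy violations:\s*(\d+) critical,\s*(\d+) severe,\s*(\d+) moderate"
)
ACTION_RE = re.compile(r"Policy Action:\s*(\S+)")
REPORT_RE = re.compile(r"can be viewed online at (\S+)")

# Keys the page documents for the file written via -Dclm.resultFile=...
REQUIRED_RESULT_KEYS = ("applicationId", "scanId", "reportHtmlUrl", "reportPdfUrl", "reportDataUrl")

# Constructed sample log in the shape of the evaluate goal's output (not a real run)
SAMPLE_LOG = """\
[INFO] --- clm-maven-plugin:2.1.1:evaluate (default) @ test-app ---
[INFO] Starting scan...
[INFO] Scanning target/test-app-1.0-SNAPSHOT.jar...
[INFO] Uploading scan to http://localhost:8070 ...
[INFO] Evaluating policies... (ETA 5s)
[INFO] Policy Action: None
Summary of policy violations: 2 critical, 1 severe, 3 moderate
The detailed report can be viewed online at http://localhost:8070/ui/links/application/test/report/EXAMPLE-REPORT-ID
"""

# Constructed sample result file; identifiers and URL suffixes are placeholders
SAMPLE_RESULT_JSON = """{
  "applicationId": "test",
  "scanId": "EXAMPLE-SCAN-ID",
  "reportHtmlUrl": "http://localhost:8070/ui/links/application/test/report/EXAMPLE-REPORT-ID",
  "reportPdfUrl": "http://localhost:8070/EXAMPLE-PDF-URL",
  "reportDataUrl": "http://localhost:8070/EXAMPLE-DATA-URL"
}"""


def parse_evaluate_log(text):
    """Extract violation counts, policy action and report link from a build log."""
    m = SUMMARY_RE.search(text)
    if m is None:
        raise ValueError("no policy violation summary in log; did the evaluate goal run?")
    critical, severe, moderate = (int(g) for g in m.groups())
    action = ACTION_RE.search(text)
    report = REPORT_RE.search(text)
    return {
        "critical": critical,
        "severe": severe,
        "moderate": moderate,
        "policy_action": action.group(1) if action else None,
        "report_url": report.group(1) if report else None,
    }


def parse_result(text):
    """Parse the clm.resultFile JSON and insist on the documented keys."""
    data = json.loads(text)
    missing = [k for k in REQUIRED_RESULT_KEYS if k not in data]
    if missing:
        raise ValueError("result file is missing keys: " + ", ".join(missing))
    return data


def load_result_file(path):
    return parse_result(Path(path).read_text(encoding="utf-8"))


def exceeds_thresholds(summary, max_critical=0, max_severe=0, max_moderate=None):
    """Client-side gate: True when the counts are above what this pipeline tolerates."""
    if summary["critical"] > max_critical:
        return True
    if summary["severe"] > max_severe:
        return True
    if max_moderate is not None and summary["moderate"] > max_moderate:
        return True
    return False


def main(log_path, result_path):
    """Return a process exit code: 0 when within thresholds, 1 otherwise."""
    summary = parse_evaluate_log(Path(log_path).read_text(encoding="utf-8"))
    result = load_result_file(result_path)
    print(f"scan {result['scanId']} for {result['applicationId']}: {summary}")
    print(f"HTML report: {result['reportHtmlUrl']}")
    return 1 if exceeds_thresholds(summary) else 0


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        sys.exit(main(sys.argv[1], sys.argv[2]))
    # No arguments: show the parsers on the constructed samples
    s = parse_evaluate_log(SAMPLE_LOG)
    r = parse_result(SAMPLE_RESULT_JSON)
    print(s, r["reportHtmlUrl"], "gate fails:", exceeds_thresholds(s))
```

Run it as `python ci_gate.py build.log target/clm-result.json` after an invocation such as `mvn ... clm-maven-plugin:evaluate -Dclm.resultFile=target/clm-result.json` with the Maven output captured to build.log. The threshold defaults refuse any critical or severe finding; they are deliberately independent of the stage's configured action so the gate still holds when a stage is set to Warn rather than Fail.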
To configure authentication to the CLM Server, you will need to add your Sonatype CLM Server information to your Maven settings.xml file:

<settings>
  ...
  <servers>
    <server>
      <id>clm_server</id>
      <username>my_clm_login</username>
      <password>my_clm_password</password>
    </server>
    ...
  </servers>
  ...
</settings>
Note: In our example we have not encrypted our password. Encrypting it is generally recommended; the Apache Maven project provides instructions for password encryption. Additionally, username and password can still be specified at the command line, and will be used in place of these settings.
If you happen to use the plugin frequently by running it manually on the command line and want to shorten the command line even more, you can add a plugin group entry to your Maven settings.xml file:

<settings>
  ...
  <pluginGroups>
    <pluginGroup>com.sonatype.clm</pluginGroup>
    ...
  </pluginGroups>
  ...
</settings>
This enables you to invoke the plugin using its shorthand prefix form:
mvn ... clm:index
The clm.skip parameter can be used when a CLM plugin execution is configured in your project's pom.xml file, but you want to avoid the execution for a particular build. An example execution is:
mvn clean install -Dclm.skip=true
The parameter can also be set in your IDE configuration for Maven build executions or as a property in your settings.xml or pom.xml:

<properties>
  <clm.skip>true</clm.skip>
</properties>