Documentation Nexus IQ Server 1.19

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

20.3. Creating a Component Info Archive for Nexus Pro CLM Edition

The attach goal scans the dependencies and build artifacts of a project and attaches the results to the project as another artifact in the form of a scan.xml.gz file. It contains all the checksums for the dependencies and their classes and further meta information and can be found in the target/sonatype-clm directory. A separate scan.xml.gz file is generated for each maven module in an aggregator project in which the plugin is executed.

This attachment causes the file to be part of any Maven install and deploy invocation. When the deployment is executed against a Sonatype Nexus CLM Edition server the artifact is used to evaluate policies against the components included in the evaluation.

To use this goal, add an execution for it in the POM, e.g. as part of a profile used during releases:

 <build>
    <plugins>
      <plugin>
        <groupId>com.sonatype.clm</groupId>
        <artifactId>clm-maven-plugin</artifactId>
        <version>2.4.2</version>
        <executions>
          <execution>
            <goals>
            <goal>attach</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

Once configured in your project, the build log will contain messages similar to

[INFO] --- clm-maven-plugin:2.4.2:attach (default) @ test-app ---
[INFO] Starting scan...
[INFO] Scanning ...plexus-utils-3.0.jar
[INFO] Scanning ...maven-settings-3.0.jar...
[INFO] Scanning target/test-app-1.0-SNAPSHOT.jar...
[INFO] Saved module scan to /opt/test-app/target/sonatype-clm/scan.xml.gz

The attachment of the scan.xml.gz file as a build artifact causes it to be stored in the local repository as well as the deployment repository manager or the Nexus staging repository ending with -sonatype-clm-scan.xml.gz. This file will be picked up by Sonatype Nexus CLM Edition and used in the policy analysis during the staging process. It improves the analysis since Sonatype CLM for Maven is able to create a complete dependency list rather than relying on binary build artifacts.