The evaluate goal scans the dependencies and build artifacts of a project and directly submits the information to a Sonatype CLM Server for policy evaluation. If a policy violation is found and the CLM stage is configured to Fail, the Maven build will fail. If invoked for an aggregator project, dependencies of all child modules will be considered.
The evaluate goal requires the Sonatype CLM Server URL as well as the application identifier to be configured. Optionally a CLM stage can be configured.
The command line arguments are:

clm.serverUrl
    the URL of the Sonatype CLM Server to which the scan is submitted.

clm.serverId
    the id of a server entry in your Maven settings.xml from which the username and password are read.

clm.username
    the username used to authenticate access to the CLM server. This is not required when using clm.serverId.

clm.password
    the password for the username indicated above. This is not required when using clm.serverId.

clm.applicationId
    the identifier of the application, as configured in the CLM server, against which the policies are evaluated.

clm.resultFile
    the path of a JSON file in which information about the evaluation result is stored.

clm.stage
    the CLM stage to evaluate against, one of develop, build, stage-release, release and operate, with a default value of build.

clm.additionalScopes
    additional Maven dependency scopes to include in the scan: test, provided, and system. In cases where you want to include more than one of these, separate the list using a comma (see examples below).
An example invocation is:
mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.additionalScopes=test,provided,system -Dclm.applicationId=test -Dclm.serverUrl=http://localhost:8070
You can avoid specifying the parameters on the command line by adding them to your settings.xml or pom.xml as properties:

<properties>
  <clm.serverUrl>http://localhost:8070</clm.serverUrl>
  <clm.applicationId>test</clm.applicationId>
</properties>
Sonatype CLM for Maven can be executed against an aggregator project. When executed in an aggregator project, it calculates the dependencies and transitive dependencies of all child modules and takes all of them into account for the policy evaluation.
The evaluate goal logs its activity and provides the location of the generated report:

[INFO] --- clm-maven-plugin:2.5.1-01:evaluate (default) @ test-app ---
[INFO] Starting scan...
[INFO] Scanning ../repository/org/codehaus/plexus/plexus-utils/3.0/plexus-utils-3.0.jar...
[INFO] Scanning ../repository/org/apache/maven/maven-settings/3.0/maven-settings-3.0.jar...
[INFO] Scanning target/test-app-1.0-SNAPSHOT.jar...
[INFO] Saved module scan to /opt/test-app/target/sonatype-clm/scan.xml.gz
[INFO] Uploading scan to http://localhost:8070 ...
[INFO] Evaluating policies... (ETA 5s)
[INFO] Policy Action: None
Summary of policy violations: 0 critical, 0 severe, 0 moderate
The detailed report can be viewed online at http://localhost:8070/ui/links/application/test/report/f4582a1570634dc2ac8
Note: The evaluate goal cannot be bound to a lifecycle phase.

After a successful build the report can be accessed in the Sonatype CLM server under the application that was configured. A direct link is provided in the log.
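The policy summary and report link in that log are what a CI job has to act on, and a stage configured to Warn rather than Fail will not break the Maven build on its own. The following script is an added example and not part of the Sonatype documentation or the plugin: it parses the policy summary, the policy action and the report URL out of clm:evaluate output in the format shown above and applies a local threshold gate. The embedded log lines are constructed (with non-zero counts, unlike the clean run above), and the threshold policy and the function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the tail of a clm:evaluate log in the format shown on
# this page, with the counts changed so the gate has something to reject.
SAMPLE_LOG = """\
[INFO] --- clm-maven-plugin:2.5.1-01:evaluate (default) @ test-app ---
[INFO] Starting scan...
[INFO] Scanning target/test-app-1.0-SNAPSHOT.jar...
[INFO] Saved module scan to /opt/test-app/target/sonatype-clm/scan.xml.gz
[INFO] Uploading scan to http://localhost:8070 ...
[INFO] Evaluating policies... (ETA 5s)
[INFO] Policy Action: Warn
Summary of policy violations: 1 critical, 2 severe, 0 moderate
The detailed report can be viewed online at http://localhost:8070/ui/links/application/test/report/f4582a1570634dc2ac8
"""

SUMMARY_RE = re.compile(
    r"Summary of policy violations:\s*(\d+) critical,\s*(\d+) severe,\s*(\d+) moderate"
)
ACTION_RE = re.compile(r"Policy Action:\s*(\S+)")
REPORT_RE = re.compile(r"The detailed report can be viewed online at (\S+)")


@dataclass
class EvaluationResult:
    critical: int
    severe: int
    moderate: int
    action: Optional[str]
    report_url: Optional[str]


def parse_evaluate_log(text: str) -> EvaluationResult:
    """Extract the policy summary, action and report link from clm:evaluate output.

    Raises ValueError when the summary line is missing, so a truncated or
    failed run is never mistaken for a clean evaluation.
    """
    m = SUMMARY_RE.search(text)
    if m is None:
        raise ValueError("no 'Summary of policy violations' line found in log")
    action = ACTION_RE.search(text)
    report = REPORT_RE.search(text)
    return EvaluationResult(
        critical=int(m.group(1)),
        severe=int(m.group(2)),
        moderate=int(m.group(3)),
        action=action.group(1) if action else None,
        report_url=report.group(1) if report else None,
    )


def gate(result: EvaluationResult, max_critical: int = 0, max_severe: int = 0) -> bool:
    """Return True if the build may proceed under a local threshold policy.

    The thresholds are an assumption of this example; they let a pipeline
    fail on violations even when the CLM stage is configured to Warn.
    """
    return result.critical <= max_critical and result.severe <= max_severe


if __name__ == "__main__":
    # Typical use: pipe the Maven log into this script and use its exit code.
    res = parse_evaluate_log(SAMPLE_LOG)
    print(f"action={res.action} critical={res.critical} "
          f"severe={res.severe} moderate={res.moderate}")
    print(f"report: {res.report_url}")
    raise SystemExit(0 if gate(res) else 1)
```

In a real pipeline the script would read the captured `mvn ... evaluate` output instead of SAMPLE_LOG; the point of raising on a missing summary line is that an upload or server error must not pass the gate silently.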
To configure authentication to the CLM Server, you will need to add your Sonatype CLM Server information to your Maven settings.xml file:

<settings>
  ...
  <servers>
    <server>
      <id>clm_server</id>
      <username>my_clm_login</username>
      <password>my_clm_password</password>
    </server>
    ...
  </servers>
  ...
</settings>
In our example we have not encrypted our password. Encrypting it is generally recommended; the Apache Maven project provides instructions for password encryption. Additionally, username and password can still be specified at the command line, and will then be used in place of these settings.
If you happen to use the plugin frequently by running it manually on the command line and want to shorten the command line even more, you can add a plugin group entry to your Maven settings.xml file:

<settings>
  ...
  <pluginGroups>
    <pluginGroup>com.sonatype.clm</pluginGroup>
    ...
  </pluginGroups>
  ...
</settings>
This enables you to invoke the plugin's goals using the shorthand prefix form, for example:

mvn ... clm:index

or, for the goal described here, clm:evaluate.
The clm.skip parameter can be used when a CLM plugin execution is configured in your project's pom.xml file, but you want to avoid the execution for a particular build. An example execution is:
mvn clean install -Dclm.skip=true
The parameter can also be set in your IDE configuration for Maven build executions or as a property in your settings.xml or pom.xml:
<properties> <clm.skip>true</clm.skip> </properties>
Copyright © 2008-present, Sonatype Inc. All rights reserved.