Skip to main content

Sonatype for Bamboo Data Center

Sonatype for Bamboo Data Center integrates with Atlassian Bamboo to run policy evaluations in the build workspace. It provides instant analysis of open-source components used in every Bamboo build and generates alerts for policy violations related to quality, license, or security. This allows development teams to address open-source policy violations earlier in the development cycle and avoid unplanned rework.

atlassian_512x512.png The Sonatype for Bamboo Data Center integration is available on the Atlassian Marketplace.

Note

Sonatype for Bamboo Data Center plugin is verified by Sonatype to work on the Bamboo Data Center.

Main Features

  1. Perform a Lifecycle policy evaluation on files in the build workspace.

  2. Display scan results within Bamboo build workspace.

  3. Provide a link to a comprehensive Lifecycle policy evaluation report indicating violation details and remediation recommendations.

Requirements

  • Install and start IQ Server.

  • Create an organization and at least one application in IQ Server.

  • Evaluate the application at least once (see Manual Application Evaluation.)

Installation

Download latest version:

Important

When migrated from Bamboo Server to Bamboo Data Center from version 2.42.0-01 or previous versions, uninstall the previous plugin and re-install a data center-compatible version

The server-compatible plugin versions cannot be automatically upgraded to data center-compatible versions.

  1. Login as administrator in Bamboo and click on the gear icon in the top right toolbar.

  2. Select Add-ons from the drop-down list.

  3. In the Manage Add-ons section, click Upload Add-on/app link. A dialog opens, enabling you to specify a file, or a URL location.

  4. Choose the location of the Sonatype for Bamboo Data Center file, downloaded previously.

  5. Click Open, and then Upload button.

  6. You will see a message confirming upload of Sonatype for Bamboo Data Center.

Sonatype for Bamboo Data Center will now appear as listed under User-installed add-ons.

Tip

In most cases, pausing your Bamboo server is a good idea.

Configure Sonatype for Bamboo Data Center

 

  1. Navigate to Bamboo administration.

  2. On the left-hand navigation menu, locate Sonatype. Click on the Configuration link to open the IQ Server Configuration window:

    126655789.png
  3. Enter the IQ Server URL.

  4. Select an Authentication Method:

    1. PKI Authentication: Delegate to the JVM for authentication.

    2. User Authentication: Enter a username and password for authentication.

      Tip

      We recommend creating a unique machine account that has access to the application(s) to be linked to your Bamboo Build(s)/Plans.

  5. Click the Save button. Your configuration is saved, displaying the application(s) the user has access to.

  6. Add the Sonatype IQ task to Bamboo.

Variables and credentials

Starting from version 3.1.0, you can configure variables and credentials at the global, project, or plan level from the Bamboo administration page.

To add a variable, click on the Global variables option on the left-hand navigation menu, and enter a variable name and value.

bamboo_variables.png

To add a credential, click on the Shared credentials option on the left-hand navigation menu, and enter the a Credential name, Username, and Password.

The Credential name field is the value that will be used by the Sonatype for Bamboo Data Center plugin; make sure it's one of the supported values listed below. The Username field can be set to match the Credential Name.

bamboo_credentials.png

Sonatype for Bamboo Data Center currently supports the following credentials:

NEXUS_CONTAINER_IMAGE_REGISTRY_USER
NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD
NEXUS_CONTAINER_SCANNING_REGISTRY_USER
NEXUS_CONTAINER_SCANNING_REGISTRY_PASSWORD

Add Sonatype Lifecycle analysis task

  1. Navigate to a Bamboo Project > Plan > Stage > and then Job, select the Tasks tab, and then click on the Add task button.

    126655788.png
  2. A modal displays a list of available Task types. Lifecycle Policy Evaluation is listed in the Tests type, or you can use search to locate it.

    126655787.png
  3. Enter the following information:

    1. Task Description: to indicate what the task does.

    2. Fail build when IQ Server is unable to evaluate: check this option if you want to fail the build when an IQ evaluation cannot be performed. This could occur if IQ Server is inaccessible. If left unchecked, the build will continue normally even if no policy evaluation is performed.

      Tip

      Details of the application evaluation are provided in the job/build-specific log.

    3. Fail build when there are scanning errors: check this option if you want to fail the build when there are scanning errors. This could occur if for example there are malformed files.

    4. Organization (optional): the list of Organizations retrieved from the IQ Server. An organization ID can also be specified directly. If an organization is selected and automatic application creation is enabled, a new application will automatically be created under the selected organization, if it does not already exist on the IQ Server.

    5. Application: the list of Applications corresponds to the account used during Sonatype for Bamboo Data Center configuration. Remember, this is the Application containing the policies that components in the build will be evaluated against. An application can also be specified that is not in the list. If automatic application creation is enabled, an application with the specified ID will automatically be created if it does not already exist on the IQ Server.

    6. Stage: this corresponds to the stage you wish the policy evaluation of the application/project to be run against. Additionally, this will correspond to the stage location when viewing report information via the IQ Server. For example, if you chose the Build stage, summary and dashboard violation results will be displayed accordingly.

    7. Scan Targets: the scan targets setting allows you to control which files should be examined with an Apache Ant styled pattern. The pattern is relative to the project workspace root directory and inherits the global configuration.

    8. Module Excludes: if you are using the Sonatype CLM for Maven plugin, module files are created, and can contribute to results found during an evaluation.

      126660039.png
  4. Click the Save button. Lifecycle Policy Evaluation task now appears in the list as Final tasks.

    126655785.png

Optional: Use Bamboo Specs to configure the Sonatype Lifecycle analysis task

You can configure/add Sonatype Lifecycle Analysis task as code, using Bamboo Specs. This way you can automate your build plans by fetching its configuration from a file inside the repository.

  1. Bamboo looks for either bamboo-specs/bamboo.yml or bamboo-specs/bamboo.yaml files. You should have them created in your repository.

  2. Go to Bamboo Administration (gear icon) > Linked repositories, select the repository containing the .yaml file, click the Bamboo Specs tab and activate the Scan for Bamboo Specs button. This allows Bamboo to scan the linked repository for Specs.

  3. Here is a sample .yaml file for a build plan executing two tasks (refer section under tasks):

    version: 2
    plan:
      project-key: PK
      key: IQ
      name: SonatypePlan
      description: Integrating Sonatype for Bamboo Data Center
    stages:
    - Default Stage:
        manual: false
        final: false
        jobs:
        - Default Job
    Default Job:
      key: JOB1
      tasks:
      - checkout:
          force-clean-build: 'false'
          description: Checkout Default Repository
      - maven:
          executable: Maven 3
          jdk: JDK 17.0.4
          goal: clean test
          tests: 'true'
          description: Clean Test Sample Project
      artifact-subscriptions: []
    repositories:
    - SampleRepository:
        scope: global
    triggers:
    - polling:
        period: '180'
    branches:
      create: manually
      delete: never
      link-to-jira: true
    notifications: []
    labels: []
    dependencies:
      require-all-stages-passing: false
      enabled-for-branches: true
      block-strategy: none
      plans: []
    other:
      concurrent-build-plugin: system-default
  4. To add the Lifecycle Policy Evaluation Task, you add block any-task containing the Lifecycle configuration, undertaskssection of the spec:

    - any-task:
          plugin-key: com.sonatype.clm.ci.bamboo:clm-scan-task
              description: Bamboo Task
          configuration:
            failOnClmFailures: 'true'
            failOnScanningErrors: 'false'
            clmOrgIdType: specified
                    clmOrgId: iq-org
            clmAppIdType: specified
                    clmAppId: iq-app
                    clmStageType: specified
            clmStageTypeId: build
            clmScanTargets: '**/*.jar'        
            clmModuleExcludes: '**/my-module/target/**'

    Lifecycle Policy Evaluation Task Configuration Properties:

    Key

    Description

    Required

    Accepted values

    plugin-key

    The plugin identifier within Bamboo: The plugin's module used in the task. You can find the Sonatype plugin information in the Add-ons/apps administration section in Bamboo.

    true

    com.sonatype.clm.ci.bamboo:clm-scan-task

    description

    The task description to remember what the task does.

    false

    Default: empty

    failOnClmFailures

    If set to true the build will fail when a Lifecycle evaluation can’t be performed or if for any reason the evaluation is not generated.

    false

    • true

    • false (default)

    failOnScanningErrors

    If set to true, the build will fail when errors are encountered during a scan such as malformed files.

    false

    • true

    • false (default)

    clmOrgIdType

    Whether the Sonatype Organization ID is specified or selected from a list. In the Bamboo Specs scope any of the accepted values is valid.

    false

    • specified (default)

    • selected

    clmOrgId

    The Organization ID assigned in IQ Server.

    false

    Default: none

    clmAppIdType

    Whether the Sonatype Application ID is specified or selected from a list. In the Bamboo Specs scope any of the accepted values is valid.

    true

    • specified

    • selected

    clmAppId

    The Application ID assigned in IQ Server. If automatic application creation is enabled, an application with the specified ID will automatically be created if it does not exist in IQ Server.

    true

    clmStageType

    Whether the Stage the policy evaluation runs is specified or selected from a list. In the Bamboo Specs scope any of the accepted values is valid.

    true

    • specified

    • selected

    clmStageTypeId

    The Stage ID for which the policy evaluation of the application/project runs.

    true

    • develop

    • source

    • build

    • stage-release

    • release

    • operate

    clmScanTargets

    A comma-separated list of Ant-style patterns relative to the workspace root that denote the files/archives to be scanned.

    false

    Default: **/*.jar, **/*.war, **/*.ear, **/*.zip, **/*.tar.gz

    clmModuleExcludes

    A comma-separated list of Ant-style patterns relative to the workspace root that denote the module information files (**/nexus-iq/module.xml) to be ignored.

    false

    Default: none

  5. The first time you update the yaml Spec in your linked repository, you should see a successful build in the Bamboo's Plan Summary:

    126659032.png
  6. Any subsequent changes to the yaml Spec will trigger the Plan build in Bamboo and you can see the code commits in the Build Result Summary.

Evaluate Policies and View Results

Your application will be evaluated as a task during Bamboo job execution. The Job Summary page shows the results of the evaluation.

The summary results give a breakdown and count of violations for each of the 3 threat level categories:

  • Critical (threat level 8-10)

  • Severe (threat level 4-7)

  • Moderate (threat level 2-3)

The overall evaluation status is indicated by Passed, Failed, Passed with Warnings.

Click on Full Report to view a detailed report in the IQ Server.

126655782.png