Nexus IQ for Azure DevOps

Installation

  1. Sign in to your Azure DevOps account at https://dev.azure.com
  2. At the bottom left corner, you should see an "Organization settings" button:



  3. From the left-hand side menu choose "Extensions":




  4. Click "Browse Marketplace" button in the top right corner of the page:




  5. You're going to be redirected at the Azure DevOps Extensions marketplace
  6. Enter "Nexus IQ" in the search box and you should find the Nexus IQ extension
  7. After clicking on found Nexus IQ extension, you'll be redirected on the extension's page
  8. Click on the green "Get" button, after that the installation process will be initiated
  9. Follow the installation steps and when it is done you should see that Nexus IQ extension is presented in the "Organization Settings" page:

Update to a new version

Usually, if a new version of the extension has appeared on the Azure Marketplace, it is updated automatically,
but there are some cases, when there is a change in access permissions for the extension in Azure DevOps and a user should approve that manually.
This process is easy, just go to the "Organization settings" → "Extensions" (the same menu from the "Installation" section) and in the "Installed" extension tab
you should see an "Action required" message. Click on the Nexus IQ extension and then on the "Review" button. After the last action, a menu with scope changes should appear.
Click the "Authorize" button and your extension will be updated to a new version.

Configuration

Service Configuration

  1. Proceed to your project in Azure DevOps
  2. The first thing we need to configure is a connection to IQ Server
  3. Go to the "Project Settings" in the bottom left corner
  4. Choose "Service Connections" from the menu which appeared:




  5. Click "New Service Connection" button and choose "Nexus IQ" from the list of connections:




  6. Enter the URL and credentials for your Nexus IQ server in the pop-up window and click "OK" button:




YAML Pipeline Configuration

  1. Now choose "Pipelines" → "Builds" from the left-hand side menu:




  2. If you don't have it already, create a "New build pipeline":




  3. You should see the following screen now:



  4. Choose a repository where you host your project from the list above and follow the steps until the pipeline is created
  5. Now let's "Edit" a build pipeline:




  6. The last action should open an azure-pipelines.yml file
  7. Search for "Nexus IQ" in the search box on the right-hand side of the page:




  8. Click on found Nexus IQ task extension, you should see a configuration screen:



  9. Fill out all the fields in the configuration page from the above screenshot:
    - Nexus IQ service/server endpoint (configured previously)
    - Application ID: ID of application to evaluate against as configured in Nexus IQ
    - Stage:  Stage to evaluate against
    - Scan Targets: Targets to perform policy evaluation listed as comma seperated glob patterns
    - Fail build when unable to communicate with IQ Server: Azure DevOps pipelines build result behavior
  10. (Optional) Advanced Options
    - Java System Properties: Command line arguments to alter the behavior of the JVM. e.g. -Djava.net.useSystemProxies=false
  11. Hit the "Add" button, after that, you should see all inputs will be reflected in the YAML file
  12. Now you can save your build by clicking the "Save" button in the right top corner of the page:




  13. The configuration of the Nexus IQ extension is finished on this and you can run your builds with policy evaluation in place

Classic Pipeline Configuration

There is a possibility to use an older (classic) editor during the creation of a new pipeline in Pipelines → Build

Following the 1st step from the YAML Configuration of this guide, you can choose "Using the classic editor to create a pipeline without YAML":


Provided you followed the next steps and created a pipeline in classic mode, you can add the Nexus IQ pipeline task by clicking on the plus icon in the "Agent job" tile:


The following configuration of the Nexus IQ task is the same as in the 11-14 steps of the previous section.

Note: There is one thing you should enable for the Nexus IQ extension to render information in widgets correctly:
enable the "Allow scripts to access the OAuth token" checkbox. It is located under the "Agent job" tile:


Policy Evaluation

Now that you have configured Nexus IQ extension, you can start running policy evaluation as a part of your build.

Try to run a build and observe that among other tasks you also have a "NexusIqPipelineTask":

Accessing/Viewing Results

Now, if you open NexusIqPipelineTask you'll see a console output with results of the evaluation:

You can find a summary of the policy evaluation as well as the link to the detailed report at the IQ Server side.

You can also observe the summary of the evaluation at the "Summary" tab of that page, it looks like this:


Besides the "Summary" tab, there is a "Nexus IQ Build Failure Report" tab. Try to switch to it as well.
There is a detailed report with all the components and their correspondent violations which looks like this:


Dashboard widgets

Let's take a look at one more feature of Azure DevOps UI, which is called "Dashboards" (go to the "Overview" → "Dashboards").
At this section, you can add various UI widgets to your project. Of course, such a widget also exists for "Nexus IQ".

  1. Click the "Edit" button, this should switch you to the edit mode
  2. At the right-hand side search for the "Nexus IQ" widget:



  3. Select it and hit the "Add" button at the bottom right corner of the page
  4. Click the "Done editing" button, which will switch you back from the editing mode
  5. You should see the "Nexus IQ Policy Summary" widget up and running

The widget you add here looks the same as in the summary page for each build, but that one always shows the latest build summary results.

There is another widget available for you which shows a history of Nexus IQ Policy evaluation of last 5 builds: "Trends for Nexus IQ Policy Evaluation"
Just follow the same steps as in the case with the "Latest Nexus IQ Policy Evaluation" widget and you should see a similar picture as below: