Sonatype for Bamboo Data Center
Sonatype for Bamboo Data Center integrates with Atlassian Bamboo to run policy evaluations in the build workspace. It provides instant analysis of open-source components used in every Bamboo build and generates alerts for policy violations related to quality, license, or security. This allows development teams to address open-source policy violations earlier in the development cycle and avoid unplanned rework.
The Sonatype for Bamboo Data Center integration is available on the Atlassian Marketplace.
Note
The Sonatype for Bamboo Data Center plugin is verified by Sonatype to work on Bamboo Data Center.
Main Features
Perform a Lifecycle policy evaluation on files in the build workspace.
Display scan results within Bamboo build workspace.
Provide a link to a comprehensive Lifecycle policy evaluation report indicating violation details and remediation recommendations.
Requirements
Install and start IQ Server.
Create an organization and at least one application in IQ Server.
Evaluate the application at least once (see Manual Application Evaluation).
Installation and Configuration
Go to the Installation and Configuration page for steps to install and set up Sonatype for Bamboo Data Center.
Variables and credentials
Starting from version 3.1.0, you can configure variables and credentials at the global, project, or plan level from the Bamboo administration page.
To add a variable, click on the Global variables option on the left-hand navigation menu, and enter a variable name and value.
To add a credential, click on the Shared credentials option on the left-hand navigation menu, and enter a Credential name, Username, and Password.
The Credential name field is the value that will be used by the Sonatype for Bamboo Data Center plugin; make sure it is one of the supported values listed below. The Username field can be set to match the Credential name.
Sonatype for Bamboo Data Center currently supports the following credentials:
NEXUS_CONTAINER_IMAGE_REGISTRY_USER
NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD
NEXUS_CONTAINER_SCANNING_REGISTRY_USER
NEXUS_CONTAINER_SCANNING_REGISTRY_PASSWORD
Add Sonatype Lifecycle analysis task
Navigate to a Bamboo Project > Plan > Stage > Job, select the Tasks tab, and then click the Add task button.
A modal displays a list of available Task types. Lifecycle Policy Evaluation is listed under the Tests type, or you can use search to locate it.
Enter the required information:
Task Description: a brief explanation of what the task does.
Disable this task: an option to disable the entire Lifecycle Policy Evaluation process, ensuring it is skipped during plan execution.
Add condition to task: an option to configure the task to execute only when a specified condition is met.
Fail build when IQ Server is unable to evaluate: check this option to fail the build when an IQ evaluation cannot be performed. This may occur if the IQ Server is inaccessible. If left unchecked, the build will continue even without a policy evaluation.
Tip
Details of the application evaluation are provided in the job/build-specific log.
Fail build when there are scanning errors: check this option if you want to fail the build when there are scanning errors. This could occur, for example, if there are malformed files.
Organization (optional): the list of Organizations retrieved from the IQ Server. An organization ID can also be specified directly. If an organization is selected and automatic application creation is enabled, a new application will automatically be created under the selected organization, if it does not already exist on the IQ Server.
Application: the list of Applications corresponds to the account used during Sonatype for Bamboo Data Center configuration. Remember, this is the Application containing the policies that components in the build will be evaluated against. An application can also be specified that is not in the list. If automatic application creation is enabled, an application with the specified ID will automatically be created if it does not already exist on the IQ Server.
Stage: the stage against which the policy evaluation of the application/project will be run. This also determines the stage under which the report appears when viewing report information in the IQ Server. For example, if you choose the Build stage, summary and dashboard violation results will be displayed under Build.
Scan Targets: the scan targets setting allows you to control which files are examined, using an Apache Ant-style pattern. The pattern is relative to the project workspace root directory and inherits the global configuration.
Advanced Options - Module Excludes: if you are using the Sonatype CLM for Maven plugin, module files are created and can contribute to the results found during an evaluation.
Java Reachability - Enable Java reachability analysis: analyze Java or JVM-language binaries to detect method signatures that belong to components with potentially exploitable security vulnerabilities. You can customize the analysis by selecting the reachability algorithm, specifying scan targets (which default to the predefined targets if left empty), choosing an entrypoint identification strategy, and defining the relevant namespaces.
Click the Save button. The Lifecycle Policy Evaluation task now appears in the list under Final tasks.
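The Scan Targets and Module Excludes fields above both take Apache Ant-style path patterns relative to the workspace root. The following is an added example, not code from the Sonatype plugin: it implements the Ant pattern rules (`**` spans zero or more directories, `*` and `?` never cross a `/`, a trailing `/` means "that directory and everything under it") and applies include and exclude patterns to a constructed, hypothetical workspace file list so you can predict which files a given pattern will hand to the evaluation. The sample paths, include list and exclude list are all assumptions made for the example.

```python
import re

def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Apache Ant-style path pattern into an anchored regex.

    Rules implemented (Ant semantics):
      **/  at any position matches zero or more whole path segments
      /**  at the end matches the directory itself or anything beneath it
      *    matches any run of characters except '/'
      ?    matches exactly one character except '/'
    A pattern ending in '/' is treated as '<pattern>/**', as Ant does.
    """
    pattern = pattern.replace("\\", "/")
    if pattern.endswith("/"):
        pattern += "**"
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*")          # zero or more directories
            i += 3
        elif pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?")             # the dir itself or its subtree
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")                   # bare ** inside a segment
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def select_scan_targets(files, includes, excludes=()):
    """Return the workspace-relative paths selected by the include patterns
    and not removed by any exclude pattern (exclude wins, as in Ant)."""
    inc = [ant_to_regex(p) for p in includes]
    exc = [ant_to_regex(p) for p in excludes]
    selected = []
    for path in files:
        path = path.replace("\\", "/")
        if path.startswith("./"):
            path = path[2:]
        if any(r.match(path) for r in inc) and not any(r.match(path) for r in exc):
            selected.append(path)
    return selected


# Constructed workspace listing (hypothetical; not from any real build).
WORKSPACE_FILES = [
    "pom.xml",
    "target/app-1.0.jar",
    "target/classes/com/example/App.class",
    "module-a/target/module-a-1.0.jar",
    "src/test/resources/fixture.jar",
    "lib/third-party/commons-io-2.11.0.jar",
    "lib/third-party/commons-io-2.11.0.jar.sha1",
    "node_modules/leftpad/package.json",
    "docs/readme.md",
]

# Assumed scan-target and exclude patterns for the example.
INCLUDES = ["**/*.jar", "**/*.war", "**/package.json"]
EXCLUDES = ["**/test/**", "node_modules/**"]


def example_selection():
    """Apply the assumed patterns to the constructed workspace."""
    return select_scan_targets(WORKSPACE_FILES, INCLUDES, EXCLUDES)


if __name__ == "__main__":
    for path in example_selection():
        print(path)
```

A pattern such as `*.jar` (no leading `**/`) only matches archives in the workspace root, which is a common reason a scan reports fewer components than expected; the `**/` prefix is what makes the pattern descend into module subdirectories.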
Evaluate Policies and View Results
Your application will be evaluated as a task during Bamboo job execution. The Job Summary page shows the results of the evaluation.
The summary results give a breakdown and count of violations for each of the three threat level categories:
Critical (threat level 8-10)
Severe (threat level 4-7)
Moderate (threat level 2-3)
The overall evaluation status is indicated as Passed, Failed, or Passed with Warnings.
Click on Full Report to view a detailed report in the IQ Server.