Nexus IQ for Bamboo
Getting Nexus IQ for Bamboo up and running is not difficult. However, there are a few things we expect you to have completed prior to getting started.
- Install and configure the IQ Server (see IQ Server Installation)
- Create an organization and at least one application (see Organization Management and Application Management)
- Evaluated the application at least once (see Manual Application Evaluation)
If anything in the list above looks completely new, or has not been completed, bring everything to a full stop. Even if you aren’t responsible for those areas of IQ Server, you will need to have them complete before configuring Nexus IQ for Bamboo.
Once you are ready, download Nexus IQ for Bamboo.
Install Nexus IQ for Bamboo
You should have the Nexus IQ for Bamboo file downloaded. Now would be a good time to double-check the location you saved it to. That’s something easy to forget. Got it? Good. Now, follow these steps:
Nexus IQ for Bamboo has been rebranded in version 1.0.7 and as such has a new distribution name. When upgrading to 1.0.7 it is important you first uninstall Sonatype CLM for Bamboo before continuing with the installation.
- First, access Bamboo’s Manage Add-ons by clicking the Gear icon (within Bamboo) and then clicking Add-ons from the drop-down list.
- Next, click the Upload Add-on link. A modal will display, allowing you to specify a file, or a URL location. In this example, we’ll be using the file you downloaded previously.
- Choose the location of the Nexus IQ for Bamboo file, click Open, and then the Upload button. The upload only takes a few seconds, but during this time, a progress modal will display.
- Upon successful upload, a confirmation modal will display giving you a bit of information about the plugin. Click Close.
Awesome job! If everything went as planned, Nexus IQ for Bamboo is now listed under User-installed add-ons. Let’s head to the next step, configuration.
In most cases, pausing your Bamboo server is a good idea. Also, if you ever decide to uninstall Nexus IQ for Bamboo, you can do it from the Manage add-ons area as well.
Configure Nexus IQ for Bamboo
Now you are ready to configure Nexus IQ for Bamboo. You should be in the Bamboo administration area.
- In the left-hand navigation area / menu, locate a section titled Nexus IQ. In that section, click on the Configuration link to open the Nexus IQ Server Configuration window:
- Enter the IQ Server URL - the URL for your IQ Server.
- Select an Authentication Method:
- PKI Authentication: Delegate to the JVM for authentication.
User Authentication: Enter a username and password for authentication.
We recommend that you create a unique machine account that has access to the application(s) you wish to link to your Bamboo Build(s)/Plans.
- Click the Save button. Your configuration is saved, displaying the application(s) the user has access to.
Adding the IQ Analysis Task
So now it’s time to put everything you did to install and configure Nexus IQ for Bamboo to good use and add an IQ Analysis Task.
The IQ Analysis Task is available once you’ve installed and configured Nexus IQ for Bamboo. The following steps will walk you through adding this new task to a job.
- After navigating into a Bamboo Project > Plan > Stage > and then Job, select the Tasks tab and then click on the Add task button.
- A modal display offering a list of Task Types. The IQ Policy Evaluation is listed in the Test type, or you can simply use search.
- Enter the following information:
- Task Description: a simple description to remember what the task does.
- Application: the list of Applications corresponds to the account used during Nexus IQ for Bamboo configuration. Remember, this is the Application containing the policies that components in the build will be evaluated against. An application can also be specified that is not in the list. If automatic application creation is enabled, an application with the specified ID will automatically be created if it does not already exist in IQ Server.
Fail build when IQ Server is unable to evaluate: check this option if you want to fail the build when an IQ evaluation can’t be performed. Once checked, if for any reason the evaluation is not generated, the build will be failed. An example of this might be if the IQ Server is inaccessible. In the same example, but where the Fail the build option is left unchecked, the build would continue as it would have normally.
Details of the application evaluation are provided in the job/build-specific log.
- Stage: this corresponds to the stage you wish the policy evaluation of the application/project to be run against. Additionally, this will correspond to the stage location when viewing report information via the IQ Server. For example, if you chose the Build stage, summary and dashboard violation results will be displayed accordingly.
- Scan Targets: the scan targets setting allows you to control which files should be examined with an Apache Ant styled pattern. The pattern is relative to the project workspace root directory and inherits the global configuration.
- Module Excludes: if you are using the Sonatype CLM for Maven plugin, module files are created, and can contribute to results found during an evaluation. For information on how to exclude these files, please see Sonatype CLM for Maven.
- Click the Save button.
Reviewing IQ Policy Results
After your Bamboo job has completed, and your application has been successfully evaluated by the IQ Server, a summary of the results will be provided on the Job Summary page. The summary results give a breakdown of the three threat level categories for policy:
- Critical (8-10)
- Severe (4-7)
- Moderate (2-3)
In addition to counts for each of these categories, a status for the success of the evaluation is provided, as well as a link to the Full Report located on your IQ Server is also provided. These are located just to the left of the summary results.
In the event IQ should encounter an issue during the evaluation related to the IQ Server itself, this will be indicated by one of three statuses: Passed, Passed with Warnings, or Failed.