Nexus IQ CLI

Overview

While tools offering full integration for evaluations are provided (e.g. Nexus Repository Manager, Eclipse, and Hudson/Jenkins), any application can be evaluated against your policies simply by using the Nexus IQ Command Line Interface (CLI).

Before you get started, there are a few things you should make sure you have, including:

  • A general familiarity with the CLI (you don’t need to be an expert, but basic knowledge helps).
  • Installed and set up the IQ Server
  • Set up an organization and application
  • Created or imported a policy for your application, or the organization that contains your application.

With regard to integrating the Nexus IQ CLI with CI servers, you should also have a familiarity with the way your particular CI utilizes build steps to launch a simple script.

Downloading the Nexus IQ CLI

To use the Nexus IQ CLI, download the jar file from IQ Download and Compatibility and place the file in its own directory.

Be sure to remember where you placed the file you downloaded. As a recommendation, it’s best to have the Nexus IQ CLI in its own directory, and not shared with the IQ Server.

Nexus IQ CLI Docker Image

The Nexus IQ CLI is also available as a docker image at https://hub.docker.com/r/sonatype/nexus-iq-cli.  The documentation there details how to use the image to perform an evaluation.  

Note:  Currently, the pki option is not available via the docker image.

Locating Your Application ID

Before you start an evaluation, you need to have your Application ID. To get this…

  1. Log into your IQ Server with a user account with at least a developer role for the application you plan on evaluating.
  2. Click the Organization & Policies icon .
  3. Click on an organization in the menu on the left to display a list of applications, and then click on the application you want to find the Application ID for. You will see a screen similar to the following example:

  4. Locate the text to the right of the application name. The application ID is the text in parenthesis.

    The application ID will be truncated if it is too long. The full application ID can be copied to the clipboard from the Actions menu.

An alternative is to enable automatic application creation. If you do so, an application with the specified ID will automatically be created if it does not already exist in IQ Server.

Evaluating an Application

Now that you have the Nexus IQ CLI set up, you are ready to evaluate an application. The application can be an archive file, a directory containing such archives or a Docker image.

As a Java application, it can be started using the java command, and adding the necessary parameters. The syntax below represents the minimum set of options required to evaluate an application.

If the application is an archive or directory:

java -jar [nexus-iq-cli jar] -i [application id] -s [server URL] -a [username:password] [target]

For Docker images, there are two approaches. The first approach is to use Docker to save the Docker image as a tar archive.

Use the Docker CLI to save a Docker image:

docker save -o [target].tar [image name]

Then, evaluate the resulting tarred repository as you would an archive as described above.  

The second approach requires a Twistlock environment.

Integrating Twistlock

java -cp [nexus-iq-cli jar jar] com.sonatype.insight.scan.cli.TwistlockPolicyEvaluatorCli -i [application id] -s [server URL] --twistlock-scanner-executable [Twistlock scanner executable] --twistlock-console-url [Twistlock console URL] --twistlock-console-username [Twistlock console username] --twistlock-console-password [Twistlock console password] [target]

nexus-iq-cli jar

This is the path to the Nexus IQ CLI jar file e.g. ./nexus-iq-cli-<version>.jar

-a, --authentication

Using the switch -a, enter the user name:password (e.g. MyUserName:MyUserPassword).

Authentication will permit (or prevent) the ability to submit an application for evaluation, as well as retrieve the summary results and URL.

--pki-authentication

Delegate to the JVM for authentication.

-xc, --expanded-coverage

Use the -xc switch to enable Expanded Coverage analysis (available in IQ Server versions 1.35 and newer). 

-i, --application-id

Using the switch -i, enter the application id for your application (see instructions above). If automatic application creation is enabled and the application does not exist, it will be created.

-s, --server-url

Using the switch -s enter the location of your IQ Server (e.g. http://localhost:8070).

Target

This is the path to a specific application archive file, a directory containing such archives or the ID of a Docker image. For archives, a number of formats are supported, including jar, war, ear, tar, tar.gz, zip and many others.

--twistlock-scanner-executable

The path to the Twistlock scanner binary, e.g. /opt/twistlock/twistlock-scanner

--twistlock-console-url

The URL for the Twistlock console, e.g. https://localhost:8083

--twistlock-console-username

The user name used to connect to the Twistlock console.

--twistlock-console-password

The password for the user name used to connect to the Twistlock console.

Note:  twistlock is not available via the docker image.

Listed in the options below, you can specify the specific stage. However, if you do not include this option the system will default to the Build stage.

Additional Parameters

There are several additional options that can be used in the construction of the syntax for evaluating an application with the Nexus IQ CLI.

-w, --fail-on-policy-warnings

using the switch -w will cause a failure of the evaluation if any warnings are encountered. By default, this is set to false.

-e, --ignore-system-errors

Using the switch -e, allows you to ignore any system errors (e.g. IO, Network, server, etc.). This is most helpful when using the Nexus IQ CLI with continuous integration servers, as these errors can cause the unintentional failure of a build.

-p, --proxy

Using the switch -p, you can specify a proxy to use in connecting to the IQ Server. The format is <host[:port]>.

-U, --proxy-user

Using the switch -U, you can specify credentials for the proxy. The format is <username:password>.

-r, --result-file

Using the switch -r, you can specify the name and location of a JSON file that will store the results of the policy evaluation in a machine-readable format.

-t, --stage

Using the switch -t, you can specify the stage you wish the report to be associated with. This is an optional parameter, and if it is not specified, the report will be associated with the Build stage by default.

At this time only the Build, Stage Release, and Release stages will display a report in the IQ Server Reports area. For a full list of stages, use the CLI help provided with the tool.

-X, --debug

This switch enables debug logging to help troubleshooting.

The resulting debug log may contain sensitive information. Use this option with care.

Scan Targets

You can specify multiple scan targets, separated by spaces:

test/dir/*/*.jar test/*/*.ear

Scan targets on the command line use standard glob expansion, as definied by the shell the CLI is running on.

Loading Parameters from a File

The parameters can be passed to the Nexus IQ CLI via a file. To do that, specify the file name prefixed by an "@" character, e.g. @some/path/myparamfile.

  • The file uses the JVM's default character encoding.
  • Parameters specified on the command line can be mixed with parameters specified in a file.
  • There can be any number of parameter files.

Inside a parameter file:

  • Parameter names and their values must be on separate lines.
  • Both short and long parameter names are supported.
  • File paths within the parameter file are relative to the process' current directory, not the parameter file. Absolute file paths are supported as well.
  • Multiple file paths can be specified, one per line.

The following example assumes all the referenced files are in the current working directory:

java -jar ./nexus-iq-cli-<version>.jar @cli-params.txt

and

-i 
Test123 
-a 
username:password 
-s
http://localhost:8070 
-t 
build 
./sample-application.zip

Or, if you just want to hide the credentials:

java -jar ./nexus-iq-cli-<version>.jar @cli-auth.txt -i Test123 -s http://localhost:8070 -t build ./sample-application.zip

and

-a 
username:password 

Example Lifecycle Evaluation

In an example scenario, let’s say you have downloaded the latest CLI jar as well as the application you want to examine to a specific directory e.g. ~/nexus-iq-server-test. The application’s filename is sample-application.zip.

To evaluate this application you have to identify the application ID and supply it with the -i switch, supply the URL of your IQ Server with -s, and add -a to authentiate with your username and password. As an option, and what is demonstrated below, you can also specify a particular stage with the -t switch. 

The following example shows command line for an Application ID Test123 and a URL of http://localhost:8070. Replace <version> in the jar file path with your version of the CLI.

java -jar ./nexus-iq-cli-<version>.jar -i Test123 -s http://localhost:8070 -a username:password -t release sample-application.zip

To access help content for the Nexus IQ CLI, run it without supplying parameters:

java -jar ./nexus-iq-cli-<version>.jar

Go ahead and try an evaluation yourself. The Nexus IQ CLI will accept a number of file types, including jar, war, and zip files. If your evaluation is successful, the log output of the command execution will provide a summary as well as a link to the produced results similar to:

[INFO] Policy Action: Warning
[INFO] Summary of policy violations: 4 critical, 85 severe, 46 moderate
[INFO] The detailed report can be viewed online
at http://localhost:8070/ui/links/application/my-app/report/95c4c14e


Example XC Evaluation

To run an XC scan, download the latest CLI jar as well as the application you want to examine to a specific directory e.g. ~/nexus-iq-server-test. For this example, the application’s filename is sample-application.zip.

Lifecycle XC is supported in IQ Server versions 1.35 and newer.

To evaluate this application with XC, use the -xc switch, identify the application ID and supply it with the -i switch, add the URL of your IQ Server with -s, and use -a to authentiate with your username and password.

The following example shows command line for an XC evaluation with Application ID Test123 and a URL of http://localhost:8070. Replace <version> in the jar file path with your version of the CLI.

java -jar ./nexus-iq-cli-<version>.jar -xc -i Test123 -s http://localhost:8070 -a username:password sample-application.zip

Go ahead and try an XC evaluation yourself. The Nexus IQ CLI accepts a number of file types, including jar, war, and zip files. If your evaluation is successful, the log output of the command execution will provide a summary as well as a link to the produced results similar to:

[INFO] The expanded coverage report can be viewed online at 
http://localhost:8070/ui/links/application/Test123/report/24f4d0769c3f47d18ef0f154e364209d

Copy the URL and paste into a Web browser to view the results:

Example Expanded Coverage Report

For more information, see Lifecycle XC.

Using the Nexus IQ CLI with a CI Server

We won’t be covering a specific CI here, but in general, all you need to identify (in your CI), is the location for adding a build step that includes processing a simple shell script during the building of your application.

Once you are there, make sure your script calls the Nexus IQ CLI using the following syntax:

java -jar [ScannerJar] -i [AppID] -e [IgnoreSystemErrors] -w [FailOnPolicyWarning] -s [ServerURL] -a [username:password] [Target]

Each of the areas in the syntax above are described in the Evaluating an Application section.

Given a typical setup, your syntax, including all available options, will likely look similar to the following:

java -jar /scanner/nexus-iq-cli-<version>.jar -i tester123 -s http://localhost:8070 -a username:password ./target/sample-app.war

Now, when your application is built, the build step you have added will call the Nexus IQ CLI, evaluate your application, and upload results of the evaluation to the IQ Server. By default this will be placed below the build column in the Reports and Application area on the IQ Server, for your application.

We advise you to use a separate application identifier for each of your unique applications. Using the same application identifier will result in report results being overwritten each time an application is built. While this is always the case, matching the latest evaluation to the right application can prove difficult.