Sonatype CLM for SonarQube

The Sonatype CLM for SonarQube plugin is not compatible with the latest version of SonarQube.

Starting with SonarQube version 6.2, customizable global dashboards and widgets are removed. As a consequence, custom plugins which were contributing widgets or dashboards won't be effective any more.

The rebranding and renaming of Sonatype CLM to Nexus IQ Server started with the 1.17 release. You will see references to "Sonatype CLM" in the SonarQube plugin. We realize this may cause some confusion, and appreciate your patience as we move forward.


IQ Server integrates with a wide range of external enforcement points that include continuous integration servers (Hudson/Jenkins, Bamboo, the CLI and Maven), the IDEs (Eclipse and IntelliJ IDEA), and repository management (Nexus).

The enforcement points are a common aspect of the development lifecycle, and in IQ Server, each represents a unique stage. This creates an invaluable integration of IQ Server with industry standard tools that already make the lives of your business and development process even better. This also means, your team has greater overall control in identifying and reducing open source component risk.

Better component usage doesn’t just lead to risk reduction though, it also leads to better applications. This is something that ties closely with code analysis, and tools such as SonarQube.

As a user of SonarQube, you know first hand the impact that principles such as the 7 Axes of Code Quality can have on the applications and projects your teams create. Paralleling this, as a user of IQ Server you also know how policy management is a critical and essential part of open source component usage.

Sonatype CLM for SonarQube brings both of these together.

See Integration Requirements for information on Sonatype CLM for SonarQube supported versions.


There are a few things that must be done prior to getting Sonatype CLM for SonarQube running:

  • Install and configure the IQ Server.
  • Create at least one organization and one application.
  • Evaluate the application at least once.
  • Have an existing SonarQube project.

When the above items are complete, use the following instructions to install Sonatype CLM for SonarQube:

  1. Download Sonatype CLM for SonarQube.

    If your installation of SonarQube is running, stop it before adding the plugin.

  2. Once downloaded, find the extensions > plugins directory in your installation of SonarQube.
  3. Copy the Sonatype CLM for SonarQube JAR file (the one downloaded from the link above) into this directory.
  4. Start your SonarQube instance, and log in with your administrator account.


The CLM settings window allows you to specify the location of your IQ server. In the example below, basic defaults for configuration have been used. Yours will likely be different.

  1. From the main SonarQube interface, click the Administration menu item.
  2. From the Administration menu, select Configuration, and then click CLM Settings:

  3. In the CLM Settings window, enter your IQ Server URL.
  4. Select an Authentication Method:
    1. select User Authentication and enter your username and password (must be at least a developer role for the application associating with this SonarQube project), or
    2. select PKI Authentication to delegate authentication to the JVM.

      These settings will be used across all projects for your SonarQube installation. Because of this we suggest creating a single account in IQ Server for SonarQube, and then associating that account with the Developer role for the applications you will be linking to SonarQube.

  5. Click the Save CLM Settings button to save your IQ Server settings.

Proxy Configuration

In some instances, your IQ Server may be setup behind a proxy. If this is the case, have your SonarQube Administrator configure your proxy via the wrapper.conf file located within the conf directory of your SonarQube installation. For more information, please refer to SonarQube’s documentation.

Select the IQ Server Application

The next step is selecting the application that is associated with your SonarQube project.

  1. Open the project you want to associate the application with, and then click Administration > Sonatype CLM.

  2. In the Sonatype CLM Configuration area, select an application from the drop down list that should be associated to your SonarQube Project:

  3. Click the Update button.

Add and Configure the Sonatype CLM Widget

The final step is to add the Sonatype CLM Widget to your SonarQube project. This is done from the SonarQube Widget Configuration area.

  1. Click on the Configure Widgets button located in the top-right section of the screen.
  2. The easiest way to find the Sonatype CLM Report Summary widget is by using the SonarQube widget search (just enter Sonatype). Click on the Add Widget button to add the widget to your dashboard.
  3. Next, click on the Edit link in the top right of the Sonatype CLM Report Summary widget box. Several options will display.
    1. Select the Project you want to see IQ Server data in.

      1. The option to select a project is only available when adding the widget from a non-project-specific dashboard.
    2. Enter a Title
    3. Choose the CLM Stage. The CLM stage selected affects which Application Composition Report will be used to display summary-level data. Be sure to pick the stage that best represents the state of your application when it is scanned by SonarQube. Default will use the Build stage:

      Due to technical constraints, the dropdown option also includes stages that might not be available for your license. Selecting any of those will yield an error when accessing the IQ Server server.

  4. Click the Save button to save your selections.
  5. Click the Update button.

Accessing the Application Composition Report

Within SonarQube, you are provided with basic summary information for the Application, as well as a link to the associated Application Composition Report. To access the detailed information provided by this report, click on the Full Report link displayed in the IQ Server Report Summary widget in your project.