Java Application Analysis

NEW IN RELEASE 107

What is supported

Maven and Gradle projects are supported by scanning their respective pom.xml and build.gradle manifest files.

Dependencies associated with other pom/gradle files or projects are not resolved. Each project is scanned independently.

Only build.gradle files written in Groovy are supported.

What do we parse from a file?

pom.xml

Dependencies with group, artifact, and exact version are required and evaluated, extension and classifier are optional. For example:

<dependency>
  <groupId>org.example</groupId>
  <artifactId>ACME-business</artifactId>
  <version>1.0-SNAPSHOT</version>
</dependency>

Test and provided dependencies are not evaluated.

build.gradle

Dependencies with group, artifact, and exact version are required and evaluated, extension and classifier are optional. For example:

dependencies {
  compile  'org.example:ACME-business:1.0-SNAPSHOT'
}

The following dependency scopes are supported: "api", "apiElements", "compileClasspath", "implementation", "compileOnly", "compileOnlyApi", and "compile". Other dependency scopes are not evaluated.
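A quick check of which declared dependencies the manifest scan would evaluate under the pom.xml and build.gradle rules above, as an added example (not Sonatype's scanner code). It assumes every <dependency> element in a pom.xml is considered, that an unresolved ${property} does not count as an exact version, and that build.gradle uses Groovy string notation; the sample manifests are constructed.

```python
import re
import xml.etree.ElementTree as ET

SKIPPED_SCOPES = {"test", "provided"}  # pom.xml scopes that are not evaluated
GRADLE_CONFIGS = {"api", "apiElements", "compileClasspath", "implementation",
                  "compileOnly", "compileOnlyApi", "compile"}  # evaluated build.gradle configurations
GRADLE_DEP = re.compile(r"""^\s*(\w+)\s*\(?\s*['"]([^'"]+)['"]""")  # e.g.  compile 'g:a:v'

def _child(elem, name):  # text of the first child element called `name` (namespace stripped), or None
    return next(((c.text or "").strip() for c in elem if c.tag.rsplit("}", 1)[-1] == name), None)

def pom_dependencies(pom_xml):  # -> ([evaluated 'g:a:v'], [('g:a:v', reason not evaluated)])
    evaluated, skipped = [], []
    for dep in (e for e in ET.fromstring(pom_xml).iter() if e.tag.rsplit("}", 1)[-1] == "dependency"):
        g, a, v = (_child(dep, n) for n in ("groupId", "artifactId", "version"))
        scope, coord = _child(dep, "scope") or "compile", f"{g}:{a}:{v}"
        if scope in SKIPPED_SCOPES:
            skipped.append((coord, f"scope '{scope}' is not evaluated"))
        elif not (g and a and v):
            skipped.append((coord, "group, artifact and exact version are required"))
        elif "${" in v:  # assumption: an unresolved ${property} does not count as an exact version
            skipped.append((coord, "version is a property placeholder, not an exact version"))
        else:
            evaluated.append(coord)
    return evaluated, skipped

def gradle_dependencies(build_gradle):  # same result shape, for Groovy string-notation dependencies
    evaluated, skipped = [], []
    for m in filter(None, map(GRADLE_DEP.match, build_gradle.splitlines())):
        config, parts = m.group(1), m.group(2).split(":")
        coord = ":".join(parts[:3]).split("@")[0]  # classifier and @extension are optional, drop them
        if len(parts) < 3:
            skipped.append((coord, "group, artifact and exact version are required"))
        elif config not in GRADLE_CONFIGS:
            skipped.append((coord, f"configuration '{config}' is not evaluated"))
        else:
            evaluated.append(coord)
    return evaluated, skipped

# Constructed sample manifests for this example (not taken from a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>commons-io</groupId><artifactId>commons-io</artifactId><version>2.6</version></dependency>
<dependency><groupId>org.example</groupId><artifactId>ACME-data</artifactId><version>${acme.version}</version></dependency>
<dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13</version><scope>test</scope></dependency>
</dependencies></project>"""
SAMPLE_GRADLE = ("dependencies {\n  compile 'org.example:ACME-business:1.0-SNAPSHOT'\n"
                 "  implementation('commons-io:commons-io:2.6:sources@jar')\n"
                 "  testImplementation 'junit:junit:4.13'\n  runtimeOnly 'org.example:ACME-runtime'\n}")
```

Running the two functions over the samples shows only the exact-versioned, non-test entries in the evaluated list, with a reason attached to each skipped one.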

Integrations with Java scanning support

For pom.xml

  • CLI from version 107
  • Jenkins from version 3.11.20210308-082521.0d183ff
  • Bamboo - Coming Soon

For build.gradle

  • CLI from version 107
  • Jenkins from version 3.11.20210308-082521.0d183ff
  • Bamboo - Coming Soon

Steps to analyze using the CLI

Run a scan

Invoke a CLI scan of a directory or subdirectories containing pom.xml or build.gradle files. Instructions on how to do this can be found here: Nexus IQ CLI.

Example pom.xml file

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.example</groupId>
   <artifactId>ACME-Consumer</artifactId>
   <packaging>pom</packaging>
   <version>1.0-SNAPSHOT</version>
   <modules>
      <module>Consumer-Service</module>
      <module>Consumer-Data</module>
   </modules>
   <properties>
      <commons.version>2.6</commons.version>
   </properties>
   <dependencyManagement>
      <dependencies>
         <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
            <version>${commons.version}</version>
         </dependency>
         <dependency>
            <groupId>org.example</groupId>
            <artifactId>ACME-data</artifactId>
            <version>1.0-SNAPSHOT</version>
         </dependency>
      </dependencies>
   </dependencyManagement>
</project>

Output from CLI

Dashboard results

Report results

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin will not evaluate pom.xml or build.gradle files. A custom Scan Target is needed, for example:

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/pom.xml'], [scanPattern: '**/build.gradle']], iqStage: 'build'

To find more information on how to configure Jenkins please go to the Nexus Platform Plugin for Jenkins.