Java Application Analysis

NEW IN RELEASE 107

What is supported

Maven and Gradle projects are supported by scanning their respective pom.xml and build.gradle manifest files.

Dependencies associated with other pom/gradle files or projects are not resolved. Each project is scanned independently.

Only build.gradle files written in Groovy are supported. 

What do we parse from a file?

pom.xml

Dependencies with group, artifact, and exact version are required and evaluated, extension and classifier are optional. For example:

<dependency>
  <groupId>org.example</groupId>
  <artifactId>ACME-business</artifactId>
  <version>1.0-SNAPSHOT</version>
</dependency>

Test and provided dependencies are not evaluated.

build.gradle

Dependencies with group, artifact, and exact version are required and evaluated, extension and classifier are optional. For example:

dependencies {
  compile  'org.example:ACME-business:1.0-SNAPSHOT'
}

The following dependency scopes are supported: "api", "apiElements", "compileClasspath", "implementation", "compileOnly", "compileOnlyApi", and "compile". Other dependency scopes are not evaluated.
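To check how the rules above apply to a manifest before running a scan, here is an added Python example (not Nexus IQ's own parser) that extracts group:artifact:version coordinates from a pom.xml and a Groovy build.gradle and separates the dependencies these rules evaluate from the ones they skip. It assumes Python 3.8+ for the `{*}` namespace wildcard, and treats a `${property}` version as not an exact version, which is my reading of the "exact version" requirement rather than a statement from the page; the manifests are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample manifests: one dependency evaluated, one skipped by scope, one with a property version.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.example</groupId><artifactId>ACME-business</artifactId><version>1.0-SNAPSHOT</version></dependency>
<dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version><scope>test</scope></dependency>
<dependency><groupId>commons-io</groupId><artifactId>commons-io</artifactId><version>${commons.version}</version></dependency>
</dependencies></project>"""
GRADLE = """dependencies {
  compile  'org.example:ACME-business:1.0-SNAPSHOT'
  implementation 'commons-io:commons-io:2.6'
  testImplementation 'junit:junit:4.13.2'
  api 'org.example:ACME-data:1.0-SNAPSHOT@jar'
}"""

SKIPPED_SCOPES = {"test", "provided"}  # Maven scopes the page says are not evaluated
GRADLE_CONFIGS = {"api", "apiElements", "compileClasspath", "implementation",
                  "compileOnly", "compileOnlyApi", "compile"}  # supported Gradle scopes
DEP_LINE = re.compile(r"^\s*(\w+)\s*\(?\s*['\"]([^'\"]+)['\"]")  # <config> 'g:a:v[:cls][@ext]'

def pom_coordinates(xml_text):
    # Returns (evaluated, skipped-with-reason) lists of 'g:a:v' coordinates for a pom.xml.
    evaluated, skipped = [], []
    for dep in ET.fromstring(xml_text).iterfind(".//{*}dependency"):  # {*} ignores the POM namespace
        g, a, v = (dep.findtext("{*}" + n, "").strip() for n in ("groupId", "artifactId", "version"))
        coord = f"{g}:{a}:{v}"
        if dep.findtext("{*}scope", "").strip() in SKIPPED_SCOPES:
            skipped.append((coord, "scope"))
        elif not (g and a and v) or "${" in v:  # assumption: a property placeholder is not an exact version
            skipped.append((coord, "no exact version"))
        else:
            evaluated.append(coord)
    return evaluated, skipped

def gradle_coordinates(gradle_text):
    # Same split for Groovy build.gradle string-notation dependency lines.
    evaluated, skipped = [], []
    for line in gradle_text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        config, spec = m.groups()
        parts = spec.split("@")[0].split(":")  # drop optional @extension; classifier would be parts[3]
        coord = ":".join(parts[:3])
        if config not in GRADLE_CONFIGS:
            skipped.append((coord, "scope"))
        elif len(parts) < 3 or "$" in parts[2]:
            skipped.append((coord, "no exact version"))
        else:
            evaluated.append(coord)
    return evaluated, skipped
```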


Steps to analyze using the Nexus IQ CLI

Run a Nexus IQ scan

Invoke a Nexus IQ CLI scan of a directory or subdirectories containing pom.xml or build.gradle files. Instructions on how to do this can be found here: Nexus IQ CLI.

Example pom.xml file

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.example</groupId>
   <artifactId>ACME-Consumer</artifactId>
   <packaging>pom</packaging>
   <version>1.0-SNAPSHOT</version>
   <modules>
      <module>Consumer-Service</module>
      <module>Consumer-Data</module>
   </modules>
   <properties>
      <commons.version>2.6</commons.version>
   </properties>
   <dependencyManagement>
      <dependencies>
         <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
            <version>${commons.version}</version>
         </dependency>
         <dependency>
            <groupId>org.example</groupId>
            <artifactId>ACME-data</artifactId>
            <version>1.0-SNAPSHOT</version>
         </dependency>
      </dependencies>
   </dependencyManagement>
</project>

Output from Nexus IQ CLI

Nexus Lifecycle Dashboard Results

Nexus Lifecycle Report Results

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin does not evaluate pom.xml or build.gradle files; a custom Scan Target is needed.

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/pom.xml'], [scanPattern: '**/build.gradle']], iqStage: 'build'

To find more information on how to configure Jenkins please go to the Nexus Platform Plugin for Jenkins.