Nexus IQ for Bamboo


Getting Nexus IQ for Bamboo up and running is not difficult. However, there are a few things we expect you to have completed prior to getting started.

If anything in the list above looks completely new, or has not been completed, bring everything to a full stop. Even if you aren’t responsible for those areas of IQ Server, you will need to have them complete before configuring Nexus IQ for Bamboo.

Once you are ready, download Nexus IQ for Bamboo.

Install Nexus IQ for Bamboo

You should have the Nexus IQ for Bamboo file downloaded. Double-check where you saved it, because the upload step below asks for its location and that is easy to forget. Then follow these steps:

Nexus IQ for Bamboo has been rebranded in version 1.0.7 and as such has a new distribution name. When upgrading to 1.0.7 it is important you first uninstall Sonatype CLM for Bamboo before continuing with the installation.

  1. First, access Bamboo’s Add-ons/apps administration by clicking the Gear icon (within Bamboo) and then clicking Add-ons/Manage apps from the drop-down list.
  2. Next, click the Upload Add-on/app link. A modal will display, allowing you to specify a file, or a URL location. In this example, we’ll be using the file you downloaded previously.
  3. Choose the location of the Nexus IQ for Bamboo file, click Open, and then the Upload button. The upload only takes a few seconds, but during this time, a progress modal will display.
  4. Upon successful upload, a confirmation modal will display giving you a bit of information about the plugin. Click Close.

Awesome job! If everything went as planned, Nexus IQ for Bamboo is now listed under User-installed add-ons. Let’s head to the next step, configuration.

In most cases it is a good idea to pause your Bamboo server before installing or uninstalling the add-on, so that no running build picks up the task while it is changing. If you ever decide to uninstall Nexus IQ for Bamboo, you can do that from the Manage add-ons area as well.

Configure Nexus IQ for Bamboo

Now you are ready to configure Nexus IQ for Bamboo. You should be in the Bamboo administration area.

  1. In the left-hand navigation menu, locate the section titled Nexus IQ. In that section, click the Configuration link to open the Nexus IQ Server Configuration window.
  2. Enter the IQ Server URL - the URL for your IQ Server.
  3. Select an Authentication Method:
    1. PKI Authentication: authentication is delegated to the JVM that runs Bamboo, so the client certificate and trust settings come from that JVM's key and trust store configuration rather than from anything entered here. No credentials are stored in the plugin configuration.
    2. User Authentication: enter a username and password for authentication. Bamboo stores these credentials and every plan that uses the IQ task shares them.

      We recommend that you create a unique machine account with access to only the application(s) you wish to link to your Bamboo build(s)/plans, and grant it only the permissions needed to run evaluations against them. Do not reuse a personal or administrator account: the credentials are stored server-side and are used by every plan that runs the task.

  4. Click the Save button. Your configuration is saved, displaying the application(s) the user has access to.

Adding the IQ Analysis Task

So now it’s time to put everything you did to install and configure Nexus IQ for Bamboo to good use and add an IQ Analysis Task.

The IQ Analysis Task is available once you’ve installed and configured Nexus IQ for Bamboo. The following steps will walk you through adding this new task to a job.

  1. After navigating into a Bamboo Project > Plan > Stage > and then Job, select the Tasks tab and then click on the Add task button.
  2. A modal displays a list of Task Types. The IQ Policy Evaluation task is listed under the Test type; you can also find it with the search box.
  3. Enter the following information:
    1. Task Description: a simple description to remember what the task does.
    2. Fail build when IQ Server is unable to evaluate: check this option if the build should fail whenever an IQ evaluation cannot be performed, for example because the IQ Server is unreachable. If the option is left unchecked in that same situation, the build continues as it normally would even though no evaluation was produced, so the policy gate is silently skipped. Enable it wherever the evaluation is meant to gate a release.

      Details of the application evaluation are provided in the job/build-specific log.

    3. Organization (optional): the list of Organizations retrieved from the Nexus IQ Server. An organization ID can also be specified directly. If an organization is selected and automatic application creation is enabled, a new application will automatically be created under the selected organization, if it does not already exist on the IQ Server.
    4. Application: the list of Applications corresponds to the account used during Nexus IQ for Bamboo configuration. Remember, this is the Application containing the policies that components in the build will be evaluated against. An application can also be specified that is not in the list. If automatic application creation is enabled, an application with the specified ID will automatically be created if it does not already exist on the IQ Server.
    5. Stage: this corresponds to the stage you wish the policy evaluation of the application/project to be run against. Additionally, this will correspond to the stage location when viewing report information via the IQ Server. For example, if you chose the Build stage, summary and dashboard violation results will be displayed accordingly.
    6. Scan Targets: the scan targets setting allows you to control which files should be examined with an Apache Ant styled pattern. The pattern is relative to the project workspace root directory and inherits the global configuration.
    7. Module Excludes: if you are using the Sonatype CLM for Maven plugin, module files are created, and can contribute to results found during an evaluation. For information on how to exclude these files, please see Sonatype CLM for Maven.
  4. Click the Save button.

Adding the IQ Analysis Task via YAML Specs

Bamboo YAML Specs let you define Bamboo configuration as code, so a plan's configuration can be fetched from a file inside the repository and changes to it are reviewed like any other commit. More details about Bamboo Specs are available here.

  1. Bamboo looks for either bamboo-specs/bamboo.yml or bamboo-specs/bamboo.yaml files. You should have them created in your repository.
  2. Don't forget to allow Bamboo to scan the linked repository for Specs: Go to Bamboo Administration (Gear Icon) > Linked repositories, select the repository containing the spec file, click the Bamboo Specs tab and activate the Scan for Bamboo Specs button.
  3. Here is a sample Bamboo specs file for a simple plan executing two tasks:

    version: 2
    plan:
      project-key: PK
      key: IQ
      name: NexusIQPlan
      description: Integrating Nexus IQ Bamboo Plugin
    stages:
      - Default Stage:
          manual: false
          final: false
          jobs:
            - Default Job
    Default Job:
      key: JOB1
      tasks:
        - checkout:
            force-clean-build: 'false'
            description: Checkout Default Repository
        - maven:
            executable: Maven 3
            jdk: JDK 17.0.4
            goal: clean test
            tests: 'true'
            description: Clean Test Sample Project
      artifact-subscriptions: []
    repositories:
      - SampleRepository:
          scope: global
    triggers:
      - polling:
          period: '180'
    branches:
      create: manually
      delete: never
      link-to-jira: true
    notifications: []
    labels: []
    dependencies:
      require-all-stages-passing: false
      enabled-for-branches: true
      block-strategy: none
      plans: []
    other:
      concurrent-build-plugin: system-default
  4. To add the IQ Policy Evaluation task, add an any-task block to the tasks section of the job, placed after the build task so that the archives to be scanned already exist in the workspace. The Nexus IQ settings go under the task's configuration map:

    - any-task:
        # Module key of the IQ Policy Evaluation task; look it up under Manage apps.
        # The value below is a placeholder, replace it with the key shown for your installation.
        plugin-key: <nexus-iq-task-plugin-key>
        description: Bamboo Task
        configuration:
          failOnClmFailures: 'true'     # fail closed: no evaluation means no green build
          clmOrgIdType: specified
          clmOrgId: iq-org
          clmAppIdType: specified
          clmAppId: iq-app
          clmStageType: specified
          clmStageTypeId: build
          clmScanTargets: '**/*.jar'
          clmModuleExcludes: '**/my-module/target/**'

    IQ Policy Evaluation Task Configuration Properties (key, description, whether it is required, accepted values):

    plugin-key
      The plugin identifier within Bamboo: the plugin's module used in the task. You can find the Nexus IQ plugin information in the Add-ons/apps administration section in
      Required: true (Bamboo cannot resolve an any-task without it)
    description
      The task description, to remember what the task does.
      Required: false. Default: empty
    failOnClmFailures
      If set to true the build will fail when an IQ evaluation can't be performed or if for any reason the evaluation is not generated.
      Required: false. Accepted values: true, false (default)
    clmOrgIdType
      Whether the Nexus IQ Organization ID is specified or selected from a list. In the Bamboo Specs scope either accepted value is valid.
      Required: false. Accepted values: specified (default), selected
    clmOrgId
      The Organization ID assigned in Nexus IQ Server.
      Required: false. Default: none
    clmAppIdType
      Whether the Nexus IQ Application ID is specified or selected from a list. In the Bamboo Specs scope either accepted value is valid.
      Required: true. Accepted values: specified, selected
    clmAppId
      The Application ID assigned in Nexus IQ Server. If automatic application creation is enabled, an application with the specified ID will automatically be created if it does not exist in Nexus IQ Server.
      Required: true
    clmStageType
      Whether the stage the policy evaluation runs in is specified or selected from a list. In the Bamboo Specs scope either accepted value is valid.
      Required: true. Accepted values: specified, selected
    clmStageTypeId
      The Stage ID for which the policy evaluation of the application/project runs.
      Required: true. Accepted values: develop, source, build, stage-release, release, operate
    clmScanTargets
      A comma-separated list of Ant-style patterns relative to the workspace root that denote the files/archives to be scanned.
      Required: false. Default: **/*.jar, **/*.war, **/*.ear, **/*.zip, **/*.tar.gz
    clmModuleExcludes
      A comma-separated list of Ant-style patterns relative to the workspace root that denote the module information files (**/nexus-iq/module.xml) to be ignored.
      Required: false. Default: none
  5. The first time the YAML Spec is picked up from your linked repository, you should see a successful build in the Plan Summary.
  6. Subsequent changes to the YAML Spec trigger the plan build in Bamboo, and the Build Result Summary shows the code commits that caused it.
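The property rules and the scan target / module exclude semantics above are easy to get wrong in a spec that only Bamboo ever reads. The script below is an added example and not part of Nexus IQ for Bamboo: it lints an any-task configuration map against the property table (required keys, accepted values, the fail-open default of failOnClmFailures) and previews which workspace files a given clmScanTargets and clmModuleExcludes pair would select, using a small Ant-pattern matcher. The two task maps and the workspace file list are constructed samples, and the assumption that module files are discovered with **/nexus-iq/module.xml is taken from the clmModuleExcludes description.

```python
"""Lint an IQ Policy Evaluation any-task configuration and preview what its
scan targets and module excludes select from a workspace.

Added example; not part of Nexus IQ for Bamboo. Accepted values, defaults and
required flags are taken from the task property table; the sample task maps
and the workspace file list below are constructed for illustration.
"""
import re

STAGE_IDS = ("develop", "source", "build", "stage-release", "release", "operate")
DEFAULT_SCAN_TARGETS = "**/*.jar, **/*.war, **/*.ear, **/*.zip, **/*.tar.gz"
# Assumption: module information files are discovered with this pattern, as the
# clmModuleExcludes description states; excludes are applied on top of it.
MODULE_FILE_PATTERN = "**/nexus-iq/module.xml"


def ant_to_regex(pattern):
    """Translate one Ant-style pattern into an anchored regex: '**/' matches zero
    or more directory levels, '*' a run of non-separator characters, '?' one."""
    pattern = pattern.strip().replace("\\", "/")
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def matches_any(path, patterns):
    """True if path matches at least one pattern of a comma-separated list."""
    return any(ant_to_regex(p).search(path) for p in patterns.split(",") if p.strip())


def plan_scan(workspace_files, scan_targets=None, module_excludes=""):
    """Return (archives, module_files) the task would hand to the IQ Server: archives
    matching clmScanTargets (or the documented default) and the module files left
    after clmModuleExcludes."""
    targets = scan_targets or DEFAULT_SCAN_TARGETS
    archives = sorted(f for f in workspace_files if matches_any(f, targets))
    module_files = sorted(
        f for f in workspace_files
        if matches_any(f, MODULE_FILE_PATTERN) and not matches_any(f, module_excludes)
    )
    return archives, module_files


def lint_iq_task(config):
    """Check an any-task 'configuration' map against the documented properties.
    Returns a list of findings; empty means well formed and failing closed.
    Bamboo YAML keeps every value as a string, hence the 'true'/'false' literals."""
    findings = []
    for key in ("clmAppIdType", "clmAppId", "clmStageType", "clmStageTypeId"):
        if not config.get(key):
            findings.append("missing required property " + key)
    for key in ("clmOrgIdType", "clmAppIdType", "clmStageType"):
        if key in config and config[key] not in ("specified", "selected"):
            findings.append("%s must be 'specified' or 'selected', got %r" % (key, config[key]))
    stage = config.get("clmStageTypeId")
    if stage and stage not in STAGE_IDS:
        findings.append("clmStageTypeId %r is not one of: %s" % (stage, ", ".join(STAGE_IDS)))
    # The default is false: the build then passes even if no evaluation ran (fail open).
    if config.get("failOnClmFailures", "false") != "true":
        findings.append("failOnClmFailures is not 'true': the build passes when IQ "
                        "cannot evaluate (fail open)")
    for key in ("clmScanTargets", "clmModuleExcludes"):
        for p in config.get(key, "").split(","):
            if p.strip().startswith("/"):
                findings.append("%s pattern %r is absolute; patterns are relative to "
                                "the workspace root" % (key, p.strip()))
    return findings


# Constructed sample: the any-task configuration shown in the spec above.
SAMPLE_TASK = {
    "failOnClmFailures": "true", "clmOrgIdType": "specified", "clmOrgId": "iq-org",
    "clmAppIdType": "specified", "clmAppId": "iq-app",
    "clmStageType": "specified", "clmStageTypeId": "build",
    "clmScanTargets": "**/*.jar", "clmModuleExcludes": "**/my-module/target/**",
}
# Constructed sample: fail-build box left unchecked and a stage id that does not exist.
FAIL_OPEN_TASK = {
    "clmAppIdType": "specified", "clmAppId": "iq-app",
    "clmStageType": "specified", "clmStageTypeId": "production",
}
# Constructed sample workspace after 'mvn clean test', relative to the workspace root.
WORKSPACE = [
    "app/target/app-1.0.jar", "app/target/nexus-iq/module.xml",
    "my-module/target/my-module-1.0.jar", "my-module/target/nexus-iq/module.xml",
    "lib/vendor-sdk.zip", "src/main/java/App.java",
]

if __name__ == "__main__":
    for name, task in (("SAMPLE_TASK", SAMPLE_TASK), ("FAIL_OPEN_TASK", FAIL_OPEN_TASK)):
        print(name, "->", lint_iq_task(task) or "ok")
    print("narrowed:", plan_scan(WORKSPACE, SAMPLE_TASK["clmScanTargets"],
                                 SAMPLE_TASK["clmModuleExcludes"]))
    print("defaults:", plan_scan(WORKSPACE))
```

The script takes the configuration as a plain dictionary rather than parsing bamboo.yml itself, so it needs no YAML dependency; feed it the configuration map from whatever loader you already use, for example as a pre-commit check on bamboo-specs/bamboo.yml. Note that narrowing clmScanTargets to **/*.jar drops the zip from the scan, which is exactly the kind of silent gap the preview is meant to surface.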

Reviewing IQ Policy Results

After your Bamboo job has completed, and your application has been successfully evaluated by the IQ Server, a summary of the results will be provided on the Job Summary page. The summary results give a breakdown of the three threat level categories for policy:

  • Critical (8-10)
  • Severe (4-7)
  • Moderate (2-3)

In addition to the counts for each category, the evaluation status and a link to the full report on your IQ Server are shown just to the left of the summary results.

If IQ encounters an issue during the evaluation that relates to the IQ Server itself, the evaluation status reflects it; the status is one of three values: Passed, Passed with Warnings, or Failed.