sonatype/nexus-iq-cli

By sonatype


nexus-iq-cli

This Docker image wraps the Sonatype IQ CLI. It performs a component intelligence evaluation against the files in the mounted workspace.

Usage

docker run sonatype/nexus-iq-cli /sonatype/evaluate [options] <files or directories to scan>

Example

Assuming the content to be evaluated is in the mycontent directory (on the host machine) and the policy evaluation results should be stored in the myresults directory (on the host machine), the command will be:

docker run -v mycontent:/target -v myresults:/sonatype/reports sonatype/nexus-iq-cli /sonatype/evaluate -s https://iq.myCompany.com -a user:password -i WEBAPP /target/our-web-app.war

If the target folder name contains a space, wrap the target path in single quotes and escape the space with a backslash. For example, for a folder named 'target folder', use the following syntax:

'/target\ folder/our-web-app.war'

Available Options

Required:
  • URL to the IQ Server that will evaluate policies
      -s, --server-url <http[s]://...>
  • Authentication credentials to use for the IQ Server
      -a, --authentication <username:password>
  • Public ID of the application on the IQ Server
      -i, --application-id <app ID>
Optional:
  • The stage to run analysis against. Accepted values: develop | source | build | stage-release | release | operate. Default: build
      -t, --stage <stage>
  • The ID of an organization on the IQ Server. This determines the organization under which the application will be created in case the application doesn't exist and the automatic application creation configuration is enabled.
      -O, --organization-id <organization ID>
  • Path to a JSON file where the results of the policy evaluation will be stored in a machine-readable format. Default: none
      -r, --result-file </path/to/file.json>
  • Fail on policy evaluation warnings. Default: false
      -w, --fail-on-policy-warnings
  • Ignore system errors (IO, network, server, etc.). Default: false
      -e, --ignore-system-errors
  • Ignore scanning errors (corrupt or malformed files, etc.). Default: false
      -E, --ignore-scanning-errors
  • Proxy to use. Default: none
      -p, --proxy <host[:port]>
  • Credentials to use for the proxy. Default: none
      -U, --proxy-user <username:password>
  • Enable debug logs. WARNING: This may expose sensitive information in the log. Default: false
      -X, --debug
  • Show the help screen. Default: false
      -h, --help
  • Runs Call Flow Analysis.
      -c, --code-flow-analysis
  • Runs Call Flow Analysis for the given namespaces. Can be specified more than once, e.g. -cn namespace1 -cn namespace2
      -cn, --code-flow-analysis-namespaces <namespace>

Collecting Git information

This docker image can also collect Git information like the commit hash and repository URL, which are sent to Nexus IQ as part of the evaluation.

To enable it, the mounted workspace must contain the .git folder and the image must be made aware of it via the GIT_DIR environment variable.

Example

Assuming the content to be evaluated is in the current directory (on the host machine) and it contains the .git folder directly under the current directory, the command will look like:

docker run --env GIT_DIR=/target/.git -v $(pwd):/target sonatype/nexus-iq-cli /sonatype/evaluate -s https://iq.myCompany.com -a user:password -i iq-application '/target/**/*.jar'

This approach depends on the .git folder actually being part of the mounted folder.
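The two examples above (the workspace/reports mounts and the GIT_DIR variable) combined into one wrapper, as an added example that is not part of the sonatype/nexus-iq-cli image. It assembles the docker run command line with the preflight checks the text implies: the host directories must exist, and GIT_DIR is only set when .git really is inside the mounted workspace. The server URL, credentials, application ID and paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the sonatype/nexus-iq-cli image.
# Arguments after the first five are the paths to evaluate, as seen inside
# the container under /target (glob patterns stay quoted for the CLI).

# Single-quote one argument so paths with spaces survive the command line.
q() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

build_iq_eval_cmd() {
  workspace="$1"; reports="$2"; server="$3"; auth="$4"; app_id="$5"
  shift 5
  [ -d "$workspace" ] || { echo "workspace not found: $workspace" >&2; return 1; }
  [ -d "$reports" ]   || { echo "reports dir not found: $reports" >&2; return 1; }
  [ $# -gt 0 ]        || { echo "nothing to evaluate" >&2; return 1; }

  # Git metadata is only collected when .git is part of the mounted folder,
  # so only point GIT_DIR at it when it is actually there.
  git_env=""
  if [ -d "$workspace/.git" ]; then
    git_env=" --env GIT_DIR=/target/.git"
  fi

  # -r writes the JSON report under /sonatype/reports, i.e. into the host's
  # reports directory; -w makes policy warnings fail the run (useful in CI).
  # Note: -a puts the credentials on the command line, so keep the command
  # out of shell history and CI logs, and never combine it with -X in CI.
  cmd="docker run --rm$git_env -v $(q "$workspace"):/target -v $(q "$reports"):/sonatype/reports"
  cmd="$cmd sonatype/nexus-iq-cli /sonatype/evaluate -s $(q "$server") -a $(q "$auth") -i $(q "$app_id")"
  cmd="$cmd -r /sonatype/reports/results.json -w"
  for target in "$@"; do cmd="$cmd $(q "$target")"; done
  printf '%s\n' "$cmd"
}

# Usage (placeholders): print the command, or pipe it to sh to run it.
# build_iq_eval_cmd ./mycontent ./myresults https://iq.myCompany.com user:password WEBAPP /target/our-web-app.war
```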

Scanning Docker Images via Nexus Container

It is also possible to scan a docker image instead of a component. The docker image to be scanned can be a local image, an image in a public registry or an image in a private registry.

To scan a remote image that is private, the following environment variables must be passed in. They are the credentials for the registry that hosts the image you are scanning; they are not needed if the image is publicly available.

NEXUS_CONTAINER_IMAGE_REGISTRY_USER
NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD

An example for scanning a local docker image would be as follows:

docker run --rm -v ~/sonatype/reports:/sonatype/reports -v /var/run/docker.sock:/var/run/docker.sock sonatype/nexus-iq-cli sonatype/evaluate -s https://iq.server -a user:password -i app-name container:alpine:3.6

The final parameter can be changed as follows for scanning a remote image:

container:https://registry.hub.docker.com/library/alpine:3.4

In this case, if the image is private, the environment variables must be provided as follows:

-e NEXUS_CONTAINER_IMAGE_REGISTRY_USER=registry-username -e NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD=registry-password

This feature is currently not supported on Windows machines.

A mount path is required for container scans in versions 1.183.0 and earlier. The following command applies specifically to these versions:

docker run --rm -v ~/sonatype/reports:/sonatype/reports -v /tmp:/tmp -v /var/run/docker.sock:/var/run/docker.sock sonatype/nexus-iq-cli sonatype/evaluate -s https://iq.server -a user:password -i app-name container:alpine:3.6

To change the mount path, set the NEXUS_CONTAINER_SCANNING_MOUNT_PATH environment variable. Additionally, volume mapping must be modified as shown below:

-e NEXUS_CONTAINER_SCANNING_MOUNT_PATH=/Users/home/custom-tmp-folder -v /Users/home/custom-tmp-folder:/Users/home/custom-tmp-folder

Release notes

Full release notes for the Sonatype IQ CLI docker image are available here.

Full IQ Server release notes are available here.

Docker Pull Command

docker pull sonatype/nexus-iq-cli