Sonatype CI Plugins


Plugin Information

Plugin ID: sonatype-ci
Changes: In Latest Release | Since Latest Release
Latest Release: 1.3
Latest Release Date: Jan 10, 2013
Required Core: 1.395
Dependencies: (none listed)
Source Code: GitHub
Issue Tracking: Open Issues
Maintainer(s): Stuart McCulloch (id: mcculls)

Usage (installations per month)

2012-Sep   26
2012-Oct  104
2012-Nov  140
2012-Dec  164
2013-Jan  193
2013-Feb  207
2013-Mar  216
2013-Apr  245
2013-May  238
2013-Jun  242
2013-Jul  238
2013-Aug  236

Thanks for choosing Insight for CI. This page is aimed at highlighting the features of our plugin, as well as getting you up and running as quickly as possible. For information regarding other Sonatype products, please visit our site at www.sonatype.com.

Note: Installation of the Insight Plugin is available through the Plugin Manager. If you experience difficulty, you can download the plugin directly from our support site.

Feedback and Support

The Sonatype team is committed to making the best products possible. We know that begins with feedback from you. If you have any comments or questions, please contact us or submit feedback through our support site.

Latest Features

The latest release adds a new Key Findings area to the summary page, as well as the ability to export the report to PDF.

  • Key Findings - Displays the three highest-rated security vulnerabilities discovered during the Insight scan of your project.
  • Export to PDF - To assist users who want to archive their reports or distribute/share them, you can now create a PDF version of the report.

Insight for CI Plugin at a Glance

Insight for CI analyzes every component in every build, including dependencies, to help you find and fix license, security and quality problems quickly.

Key Features

  • Comprehensive Security and License Analysis
  • Detailed Component Information*
  • Fully-customizable Policy Options
  • Integrated Audit Capabilities*

Note: Basic information is provided at no charge. However, to access detailed information for your components, including specifics about security vulnerabilities and license issues, as well as the Audit functionality, you will need to purchase a subscription to Insight for CI. For more information refer to the Insight product page.

Accessing the Report

Once you have installed and configured the Insight Plugin and built your project at least once since configuring it, new icons will be present. In the main projects view, you will notice a shield icon and a badge icon at the end of the row. Clicking on these icons will take you to the Insight report.

In addition, if you are viewing a current project page, you will see the Insight Plugin link, as well as the badge and security icons with associated counts.

Detailed Information Available At Build Time

At build time, Insight will display the status of your open source components, all presented in an easy-to-read report. The first section, Key Findings, will display the three highest-rated security vulnerabilities found during the scan. In addition, your scan will include detailed information regarding all other security vulnerabilities, as well as any license issues that may have been identified. Note that the report includes not only exact component matches, but also components that may be similar.

Component Analysis with Every Build

Each time you build your project, Insight will perform an analysis and return the most up-to-date, detailed component information. This includes showing the components within the application and their match state against public components. To drill down even deeper, take a look at the Components Information Panel, or CIP, on the three main tabs (Components, Security, and License). Here you will find information about the component, a visualization of version popularity, and license and security details for all versions of the component.

Note: Basic information is provided at no charge. However, to access detailed information for your components, including specifics about security vulnerabilities and license issues, as well as the Audit functionality, you will need to purchase a subscription to Insight for CI. For more information refer to the product page.

Implement a Security Vulnerability Policy

Prior to running your build, you can configure Insight to take action if security vulnerabilities are found. Specifically, you can fail builds when components have known security vulnerabilities.

Component Audit Options

When security vulnerabilities or license issues are identified within your project, you can track the status of these issues, as well as add detailed notes and comments. This allows you or your team to review the history of any audits made, as well as allow builds to pass if a particular issue does not affect your project.

Edit Security Vulnerability

If you have paid for a subscription, you will have access to your data on the Security and License tabs of the report. On the Security tab you can get detailed information about any vulnerabilities, as well as track the status of any ongoing or completed research. The status of a vulnerability can be set to Open, Acknowledge, Not Applicable, or Confirmed. In addition, you can add any associated notes, which will also be recorded in the Audit log. It is important to note that if you are using the option to fail the build when a vulnerability is present, only the Not Applicable option will reduce the overall security count.

Edit License Information

If you have paid for a subscription, you will have access to your data on the Security and License tabs of the report. On the License tab, you can get detailed information about any declared licenses (found in the POM) or observed licenses (those associated with sources), as well as track the status of any ongoing or completed research. The status of a license issue can be set to Open, Acknowledged, Overridden, or Confirmed. Overriding the license will reduce the license issue count displayed on the summary and place the license issue at the bottom of the grid. This can always be "undone" by changing the status back to Open. All changes are tracked and can be reviewed via the Audit Log.
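The three sections above (the fail-the-build policy, the security audit statuses, and the license audit statuses) describe a small set of counting rules: Acknowledged and Confirmed vulnerabilities still count, only Not Applicable removes one from the count the fail-the-build option checks, and an Overridden license issue leaves the summary count and sinks to the bottom of the grid, with every status change written to the audit log. The following Python model is an added illustration of those rules, not the plugin's own code; the class and function names, the sample components and the `VULN-n` identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class SecurityStatus(Enum):
    OPEN = "Open"
    ACKNOWLEDGED = "Acknowledged"   # listed as "Acknowledge" on the Security tab
    NOT_APPLICABLE = "Not Applicable"
    CONFIRMED = "Confirmed"


class LicenseStatus(Enum):
    OPEN = "Open"
    ACKNOWLEDGED = "Acknowledged"
    OVERRIDDEN = "Overridden"
    CONFIRMED = "Confirmed"


@dataclass
class SecurityFinding:
    component: str
    issue_id: str          # constructed placeholder, not a real advisory id
    rating: float          # severity rating; higher is worse
    status: SecurityStatus = SecurityStatus.OPEN

    def label(self):
        return f"{self.component}:{self.issue_id}"


@dataclass
class LicenseIssue:
    component: str
    license: str
    status: LicenseStatus = LicenseStatus.OPEN

    def label(self):
        return f"{self.component}:{self.license}"


@dataclass
class AuditLog:
    """Every status change and its note is recorded for later review."""
    entries: list = field(default_factory=list)

    def record(self, who, item, old, new, note=""):
        self.entries.append({"who": who, "item": item.label(),
                             "from": old.value, "to": new.value, "note": note})


def set_status(item, new_status, who, log, note=""):
    """Change an audit status and write the change (with any note) to the log."""
    old = item.status
    item.status = new_status
    log.record(who, item, old, new_status, note)


def effective_security_count(findings):
    """Only Not Applicable removes a vulnerability from the count the
    fail-the-build option looks at; Acknowledged and Confirmed still count."""
    return sum(f.status is not SecurityStatus.NOT_APPLICABLE for f in findings)


def effective_license_count(issues):
    """Overriding a license issue removes it from the summary count."""
    return sum(i.status is not LicenseStatus.OVERRIDDEN for i in issues)


def key_findings(findings, n=3):
    """Key Findings: the n highest-rated vulnerabilities from the scan."""
    return sorted(findings, key=lambda f: f.rating, reverse=True)[:n]


def license_grid(issues):
    """Overridden issues go to the bottom of the grid (sort is stable)."""
    return sorted(issues, key=lambda i: i.status is LicenseStatus.OVERRIDDEN)


def build_result(findings, fail_on_vulnerabilities):
    """Policy gate: fail the build while vulnerabilities remain in the count."""
    if fail_on_vulnerabilities and effective_security_count(findings) > 0:
        return "FAILURE"
    return "SUCCESS"


def demo():
    """Walk an audit through constructed sample data and return the outcomes."""
    findings = [SecurityFinding("example-lib-a", "VULN-1", 9.3),
                SecurityFinding("example-lib-b", "VULN-2", 7.5),
                SecurityFinding("example-lib-c", "VULN-3", 5.0),
                SecurityFinding("example-lib-d", "VULN-4", 4.3)]
    issues = [LicenseIssue("example-lib-a", "Unknown"),
              LicenseIssue("example-lib-e", "GPL-2.0")]
    log = AuditLog()
    out = {"initial": build_result(findings, True),
           "top3": [f.issue_id for f in key_findings(findings)]}
    # Acknowledging does not change the count, so the build still fails.
    set_status(findings[1], SecurityStatus.ACKNOWLEDGED, "reviewer", log, "under investigation")
    out["after_ack"] = (effective_security_count(findings), build_result(findings, True))
    # Not Applicable is the only status that reduces the count.
    set_status(findings[0], SecurityStatus.NOT_APPLICABLE, "reviewer", log, "code path not reachable")
    out["after_na"] = (effective_security_count(findings), build_result(findings, True))
    # Overriding a license issue drops it from the summary and sinks it in the grid.
    set_status(issues[0], LicenseStatus.OVERRIDDEN, "reviewer", log, "license clarified with vendor")
    out["license_count"] = effective_license_count(issues)
    out["grid"] = [i.component for i in license_grid(issues)]
    out["audit_entries"] = len(log.entries)
    out["policy_off"] = build_result(findings, False)   # gate disabled: passes
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the point the Security section makes: after one finding is acknowledged the count is still 4 and the build still fails, and only marking a finding Not Applicable brings it to 3; the build then passes only when the policy is switched off, and all three status changes are present in the audit log.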

Export to PDF

Insight for Jenkins allows you to export the current report to PDF format. This can be useful for archival purposes, as well as for distributing the report to other members of your team more easily. The summary report is visually similar to the report in Jenkins, and includes:

  • A Summary Analysis
  • Detailed Security Issue Analysis
  • Detailed License Analysis

Note: PDF generation may require additional JVM permgen memory. In our testing a Sun 1.7 64-bit JVM appears to default to 85 MB of permgen, and occasionally we hit that limit. If you plan on using the PDF export feature, you will want to consider the additional memory needed for your CI installation.

Install the Insight for CI Plugin

  1. From the Jenkins main screen, click on Manage Jenkins (located in the left-hand menu).
  2. In the menu that displays on the right, click Manage Plugins.
  3. Click the Available tab (this is the second tab from the left).
  4. Use the browser find function (Typically Ctrl/Command + F) or use the browser scroll function to find “Sonatype CI Plugins”.
  5. Click the check box to the left of the plugin name, scroll down to the bottom of the page, and click Install.
  6. A progress bar is shown displaying the status of the installation. When it displays “Success,” restart Jenkins for the changes to take effect. Alternatively, you can check the box to restart Jenkins when installation is complete and there are no jobs running.

Note: Installing the Sonatype CI Plugin includes the installation of Insight. If for any reason you are unable to install via the plugin manager, you can download and install it manually. To download the Insight for CI plugin refer to our support site.

Configure the Insight for CI Plugin

  1. Open a project/job in Jenkins.
  2. Click Configure in the menu on the left; the configuration screen will display to the right of the menu.
  3. Look for the Post-build actions section and click the “Add post-build action” button.
  4. If you have purchased a subscription, enter your Application ID; otherwise, leave it blank.
  5. Scroll to the bottom of the configuration screen, and click the Save button.
  6. If you have not already done so, accept the EULA (Note: this only displays the first time you enable the plugin, future jobs will not have this prompt).
  7. After the next build for this job/project, you will see a “Latest Insight Scan” link with results of your scan.

Additional Project-level Configuration Options

For most users, the default configuration options are suitable. However, once you have enabled the Insight Post-build Scan option you can set additional parameters.
