Thanks for choosing Insight for CI. This page highlights the features of the plugin and helps you get up and running as quickly as possible. For information regarding other Sonatype products, please visit our site at www.sonatype.com.
Note: Installation of the Insight Plugin is available through the Plugin Manager. If you experience difficulty, you can download the plugin directly from our support site.
The Sonatype team is committed to making the best products possible. We know that begins with feedback from you. If you have any comments or questions, please contact us or submit feedback through our support site.
The latest release adds a new Key Findings area to the summary page, as well as the ability to export the report to PDF.
Insight for CI analyzes every component in every build, including dependencies, to help you find and fix license, security and quality problems quickly.
Note: Basic information is provided at no charge. However, to access detailed information for your components, including specifics about security vulnerabilities and license issues, as well as the Audit functionality, you will need to purchase a subscription to Insight for CI. For more information refer to the Insight product page.
Once you have installed and configured the Insight Plugin, and built your project at least once since configuring it, new icons will be present. In the main projects view, you will notice shield and badge icons at the end of each project's row. Clicking on these icons will take you to the Insight report.
In addition, if you are viewing a current project page, you will see the Insight Plugin link, as well as the badge and security icons with associated counts.
At build time, Insight will display the status of your open source components in an easy-to-read report. The first section, Key Findings, displays the three highest-rated security vulnerabilities found during the scan. In addition, your scan will include detailed information regarding all other security vulnerabilities, as well as any license issues that may have been identified. It is important to note that the report includes not only components that match a public component exactly, but also those that are similar to one.
Each time you build your project, Insight will perform an analysis and return the most up-to-date, detailed component information. This includes showing the components within the application and their match state against public components. To drill down even deeper, take a look at the Component Information Panel, or CIP, on the three main tabs (Components, Security, and License). The CIP lists information about the component and a visualization of version popularity, together with license and security details for all versions of the component.
Prior to running your build, you can configure Insight to take action if security vulnerabilities are found. Specifically, you can fail builds when components have known security vulnerabilities.
When security vulnerabilities or license issues are identified within your project, you can track the status of these issues, as well as add detailed notes and comments. This allows you or your team to review the history of any audits made, as well as allow builds to pass if a particular issue does not affect your project.
If you have paid for a subscription, you will have access to your data on the Security and License tabs of the report. On the Security tab you can get detailed information about any vulnerabilities, as well as track the status of any ongoing or completed research. The status of a vulnerability can be set to Open, Acknowledge, Not Applicable, or Confirmed. In addition, you can add any associated notes, which will also be recorded in the Audit log. It is important to note that if you are using the option to fail the build when a vulnerability is present, only the Not Applicable option will reduce the overall security count.
If you have paid for a subscription, you will have access to your data on the Security and License tabs of the report. On the License tab, you can get detailed information about any declared licenses (found in the POM) or observed licenses (those associated with sources), as well as track the status of any ongoing or completed research. The status of a license issue can be set to Open, Acknowledged, Overridden, or Confirmed. Overriding the license will reduce the license issue count displayed on the summary and place the license issue at the bottom of the grid. This can always be "undone" by changing the status back to Open. All changes are tracked and can be reviewed via the Audit Log.
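The following Python model illustrates how the audit statuses described above interact with the fail-the-build option: only Not Applicable removes a vulnerability from the security count that the build gate uses, only Overridden reduces the license count (and sinks that row to the bottom of the grid), and every status change is written to an audit log. This is an added example, not Sonatype's code or the plugin's data model; the class and function names, the `fail_on_vulnerabilities` flag and the sample findings (with placeholder identifiers) are constructed for this illustration.

```python
"""Model of the Insight for CI audit statuses and the fail-the-build gate.

Added illustration, not Sonatype's code. The status names and the rules
(only "Not Applicable" reduces the security count; "Overridden" reduces the
license count and moves the row to the bottom of the grid; every change is
recorded in the audit log) come from the documentation. The data structures,
function names and sample findings are constructed for this example.
"""
from dataclasses import dataclass, field

# Status vocabularies as documented for the Security and License tabs.
SECURITY_STATUSES = {"Open", "Acknowledge", "Not Applicable", "Confirmed"}
LICENSE_STATUSES = {"Open", "Acknowledged", "Overridden", "Confirmed"}


@dataclass
class Finding:
    component: str
    kind: str          # "security" or "license"
    detail: str        # vulnerability id or license name (constructed values)
    status: str = "Open"
    notes: list = field(default_factory=list)


@dataclass
class Report:
    findings: list
    audit_log: list = field(default_factory=list)

    def set_status(self, finding, new_status, note, user):
        """Change a finding's status, attach a note and record the change."""
        allowed = SECURITY_STATUSES if finding.kind == "security" else LICENSE_STATUSES
        if new_status not in allowed:
            raise ValueError(f"{new_status!r} is not a valid {finding.kind} status")
        old = finding.status
        finding.status = new_status
        finding.notes.append(note)
        # Every change is logged so the team can review the audit history later.
        self.audit_log.append((user, finding.component, finding.detail, old, new_status, note))

    def security_count(self):
        # Only "Not Applicable" removes a vulnerability from the count the
        # fail-the-build option uses; Acknowledge and Confirmed still count.
        return sum(1 for f in self.findings
                   if f.kind == "security" and f.status != "Not Applicable")

    def license_count(self):
        # Only "Overridden" reduces the license issue count on the summary.
        return sum(1 for f in self.findings
                   if f.kind == "license" and f.status != "Overridden")

    def license_grid(self):
        # Overridden issues are shown at the bottom of the grid (stable sort).
        rows = [f for f in self.findings if f.kind == "license"]
        return sorted(rows, key=lambda f: f.status == "Overridden")

    def build_passes(self, fail_on_vulnerabilities=True):
        """Hypothetical gate: with the fail option on, any counted vuln fails the build."""
        if not fail_on_vulnerabilities:
            return True
        return self.security_count() == 0


def sample_report():
    """Constructed findings for the demo; identifiers are placeholders."""
    return Report(findings=[
        Finding("commons-example", "security", "VULN-PLACEHOLDER-1"),
        Finding("commons-example", "security", "VULN-PLACEHOLDER-2"),
        Finding("logger-example", "license", "GPL-3.0 (observed)"),
        Finding("util-example", "license", "LGPL-2.1 (declared)"),
    ])


if __name__ == "__main__":
    r = sample_report()
    print("before triage: passes?", r.build_passes())   # False
    r.set_status(r.findings[0], "Acknowledge", "investigating", "alice")
    print("acknowledged: passes?", r.build_passes())    # still False
    r.set_status(r.findings[0], "Not Applicable", "affected code path not reachable", "alice")
    r.set_status(r.findings[1], "Not Applicable", "component not shipped", "bob")
    print("after triage: passes?", r.build_passes())    # True
    r.set_status(r.findings[2], "Overridden", "commercial license obtained", "bob")
    print("license count:", r.license_count(), [f.detail for f in r.license_grid()])
    print("audit entries:", len(r.audit_log))           # 4
```

The point a reviewer should take from the model is that Acknowledge and Confirmed do not change the gate's outcome; only a Not Applicable decision does, and each such decision leaves an audit-log entry naming who made it and why.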
Insight for Jenkins allows you to export the current report to PDF. This can be useful for archival purposes, as well as for distributing the report to other members of your team more easily. The summary report is visually similar to the report in Jenkins, and includes:
Note: PDF generation may require additional JVM PermGen memory. In our testing, a Sun 1.7 64-bit JVM appears to default to 85 MB of PermGen, and occasionally we hit that limit. If you plan on using the PDF export feature, you will want to consider the additional memory needed for your CI installation.
Note: Installing the Sonatype CI Plugin includes the installation of Insight. If for any reason you are unable to install via the plugin manager, you can download and install it manually. To download the Insight for CI plugin refer to our support site.
For most users, the default configuration options are suitable. However, once you have enabled the Insight Post-build Scan option you can set additional parameters.