 

Correct usage of Nexus IQ for JavaScript-based projects

Tags:

jenkins

nexus

I have just started out trying to use Nexus IQ server to scan a JavaScript-based project of mine which uses libraries from npm and bower.

I am using the Jenkins Nexus Platform Plugin and have configured a build step to connect to our Nexus IQ server instance. As part of the plugin I have configured it to scan for JavaScript files within the locations of the built project where the npm and bower dependencies are installed to.

The final report that gets generated on our Nexus IQ server is huge; in fact it reaches the limit of results it can display (10,000 rows) and so is unable to display everything it finds.

I'm not 100% sure if I am doing things right here, and wondered whether anyone else out there has any experience of how to get sensible results from Nexus when scanning npm/bower-installed dependencies.

I'm looking at the Licence Analysis section now and can see over 3000 rows of various 'Not supported' licence threats coming from libraries that haven't directly been included in the project (e.g. listed in my project's package.json file), but I guess these are child dependencies of libraries I have specified to be installed.

Can anyone offer any advice on the best approach to getting Nexus IQ to handle JavaScript projects that rely on npm/bower dependencies?

mindparse asked Mar 03 '26 15:03


1 Answer

All that Nexus IQ needs to analyse a project is:

  • package-lock.json to identify all dependencies, including transitive ones
  • optionally: package.json to build a dependency tree (not available otherwise)

That's enough to provide when performing the manual action Evaluate a file on an application.

For the Jenkins plugin step, configure it e.g. as follows:

    // Pipeline-step form of the Nexus Platform Plugin evaluation: hand Nexus IQ
    // only the manifests, not the contents of node_modules / bower_components
    nexusPolicyEvaluation(
        iqApplication: 'SampApp',   // application ID as defined in Nexus IQ
        iqStage: 'build',           // IQ lifecycle stage the report is filed under
        iqScanPatterns: [
            [ scanPattern: '**/package-lock.json' ],  // all dependencies, including transitive ones
            [ scanPattern: '**/package.json' ]        // lets IQ build the dependency tree
        ])

See: Steps to analyze using the Jenkins plugin

charlie answered Mar 05 '26 15:03


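To see why a lockfile-based report lists far more rows than package.json, and to answer the asker's "which of my dependencies dragged this unlicensed package in?" question, here is an added example that is not code from the page, from the answerer, or from Sonatype. It rebuilds the direct/transitive dependency tree from package.json plus a lockfileVersion 2/3 package-lock.json (the "packages" map keyed by install path), using npm's nearest-node_modules resolution rule; v1 lockfiles with nested "dependencies" are not handled, and the two manifests below are constructed sample data, not a real project.

```javascript
// Added example, not code from the page or from Sonatype: rebuild the direct /
// transitive dependency tree that Nexus IQ derives from package.json plus
// package-lock.json, so you can see why the report is far larger than package.json
// and which direct dependency pulled a flagged package in.
// Handles lockfileVersion 2/3 ("packages" keyed by install path); v1 lockfiles
// (nested "dependencies") are not handled. Both manifests below are constructed.

const packageJson = {
  name: "sample-app",
  dependencies: { "pkg-a": "^1.0.0", "pkg-b": "^2.0.0" },
  devDependencies: { "tool-c": "^3.0.0" },
};

const packageLock = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: packageJson.dependencies, devDependencies: packageJson.devDependencies },
    "node_modules/pkg-a":  { version: "1.2.0", license: "MIT",        dependencies: { "util-x": "^1.0.0" } },
    "node_modules/pkg-b":  { version: "2.0.1", license: "Apache-2.0", dependencies: { "util-x": "^2.0.0", "util-y": "^1.0.0" } },
    "node_modules/util-x": { version: "1.5.0", license: "MIT" },
    // pkg-b needs a different major of util-x, so npm nests a second copy under it
    "node_modules/pkg-b/node_modules/util-x": { version: "2.1.0", license: "ISC" },
    "node_modules/util-y": { version: "1.0.0", license: "UNLICENSED" },
    "node_modules/tool-c": { version: "3.0.0", license: "MIT", dev: true, dependencies: { "util-y": "^1.0.0" } },
  },
};

// npm's resolution rule: from the requiring package's install path, look for
// <path>/node_modules/<name>, then walk up one node_modules level at a time.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const up = base.lastIndexOf("/node_modules/");
    base = up === -1 ? "" : base.slice(0, up);
  }
}

// Walk from every entry in package.json, recording for each installed package
// which direct dependency (root) introduced it. Returns one node per install
// path, so two versions of the same name are two rows, as in the IQ report.
function buildTree(pkgJson, lock) {
  if (!lock.packages) throw new Error("expected a lockfileVersion 2 or 3 package-lock.json");
  const packages = lock.packages;
  const directNames = Object.keys({ ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) });
  const nodes = new Map();
  const missing = [];
  const seen = new Set();

  function walk(fromPath, name, root) {
    const path = resolveDep(packages, fromPath, name);
    if (path === null) {
      missing.push(`${name} (required by ${fromPath || "root"})`); // lockfile out of sync
      return;
    }
    const key = root + "|" + path;
    if (seen.has(key)) return; // already reached this install path via this root
    seen.add(key);
    let node = nodes.get(path);
    if (!node) {
      const meta = packages[path];
      node = {
        name,
        path,
        version: meta.version,
        license: meta.license || "UNKNOWN",
        direct: path === "node_modules/" + name && directNames.includes(name),
        introducedBy: new Set(),
      };
      nodes.set(path, node);
    }
    node.introducedBy.add(root);
    for (const dep of Object.keys(packages[path].dependencies || {})) walk(path, dep, root);
  }

  for (const name of directNames) walk("", name, name);
  return { nodes: [...nodes.values()], missing };
}

function summarize(tree) {
  const byLicense = {};
  for (const n of tree.nodes) byLicense[n.license] = (byLicense[n.license] || 0) + 1;
  return {
    total: tree.nodes.length,
    direct: tree.nodes.filter((n) => n.direct).length,
    transitive: tree.nodes.filter((n) => !n.direct).length,
    byLicense,
  };
}

// Answer "why is X in my report when it is not in package.json?"
function whoPulledIn(tree, name) {
  const roots = new Set();
  for (const n of tree.nodes) if (n.name === name) for (const r of n.introducedBy) roots.add(r);
  return [...roots].sort();
}

const tree = buildTree(packageJson, packageLock);
console.log(summarize(tree));
for (const n of tree.nodes) {
  if (!n.direct) console.log(`${n.name}@${n.version} (${n.license}) pulled in by ${[...n.introducedBy].sort().join(", ")}`);
}
```

Run it with node against a real project by replacing the two constants with `JSON.parse(fs.readFileSync(...))` of your own manifests; `missing` being non-empty means package.json and package-lock.json are out of sync, which is also the first thing to fix when an IQ evaluation of the manifests looks incomplete.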
