A plugin for integrating Nexus Repository Manager and Nexus Lifecycle into a Jenkins job. Information about using the plugin can be found in Nexus Platform Plugin for Jenkins.
Please use the links below to find information about using the plugin with your desired software.
- Add support for scanning SPDX version 2.3 files.
- Provide latest features for Nexus Lifecycle 1.166.0-01.
- Add support for scanning Java class binaries produced by Java 19 and 20.
- Provide latest features for Nexus Lifecycle 1.165.0-01.
- Provide latest features for Nexus Lifecycle 1.164.0-01.
- Provide latest features for Nexus Lifecycle 1.163.0-01.
- Add full support for Java 17
- Provide latest features for Nexus Lifecycle 1.162.0-01.
- Provide latest features for Nexus Lifecycle 1.161.0-01.
- Provide latest features for Nexus Lifecycle 1.160.0-01.
- Provide latest features for Nexus Lifecycle 1.159.0-01.
- For remote image scanning, the environment variables NEXUS_CONTAINER_IMAGE_REGISTRY_USER and NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD are now optional for public images.
- Provide latest features for Nexus Lifecycle 1.158.0-01.
- Provide latest features for Nexus Lifecycle 1.156.0-01.
- Provide latest features for Nexus Lifecycle 1.155.0-01.
- Provide latest features for Nexus Lifecycle 1.153.0-01.
- Provide latest features for Nexus Lifecycle 1.152.0-01.
- Remove support for scanning IaC targets.
- Provide latest features for Nexus Lifecycle 1.151.0-01.
- Scanning local images no longer requires any environment variables.
- To scan remote images, the user now only has to provide these variables:
  - NEXUS_CONTAINER_IMAGE_REGISTRY_USER
  - NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD
- Provide latest features for Nexus Lifecycle 1.150.0-01.
- Fix for an edge case where the policy evaluation pipeline stage is marked UNSTABLE even though no policy violations are present.
- Provide latest features for Nexus Lifecycle 1.149.0-01.
- Provide latest features for Nexus Lifecycle 1.147.0-01.
- Provide latest features for Nexus Lifecycle 1.146.0-01.
- Policy evaluation stage is marked according to policy actions.
- Fix dependency conflict with certain versions of the credentials plugin.
- Provide latest features for Nexus Lifecycle 1.145.0-01.
- Add the organization ID parameter, used for automatic IQ apps
- Fixing Nexus IQ Build Report to properly show the icon for "notify" actions
- Provide latest features for Nexus Lifecycle 1.144.0-05.
- Using lightweight Nexus Java API to reduce complexity on class loading for the plugin
- Provide latest features for Nexus Lifecycle 1.143.0-01.
- Improving summary message for policy evaluations
- Provide latest features for Nexus Lifecycle 1.142.0-02.
- Provide latest features for Nexus Lifecycle 1.141.0-01.
- Provide latest features for Nexus Lifecycle 1.139.0-01.
- Provide latest features for Nexus Lifecycle 1.138.0-01.
- Provide latest features for Nexus Lifecycle 1.137.0-05.
- Provide latest features for Nexus Lifecycle 1.136.0-01.
- Add support for scanning Java class binaries produced by Java 18.
- Fix an IllegalAccessError that prevented the plugin from running properly in certain cases.
- Fix a NoSuchMethodError exception that prevented the plugin from running in certain cases.
- Provide latest features for Nexus Lifecycle 1.135.0-01.
- Provide latest features for Nexus Lifecycle 1.134.0-02.
- Provide latest features for Nexus Lifecycle 1.133.0-02.
- Reduce logging on INFO level
- Provide the latest features for Nexus Lifecycle 132
- Bug Fix for False Positives in Image Scans
- Added support for scanning IaC targets
- Conda Matching Improvements
- Cran and Cargo Matching Improvements
- Updated the minimum required Jenkins version to 2.249.1
- Removed obsolete dependencies
- Added support for multiple Nexus IQ Servers.
- Fixed java.lang.NoClassDefFoundError: io/jenkins/cli/shaded/org/xml/sax/ContentHandler.
- Added support for scanning Java class binaries produced by Java 17.
- Added support for using environment variables and credentials for required values for container scanning
- Made the workspace temp folder the default mount folder for nexus container analysis
- Bug fixes
- NPM manifest file scans now include dependency information and can identify InnerSource components
- Made mount folder for nexus container analysis customisable
- Made default mount folder /tmp for nexus container analysis
- Improvements in log statements for nexus container analysis
- Bug fixes
- Handle yarn v2 files
- Exclude package-lock.json in favour of npm-shrinkwrap.json
- Bug fixes
- Add change log for 3.11.20210716-075132.3b66565 (July 16, 2021)
- Add support for nexus container analysis
- Make build unstable on scan error
- Delete temp files from scan after eval
- Send licensed features into the scanner
- Fix runtime error due to stax2 conflict
- Add jenkins version to user agent
- Added support for scanning Java class binaries produced by Java 16.
- Fix XStream parser error when scanning nuget manifests
- Fix a regression in configuring the Policy Evaluation task in the UI.
- Added scanning and application/package analysis support for Java using a pom.xml or build.gradle file.
- Added a Global Configuration option to remove direct IQ reporting of policy violations from Jenkins.
- Update the resultant structure to include the nested dependencies to form a dependency tree when scanning a module.xml file.
- Added scanning and application/package analysis support for the following ecosystems:
  - NPM using files: yarn.lock, pnpm-lock.yaml, package-lock.json, npm-shrinkwrap.json
  - Nuget using a packages.config file or .csproj files
- Added support for running the plugin with Java 11 and 14.
- Added support for scanning Java class binaries produced by Java 14 and 15.
- Added flag to enable debug logging.
- Added scanning and application/package analysis support for Conan using a conaninfo.txt file (in addition to the files conanfile.txt and conanfile.py).
- Added scanning and application/package analysis support for Golang using a go.list file (in addition to the file go.sum).
- Added scanning and application/package analysis support for the following ecosystems:
  - Alpine
  - Conda
  - Debian
  - Drupal
  - R (Cran)
  - Rust (Cargo)
  - Swift (Cocoapods)
  - Yum
- Use policy violation counts instead of component counts in the policy evaluation summary
- Fixed an issue with y-axis labels on the new trend graph
- Fix to ensure that all Nexus IQ for SCM logging goes to the build log instead of the server log
- Fix additional marshalling issue with new trend graph
- Fix marshalling issue with new trend graph
- Fix issue with y-axis number on new trend graph
- Add Nexus IQ Build Report which shows details for warn/fail vulnerabilities
- Support slave nodes for automatic repository URL discovery for usage with Nexus IQ for SCM
- Add trend graph to a Pipeline, which depicts the information about the last 5 builds with critical, severe and moderate violation numbers
- Support to scan and evaluate Clair identified container dependencies
- Support to scan and evaluate identified dependencies from a CycloneDX SBOM file
- Support for automatically deducing the repository URL for usage with Nexus IQ for SCM
- Support for automatically deducing git commit hash for usage with Nexus IQ for SCM
- Nexus IQ 1.69 or newer is a required upgrade to use the Nexus Platform Plugin
- Support for Scanning Go Modules
- Mitigate IQ Server Client Timeouts
- Add messages about Nexus Vulnerability Scanner to the plugin
- Add ability to provide custom/advanced properties to IQ scanner
- Fix for environmental variables not getting resolved in the tags field
- Support for Java 12 IQ evaluations
- Support for Scanning Python Wheel Packages
- Support for Java 10, 11 IQ evaluations
- Support for Python coordinate detection via requirements.txt files
- Support for multiple policy evaluations per Jenkins job
- Added application name and IQ stage to the entries in the build results
- Renamed the "Application Composition Report" to "Nexus IQ Policy Evaluation"
- [Fixed] Could not connect to Nexus Repository servers exposed over HTTPS
- [Fixed] Proxy settings were not respected when verifying connection to Nexus Repository
- [Fixed] IQ application list incorrect for jobs configured to use job specific credentials
- [Fixed] Environment variables weren't expanded for manual application IDs
- [Fixed] When configuring the 'Invoke Nexus Policy Evaluation' build step, the 'module excludes' field is not persisted on save.
- [Fixed] Jenkins Platform Plugin unable to determine Nexus Repository Manager version using Server URL with trailing slash
- [Fixed] Jenkins plugin fails requests when Nexus is not at base context path
- Add link to plugin documentation for NXRM3 to readme
- The plugin will now emit a warning when the scanner encounters an invalid JAR file:
"[WARN] Could not open some.jar as an archive. Will scan it as regular file."
- Nexus IQ 1.50 or newer is a required upgrade to use the Nexus Platform Plugin
- Support for Nexus IQ Policy Violation Grandfathering.
- Fixed snippet generation.
- New build step available for tag association
- Move components using NXRM3 search criteria from Pipeline
- Added support of Nexus Repository Manager 3.13.0-01 servers for Maven component uploads, and new staging features (for Pro versions): tags, move, and delete.
Please see Nexus Platform Plugin for Jenkins for more details.
- Fixes for recording of component occurrences
- Log additions for automatic application creation
- UI fixes for chiclet style on older versions of Jenkins
- Nexus IQ 1.47 or newer is a required upgrade to use the Nexus Platform Plugin
- Support for Nexus IQ automatic application creation
- Pipeline jobs using the plugin will now fail during execution if a policy action is set to fail the build. This is different from previous behavior, which would set the build result to failure but allow the build to continue. This adopts standard practice for Jenkins pipeline plugins and allows more visibility into what has failed and why. Pipelines that require continuation of the build will have to surround the plugin step with try/catch, where the evaluation information is now wrapped in the exception argument.
- The pipeline step has always returned a model for the evaluation containing information about the results. The ApplicationPolicyEvaluation will no longer include a boolean for reevaluation, therefore calls to get or set this will fail. The Jenkins pipeline has never supported reevaluation and this boolean has always returned false. For simplification, it has been removed.
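The two entries above describe the fail-fast behaviour of the pipeline step. The scripted Pipeline below is an added example, not code from the plugin or its documentation: it uses the plugin's nexusPolicyEvaluation step with its iqApplication and iqStage parameters, catches the failure so later stages can still run, and records the outcome on the build. The application ID 'sample-app' and the applicationCompositionReportUrl field read from the returned model are assumptions for illustration.

```groovy
// Added example (not the plugin's own code): keep a Pipeline running after a
// policy action set to FAIL, which now throws instead of only marking the build.
node {
    stage('Build') {
        checkout scm
        sh 'mvn -B -DskipTests package'
    }
    stage('Policy Evaluation') {
        def evaluation = null
        try {
            // Returns the ApplicationPolicyEvaluation model when no FAIL action fires.
            // 'sample-app' is an assumed IQ application ID.
            evaluation = nexusPolicyEvaluation iqApplication: 'sample-app',
                                               iqStage: 'build'
            // Field name assumed for illustration.
            echo "Policy report: ${evaluation.applicationCompositionReportUrl}"
        } catch (err) {
            // The evaluation details now travel on the exception; the message
            // carries the summary. Downgrade to UNSTABLE so the build continues
            // but the violation stays visible in the build result.
            echo "Policy evaluation failed the build: ${err.message}"
            currentBuild.result = 'UNSTABLE'
        }
    }
    stage('Deploy') {
        // Gate later work on the recorded result rather than on the exception.
        if (currentBuild.result == 'UNSTABLE') {
            echo 'Skipping deploy: policy evaluation reported a FAIL action'
        } else {
            echo 'Deploying artifact'
        }
    }
}
```

Without the try/catch, the step's exception ends the Pipeline at the Policy Evaluation stage, which is the intended default.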
- Module.xml evaluation support. The Nexus Platform Plugin for Jenkins now supports policy evaluations against results generated by the clm-maven-plugin index goal. The new plugin will scan module.xml files available in '/sonatype-clm/module.xml', '/nexus-iq/module.xml' and will support module exclude patterns to exclude these files if desired.
- Fix for directory structure of JavaScript files scanned by the plugin
- No longer requires optional parameters to be declared in declarative pipelines
- All users can now select credentials for jobs as long as they have the appropriate permissions to configure the job and view the credentials
- Whitelist updates to support JEP-200
- Support for Java 9 IQ evaluations
- Update upstream dependencies to consume latest IQ server Application Evaluation result
- Fix for throwing serializable exception upon client exception
- Support for Docker image evaluations
- Support for credentials in Folder stores
- Support for Certificate credentials through the Credentials Plugin
- Support for Nexus Publish when remote agent is used for build.
- Fix for connection pool saturation when publishing many components.
- Initial release to the Jenkins Update Center.
Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
This program is licensed to you under the Apache License Version 2.0,
and you may not use this file except in compliance with the Apache License Version 2.0.
You may obtain a copy of the Apache License Version 2.0 at http://www.apache.org/licenses/LICENSE-2.0.
Unless required by applicable law or agreed to in writing,
software distributed under the Apache License Version 2.0 is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the Apache License Version 2.0 for the specific language governing permissions and limitations there under.