Add ability for Maven Plugin to create an application in a given organization

I have a case where our NXIQ is broken into multiple Orgs under the Root. These orgs have different requirements and therefore policy levels, so we have slightly different policies on each org. We have new applications spring up with some regularity and so have configured the “Auto-create application” option in the server.

Unfortunately, this means that we need to upload all new applications to a common org as a “dumping ground” with a lowest-common-denominator policy before manually transferring them to the correct org (and the correct policy). This means that the initial upload goes to the wrong org with potentially the wrong policy.

My ask is to allow the Maven plugin to be configured to have an Org or OrgID passed in, and the plugin will create the application in the correct org (if it doesn’t exist) and then scan against the correct org’s policy. Without this, we can’t put our apps into a blocking mode as the first scan is always non-blocking, but subsequent ones may be, and we have to frequently check in with NXIQ to see new applications.

I will lay odds that this change may also require that an API user that is set up for scanning apps in a CI/CD pipeline would need the Create Apps permission, or you would need to move the “Auto-create” switch into a role, rather than a global configuration.


Thanks for the input, Chris. I understand how this can be painful, and solving it is within our vision. At this time it’s out of scope for our 2019 roadmap.

The IQ server API can test if an application is not already loaded and add it to the organization of your choosing. You would need to run a script before you scan with the Maven plugin, but it should solve your issue. Here is an example you could work from.
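The pre-scan step described in the reply above, as an added example (not the snippet that reply refers to, and not Sonatype's code): it looks up the application by public ID, creates it in the named organization if it is missing, and refuses to continue if it already exists under a different organization, so the first scan is never evaluated against the wrong policy. It assumes the IQ Server REST API v2 endpoints `/api/v2/applications` and `/api/v2/organizations` with basic auth; the function names and the `IQ_URL`, `IQ_USER` and `IQ_PASS` environment variables are hypothetical.

```python
import base64
import json
import os
import sys
import urllib.parse
import urllib.request


def iq_client(base_url, user, password):
    """Return call(method, path, body=None) that talks JSON to IQ Server."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token,
               "Content-Type": "application/json"}

    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                     method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return call


def ensure_application(call, public_id, org_name, app_name=None):
    """Make sure public_id exists under org_name; return (app, created)."""
    orgs = {o["name"]: o["id"]
            for o in call("GET", "/api/v2/organizations")["organizations"]}
    if org_name not in orgs:
        raise LookupError(f"organization {org_name!r} not found")
    query = urllib.parse.urlencode({"publicId": public_id})
    found = call("GET", "/api/v2/applications?" + query)["applications"]
    if found:
        if found[0]["organizationId"] != orgs[org_name]:
            # Fail closed: scanning now would apply another org's policy.
            raise RuntimeError(f"{public_id} exists in a different organization")
        return found[0], False
    body = {"publicId": public_id, "name": app_name or public_id,
            "organizationId": orgs[org_name]}
    return call("POST", "/api/v2/applications", body), True


if __name__ == "__main__":
    # Usage: ensure_app.py <publicId> <organization name>
    call = iq_client(os.environ["IQ_URL"], os.environ["IQ_USER"],
                     os.environ["IQ_PASS"])
    app, created = ensure_application(call, sys.argv[1], sys.argv[2])
    print(("created " if created else "exists ") + app["publicId"])
```

Run it as a pipeline step before the Maven plugin scan. The account it uses needs permission to create applications in the target organization only, which keeps the CI credential narrower than a server-wide auto-create setting.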

Thanks both. I hope that Sonatype considers this in the future as it makes the CI/CD process a bunch cleaner.

Chris, thanks for the snippet. We built something similar for our case, though it does feel like a hack to make up for an incomplete automation process. I really appreciate you taking the time to make and send this.