Azure DevOps Nexus IQ Task - Scan Targets - Configuration unclear/incomplete

Sonatype Lifecycle & Repository Firewall
,
1

using: “Nexus IQ for Azure DevOps” v1.3.28 (classic mode)

Maybe someone could help me to understand how to configure the “Scan Targets” in the right way.

We have a node.js project which should be scanned. The following behave could be observed in the logs:

a) leaving “Scan Targets” empty
User input: scanTargetPatterns = **\*.jar, **\*.war, **\*.ear, **\*.zip, **\*.tar.gz
No files have been found to scan

b) entering “**”
User input: scanTargetPatterns = **
Scanned 16941 total files
additionally: as well “.git” folder is scanned

Also: no excludes are there (see below)

If we download manually the nexus cli scanner and use it, there are auto-excludes:

[INFO] Scan target: D:\Builds\xxxxxx\s\.
[INFO] Scan configuration properties:
[INFO]    dirExcludes=**/.*, **/CVS
[INFO]    dirIncludes=
[INFO]    fileExcludes=
[INFO]    fileIncludes=

Which raises more questions:

  1. Why are no auto-excludes in the Azure DevOps Task?
  2. How to configure excludes in the Azure DevOps Task?
2

Hey @jens.heidrich ,

Thanks for posting to the community. It seems your question has a lot in common with this idea. Take a look at Rishav’s answer, the team is currently working on the documentation to make Azure DevOps usage more clear.

1 Like