SBOM scan does not generate a report

Description:
We have a centralized CI pipeline (Azure DevOps) set up that runs across our solutions. As part of the CI process, we perform a Sonatype scan using the NexusIqPipelineTask. The task is pointed, via the scanTargets property, at the SBOM file that is produced earlier in the process.

Problem:
In a specific case, the process diverges:

  • The SBOM file is successfully generated and contains the expected dependency information.
  • However, the NexusIqPipelineTask step generates an empty report and no components are identified.

Observed Behavior:

  • SBOM file exists and appears correct (we can see the expected dependencies).
  • NexusIQ report is empty; no components or vulnerabilities are identified.
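A pre-flight gate for the SBOM before it is handed to the scanner step, as an added example that is not part of the original post or of Sonatype's own tooling. It assumes the SBOM is CycloneDX JSON (the post does not say which format is produced), and the sample document embedded below is constructed for illustration. The check fails the pipeline step when the file is not parseable, is not CycloneDX, or carries no components, and it reports components that lack a package URL, which is the identifier a scanner normally matches on.

```python
"""Pre-flight check of a CycloneDX JSON SBOM before a scanner step.

Added example, not code from the original post. Assumption: the SBOM is
CycloneDX JSON; SAMPLE_SBOM below is a constructed document, not real data.
"""
import json
import sys
from dataclasses import dataclass, field

# Constructed sample: a minimal CycloneDX 1.4 JSON SBOM with one nested component.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.1",
     "purl": "pkg:nuget/Newtonsoft.Json@13.0.1"},
    {"type": "library", "name": "log4net", "version": "2.0.15",
     "purl": "pkg:nuget/log4net@2.0.15",
     "components": [
       {"type": "library", "name": "System.Memory", "version": "4.5.5"}
     ]}
  ]
}
"""


@dataclass
class SbomCheck:
    ok: bool                     # True when the scanner has something to work with
    component_count: int         # components found, nested ones included
    purl_count: int              # components carrying a package URL
    errors: list = field(default_factory=list)    # conditions that fail the gate
    warnings: list = field(default_factory=list)  # conditions worth a look


def _walk(components, found, purls, warnings):
    """Count components recursively; CycloneDX allows nested 'components'."""
    for entry in components:
        if not isinstance(entry, dict) or not entry.get("name"):
            warnings.append("component entry without a name skipped")
            continue
        found.append(entry["name"])
        if entry.get("purl"):
            purls.append(entry["purl"])
        else:
            warnings.append(f"{entry['name']}: no purl, scanner must fall back to other identifiers")
        nested = entry.get("components")
        if isinstance(nested, list):
            _walk(nested, found, purls, warnings)


def check_sbom(text: str) -> SbomCheck:
    """Return an SbomCheck describing whether the SBOM is worth scanning."""
    errors, warnings, found, purls = [], [], [], []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return SbomCheck(False, 0, 0, [f"not valid JSON: {exc}"], warnings)
    if not isinstance(doc, dict):
        return SbomCheck(False, 0, 0, ["top-level value is not a JSON object"], warnings)
    if doc.get("bomFormat") != "CycloneDX":
        errors.append(f"bomFormat is {doc.get('bomFormat')!r}, expected 'CycloneDX'")
    if not doc.get("specVersion"):
        errors.append("specVersion is missing")
    components = doc.get("components")
    if not isinstance(components, list) or not components:
        errors.append("no components listed; the scan report would be empty")
    else:
        _walk(components, found, purls, warnings)
        if not found:
            errors.append("components array contains no usable entries")
    return SbomCheck(not errors, len(found), len(purls), errors, warnings)


if __name__ == "__main__":
    # Usage in a pipeline: python check_sbom.py path/to/bom.json ; exit 1 blocks the scan step.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    result = check_sbom(source)
    print(f"components={result.component_count} purls={result.purl_count}")
    for line in result.errors:
        print("ERROR:", line)
    for line in result.warnings:
        print("WARN:", line)
    sys.exit(0 if result.ok else 1)
```

Running the gate on the sample counts three components (two top-level plus the nested one), two of them with a purl, and passes; an SBOM with an empty components array or a malformed file fails the step before the scanner is ever invoked, which separates "the SBOM is empty" from "the scanner ignored a good SBOM", the distinction the post is trying to make.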
AFAIK, this is not supported via the nexus-iq-cli yet; you need to call the API directly:
https://help.sonatype.com/en/third-party-scan-rest-api.html

Hi, Fabio!

Since you have Lifecycle, you’re a Sonatype customer, which means you’re entitled to support from our Support team. An empty report is definitely something they can help you with; if you haven’t resolved the issue yet, I’d suggest opening a support ticket.

Thanks both, this has since been solved by using the latest version of the Nexus task.