Categorize your Lifecycle or Repository Java Components


Using your IQ server for a given organization, categorize all the components and build a summary report.

Basic Usage

For Nexus Lifecycle Users

In order to generate the Application Stack Analysis report, we will need to collect the inventory from your IQ Server using your IQ Server login. The downloaded client will connect to your IQ Server using the IQ Server rest APIs and will only have access to the data you have access to.

To see all the client options:

java -jar bom-client-1.12.jar -h

To generate an Application Stack Analysis report in one step:

java -jar bom-client-1.12.jar --iqUsername iq_user --iqUrl iq_server --reportingUsername portal_user --lifecycleStage develop|build|stage-release|release|operate --reportFileName

You will be prompted for your iqPassword and your portalPassword which are your IQ server and portal login passwords.

For Nexus Repository Pro Users

You will need to enable the RHC analysis from your repository manager by clicking the “ANALYZE” button. This will generate the an inventory for that proxied repository. If you don’t see the analyze button and you see “Health Check” numbers, the analysis has already been performed.

You will need to download a client jar that will extract the component inventory from the Nexus Repository Health Check (RHC) Report. The client will prompt you for your Nexus Repository credentials in order to access the RHC report.

The client jar is available on Google Drive:

java -jar healthcheck-transformer-all-1.0-SNAPSHOT.jar -s {nxrmServerUrlWithPort} -u {nxrmUsername} -p {nxrmPassword} -r {repositoryID} -o {output.json file}

You should be able to run the jar with command above, if you omit the password you will be prompted for one (in order to prevent screen watching).

The repository ID can be determined by last path parameter in the Repository Path. In the screenshot above, ours would be “central-proxy”.

For the server URL, you need to use the base URL of your Nexus Repository instance, so if it is hosted at the root of your domain, just https://{server}:{port}, but if it is nested it would be something like https://{server}:{port}/nexus.

If you are still having trouble, the client will accept a licenses.json file which can be downloaded from the Detailed Report. I’ve attached a screencast below as to how to get this JSON file.

In this case the proper command line arguments would be:

java -jar healthcheck-transformer-all-1.0-SNAPSHOT.jar -l {licenses.json file} -o {output.json file}

Once you have output json file, you will need to submit the file to the Sonatype Report Service to generate the Application Stack Analysis report. To save/send the collected inventory in two steps to generate a report:

java -jar bom-client-1.12.jar --sendPayloadFile output.json --reportingUsername portal_user --reportFileName ./

You will be prompted for your reportingPassword which is your portal login password.


Version 1.12 released March 5, 2019

You will need your SE or CSE to access the jar file until LDAP access is added

Sonatype Categorization Client


A complete list of the taxonomy is here: Category Taxonomy.pdf (57.5 KB)


Please answer the poll questions or leave a comment on the thread. All comments are visible to customers and Sonatype.

  • Was the category taxonomy meaningful
  • Would you like to see project categories
  • Would you like to see component categories
  • Was the summary view with risk rollup for the category useful

0 voters

1 Like

I downloaded this and tested it against my demo instance. When I drill down into a category, I get a list of components that are under various categories

The first level of drill down is a bit confusing. What you are seeing is a combined view of Component and Project categories. We realized we needed separate Component and Project views but did not have the time to create the two different views.

  • Sort by category on this page. The items that have the same category as you select are the PROJECTS in that category. The other items in the list are COMPONENTS in that category.

  • PROJECT - log4j is a logging project

  • COMPONENT - com.codahale.metrics:metrics-logback is a logging component in an analytics project

  • Project Health and Maturity - Are hardcoded values and have no real meaning other than a talking point for making a decision based on poor health or maturity.

Thank you for the explanation that makes sense!

1 Like