Nexus IQ for Azure DevOps not finding nupkg files

chris.boley · July 29, 2020, 10:35pm

I have a .net core application for which I’m trying to add Sonatype scanning. I have the following task definition running on an ubuntu Azure DevOps build agent:

- task: NexusIqPipelineTask@1
              displayName: "Sonatype Lifecycle Scan"
              inputs:
                nexusIqService: 'myConnection'
                applicationId: 'myApplication'
                stage: 'Build'
                scanTargets: '/home/vsts/.nuget/packages/**/*.nupkg'

I’ve been able to validate that all the packages are, in fact, restored to /home/vsts/.nuget/packages prior to this task’s execution. The task result is:

Starting: Sonatype Lifecycle Scan
==============================================================
Task         : Nexus IQ for Azure DevOps
Description  : The Nexus IQ for Azure DevOps extension provides full component intelligence and the ability to run policy against your application.
Version      : 1.2.6
Author       : SonatypeIntegrations
Help         : 
==============================================================
adca41d5-4b6d-4547-a21e-7c8c20eebb82 exists true
===============================================================
User input: applicationId = myApplication
User input: stage = Build
User input: scanTargetPatterns = /home/vsts/.nuget/packages/**/*.nupkg
User input: ignoreSystemError = false
User input: javaSystemProperties = null
==============================================================
Nexus IQ Endpoint: url = https://MyUrl/
Nexus IQ Endpoint: user = ***
===============================================================
##[error]No files have been found to scan
Document with latest policy results has been updated
Finishing: Sonatype Lifecycle Scan

Please advise on the correct syntax for the task to pick up .nupkg files.

Thanks!

shieldsjared · August 7, 2020, 2:22pm

Hi @chris.boley!

I just started testing out the task as well and had the same issue.

It appears that the extension has some interesting logic within it… While I didn’t look at it’s source, I did some investigation and based on the verbose output, I believe the extension is

Scanning the entire {Build.SourcesDirectory} directory
Looking for your file w/in that list (instead of simply looking for that path blindly)

In my case, I put my build artifacts into the {Build.ArtifactStagingDirectory} directory, and had to change things in my pipeline to keep the build artifact w/in the {Build.SourcesDirectory} and then reference that path before it would pickup my package…

We should submit a bug for this as it’s very limiting and presumptuous that we can only point to files w/in the sources directory of the pipeline. Hopefully that work around will work for you in the meantime.

iliu · October 7, 2020, 1:27am

I have the same issue with the Nexus IQ plugin for azure devops, anyone has any clue about how we can specify a path for scanning?

mpuglin · October 7, 2020, 5:51pm

The Scan Targets use ant-style patterns, and they’re applied to the root of the project, so if you’re trying to scan all JAR files under a certain folders, you can use a pattern like: target/**/*.jar.

We are aware of desire to include Build.ArtifactStagingDirectory in scan path and have created a ticket to address.

jflinchbaugh · October 21, 2020, 9:00pm

Nexus IQ for Azure DevOps Extension 1.2.10 now additionally scans the Build.ArtifactStagingDirectory for the scanTargets. Give it a try and let us know if it fixes it for you. Nexus IQ for Azure DevOps - Visual Studio Marketplace