NexusIQ Maven evaluate Skipping Designated sub-modules

I’d like to run a NexusIQ scan on each Java build regardless of whether the build is run on a developer’s machine or from a CI tool. This allows a developer to reproduce results generated from a CI tool on his local machine as well as detect/fix issues before committing to source control.

I attempted to use the NexusIQ Maven plugin to accomplish this. However, I have many multi-module projects where some of the sub-modules consist entirely of test code which is not marked as such. I added the clm.skip=true property to these sub-modules and ran the Maven plugin from the project root. Unfortunately the results included vulnerabilities from the sub-modules marked for skip.

I need a means to run the evaluation goal of the Maven plugin and skip any sub-modules marked for skipping.

Hi Jeff.

clm.skip is used to skip the entire execution from wherever the plugin was invoked. It’s useful to temporarily skip the run.

There is a way to exclude certain modules, see our documentation on Excluding Module Information Files in Continuous Integration Tools.

Let us know how that works for you.

Jamie,

Excluding module information works fine for CI builds. I also need to exclude modules for local development builds. I don’t see a way to do it.

Hey @jeff.wise and thanks @jwhitehouse. Unfortunately I don’t believe the Maven plugin supports excluding submodules from evaluation. A workaround may be to invoke the IQ CLI and only scan the target directories where application binaries reside. Or use the Maven dependency plugin to copy application binaries to a specified folder and use the CLI to scan those. Neither would be as performant as the Maven plugin.
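
The CLI workaround described in the last reply needs a list of target directories that leaves out the test-only modules. The following is an added example, not part of the thread and not Sonatype's code: it builds that list for a local or CI run. Treating `<clm.skip>true</clm.skip>` in a module's own pom.xml as the exclusion marker is an assumption of this script, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: choose which module build directories to hand to an IQ CLI scan.
# Assumption: a module is excluded when its own pom.xml sets clm.skip to true.
# That marker is this script's convention; the CLI does not read it.

# Print one "<module>/target" path per line for every unmarked module under $1.
iq_scan_targets() {
    root=${1:-.}
    # Ignore POM copies that Maven writes into build output.
    find "$root" -name pom.xml ! -path '*/target/*' | sort |
    while IFS= read -r pom; do
        module=$(dirname "$pom")
        # Leave out modules designated for skipping.
        if grep -Eq '<clm\.skip>[[:space:]]*true[[:space:]]*</clm\.skip>' "$pom"; then
            continue
        fi
        # Only modules that produced build output have anything to scan.
        if [ -d "$module/target" ]; then
            printf '%s\n' "$module/target"
        fi
    done
    return 0
}

# Constructed sample layout: an aggregator root, one application module,
# one test-only module marked for skipping, and one module not built yet.
build_sample_project() {
    dir=$1
    mkdir -p "$dir/app/target" "$dir/it-tests/target" "$dir/lib"
    printf '<project><packaging>pom</packaging></project>\n' > "$dir/pom.xml"
    printf '<project><artifactId>app</artifactId></project>\n' > "$dir/app/pom.xml"
    printf '<project><properties><clm.skip>true</clm.skip></properties></project>\n' \
        > "$dir/it-tests/pom.xml"
    printf '<project><artifactId>lib</artifactId></project>\n' > "$dir/lib/pom.xml"
}

# When given a project root, print the directories to pass to the CLI as scan targets.
if [ $# -gt 0 ]; then
    iq_scan_targets "$1"
fi
```

Run it after `mvn package` so each module's target directory holds the binaries; the same script then yields the same scan set on a developer machine and in CI.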