Set Up the SourceClear Maven Plugin

SourceClear Software Composition Analysis

The SourceClear Maven plugin allows you to automate the scanning of your Maven repositories. You can optionally upload the results of plugin scans to the SourceClear platform, either to a specific organization or to your personal environment.

Procedure

  1. From the left sidebar, select the team for which you want to create the agent, and then select Agents > New Agent > Maven Plugin.
  2. Choose to set your API token as an environment variable in the environment where you build your Maven repository, or add the token directly to the configuration within your pom.xml file:
    • Environment Configuration:
      • Run the following command to set your API token to the SRCCLR_API_TOKEN environment variable:
      export SRCCLR_API_TOKEN=<apiToken>
      Note: If your shell supports it, you may want to prefix the command with a space to avoid leaving the token in your shell history.
      Type the following invocation on the command line in the root of your Maven project to run a scan:
      mvn clean compile com.srcclr:srcclr-maven-plugin:scan
    • pom.xml Configuration:
      • Edit your pom.xml file in the root directory and apply the following changes:
      <build>
          <plugins>
              <plugin>
                  <groupId>com.srcclr</groupId>
                  <artifactId>srcclr-maven-plugin</artifactId>
                  <version><!-- Insert latest release here --></version>
                  <configuration>
                      <!-- Add configuration details here -->
                      <apiToken>OptionallyEnterUserTokenHere</apiToken>
                  </configuration>
                  <executions>
                      <execution>
                          <id>srcclr-scan</id>
                          <phase>verify</phase>
                          <goals>
                              <goal>scan</goal>
                          </goals>
                      </execution>
                  </executions>
              </plugin>
          </plugins>
      </build>

      After you save your changes to the pom.xml file, the SourceClear plugin automatically runs when you run any Maven lifecycle phase later than verify, such as install or package.
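
The two token options above can be combined into a pre-flight check for build scripts. The following is an added example, not SourceClear's own code: it refuses to scan when pom.xml carries a literal <apiToken> value and requires SRCCLR_API_TOKEN in the environment instead. The function names, the blocking policy, and the one-line <apiToken> layout are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check before running the SourceClear scan.
# Assumption: <apiToken> and </apiToken> sit on one line, as in the
# pom.xml snippet on this page. Function names are hypothetical.

# Print the value of every <apiToken> element found in the given pom file.
api_token_values() {
    sed -n 's:.*<apiToken>\(.*\)</apiToken>.*:\1:p' "$1"
}

# Return 0 when the pom holds no literal token, 1 when a value is hardcoded.
# Empty elements and Maven property references such as
# ${env.SRCCLR_API_TOKEN} are accepted; any other value counts as a literal.
pom_token_is_safe() {
    api_token_values "$1" | while IFS= read -r value; do
        case $value in
            ''|'${'*'}') ;;      # empty or property reference
            *) exit 1 ;;         # literal value: fail the pipeline
        esac
    done
}

# Check the pom and the environment, then run the scan command from this page.
preflight_and_scan() {
    pom_file=${1:-pom.xml}
    if ! pom_token_is_safe "$pom_file"; then
        echo "refusing to scan: $pom_file contains a literal <apiToken> value" >&2
        return 1
    fi
    if [ -z "${SRCCLR_API_TOKEN:-}" ]; then
        echo "refusing to scan: SRCCLR_API_TOKEN is not set" >&2
        return 1
    fi
    mvn clean compile com.srcclr:srcclr-maven-plugin:scan
}

# Runs only when invoked as: sh preflight.sh --scan [path/to/pom.xml]
if [ "${1:-}" = "--scan" ]; then
    preflight_and_scan "${2:-pom.xml}"
fi
```

The placeholder value OptionallyEnterUserTokenHere from the snippet above is treated as a literal, so a copied-and-unedited configuration block also stops the scan.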