Sonatype and Bamboo: Improving Your Builds

March 03, 2015 By Derek Weeks


Sonatype now provides native Atlassian Bamboo support to improve the quality of your build outputs. Sonatype provides instant analysis of open source components used in every Bamboo build and alerts development teams to any quality, license, or security issues identified. By catching the issues during CI builds, development teams can quickly address open source policy violations early and can avoid unplanned rework.


Improve the Quality of Build Outputs

After policies have been established in Sonatype CLM to watch for quality, license or security issues associated with open source components used during the builds, build managers now have continuous visibility to any components that may impact the integrity or quality of a build early in the development lifecycle.

If you are not familiar with CLM policy management, alerts, and reporting, here are some examples of what you might use continuous monitoring for:

  • Versions: Detect specific version numbers of open source components in use, helping to reduce the variability of versions in use across production applications.
  • License: Detect any artifact or dependency that uses GPL or AGPL licenses.
  • Security: Detect any artifact with a known security vulnerability whose CVSS score is between 7 and 10.
  • Age/Viability: Detect any open source components that are five or more years old, which may indicate less capable components or a project that no longer publishes regular updates.

Details of Policy Violations

Sonatype CLM is the only solution that delivers continuous visibility to build quality and integrity through Jenkins, Hudson and Bamboo. If any issues are discovered, build managers, security professionals, and development managers have instant access to details on the artifact in question, including policy/compliance information, the popularity and age of the component, and its release history. For example, if a security vulnerability is known to exist in a given artifact, details of its CVE are immediately available for analysis from CLM.


Monitoring Outputs from Multiple Builds

Build managers will likely use the Bamboo dashboard to monitor the status of multiple builds from a central location. When other functional areas of the business (e.g., Application Security, Legal, Open Source Review Boards) want to keep track of multiple builds, they turn to the CLM Dashboard, which gives these users real-time visibility to policy/compliance issues.


If you are using Bamboo, Jenkins, or Hudson for continuous integration, and want to further improve your visibility to the quality and integrity of your builds, feel free to reach out to us for more details. You can watch a video demonstration (7 min) of the integration here.

Sonatype’s integration with CI platforms is just one of the ways that we are helping development teams to improve the speed, quality and integrity of their continuous development efforts.

Mark Your Calendar

If you want to learn how Sonatype’s own development team uses CLM integrated with Bamboo, join us on March 25th, as Mike Hansen -- our SVP Development -- and his team give a tour of our development tool chain and share insight into their agile practices. Register today!


Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.