A vulnerability scan highlighted the presence of Maven JARs in the Docker image for our Quarkus app which surprised me. These are being picked up from quarkus-app/lib/main. Running mvn quarkus:dependency-tree shows the route by which they're getting included:
[INFO] --- quarkus-maven-plugin:2.2.3.Final:dependency-tree (default-cli) # my-app ---
[INFO] Quarkus application PROD mode build dependency tree:
[INFO] my-group:my-app:pom:1.x-SNAPSHOT
...
[INFO] ├─ io.quarkus:quarkus-undertow-deployment:jar:2.2.3.Final (compile)
...
[INFO] │ ├─ io.quarkus:quarkus-core-deployment:jar:2.2.3.Final (compile)
...
[INFO] │ │ ├─ io.quarkus:quarkus-bootstrap-core:jar:2.2.3.Final (compile)
...
[INFO] │ │ │ ├─ io.quarkus:quarkus-bootstrap-maven-resolver:jar:2.2.3.Final (compile)
[INFO] │ │ │ │ ├─ org.apache.maven:maven-embedder:jar:3.8.1 (compile)
Again, I was surprised to see that it was pulling in deployment JARs as, based on my limited understanding, I would have not expected these to be needed at runtime for a non-mutable production app.
EDIT: The POM just references the extension and then there is a parent POM that references the Quarkus BOM.
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-undertow</artifactId>
</dependency>
If the deployment JARs are needed, why, and, if not, is there a way to exclude them?
As #Ladicek suggested, the cause of this issue was that one of dependencies was referencing the deployment artifact directly (just not the one I posted in the question!). This was then causing the deployment JARs for all of the extensions to be packaged in quarkus-app/lib/main.
Correcting quarkus-logging-json-deployment to quarkus-logging-json fixed the problem.
Related
First of all, I'm entirely new to Maven.
I've imported a big complex maven project to IntelliJ. It contains multiple pom.xml, and it also depends on another local project (that I've already imported and works well).
The import process went well; on IntelliJ, nothing is red underlined. It seems to find every dependency (whether local or not). However when I try to build the .jar of one of the project via the Maven menu:
I get this output:
/Library/Java/JavaVirtualMachines/jdk1.8.0_161.jdk/Contents/Home/bin/java -Dmaven.multiModuleProjectDirectory=/Users/bastiannanchen/Programmation/Backend/backend/Reconfigure "-Dmaven.home=/Applications/IntelliJ IDEA.app/Contents/plugins/maven/lib/maven3" "-Dclassworlds.conf=/Applications/IntelliJ IDEA.app/Contents/plugins/maven/lib/maven3/bin/m2.conf" "-javaagent:/Applications/IntelliJ IDEA.app/Contents/lib/idea_rt.jar=62186:/Applications/IntelliJ IDEA.app/Contents/bin" -Dfile.encoding=UTF-8 -classpath "/Applications/IntelliJ IDEA.app/Contents/plugins/maven/lib/maven3/boot/plexus-classworlds-2.5.2.jar" org.codehaus.classworlds.Launcher -Didea.version=2018.3.4 compile
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Reconfigure 3.3.0
[INFO] ------------------------------------------------------------------------
[WARNING] The POM for <local_project> is missing, no dependency information available
[...]
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.276 s
[INFO] Finished at: 2019-02-12T11:08:44+01:00
[INFO] Final Memory: 10M/309M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project Reconfigure: Could not resolve dependencies for project <project_name> The following artifacts could not be resolved: <local_project> [...]
[...]
Do you know how to resolve this problem? I suppose I'm not proceeding correctly with the building process, but I am having a hard time to find an answer on the internet.
Thanks!
UPDATE
The structure of the project in summary:
├── backend
│ ├── project_1
│ ├── project_2
│ ├── project_3
│ └── project_4
└── utils
├── project_utils_1
├── project_utils_2
└── project_utils_3
I'm trying to build, e.g., the project_2 that has dependencies with all the projects in backend and some projects in utils.
I finally find a way to build the .jar file. Before building the package, I needed to use the Maven install plugin for the dependencies. FYI The Install Plugin is used during the install phase to add artifact(s) to the local repository.
Thank you to everybody that tried to help me :)
I have 2 Jenkins shared libraries which contain groovy files to be scanned. Both projects are using the same sonarqube call using maven but in one project the groovy files are scanned, whereas in the other they are not
Sonarqube call
...
String scanCmd = "mvn org.sonarsource.scanner.maven:sonar-maven-plugin:3.4.0.905:sonar " +
"-f pom.xml " +
"-Dsonar.branch=%GIT_BRANCH% " +
"-Dsonar.test.inclusions=**/*Test*/** " +
"-Dsonar.exclusions=**/*Test*/** " +
"-Dsonar.skipDesign=true "
bat scanCmd
...
We are using version 5.6.6, if that matters
Sonar scanner config
The sonar configuration is in the parent pom which contains the sonar properties
....
<properties>
<!-- Sonar -->
<sonar.sources>src,vars</sonar.sources>
<sonar.inclusions>**/**</sonar.inclusions>
</properties>
....
Both projects (pom.xml) use the this parent pom i.e. the same sonar properties
Project 1: 0 files indexed
The project structure looks like this:
D:.
│ .gitignore
│ Jenkinsfile
│ pom.xml
│ README.md
│
├───src
│ └───ch
│ └───swisscard
│ └───jenkins
│ └───pipeline
│ └───util
│ PipelineRabbitMQ.groovy
│
└───vars
ciPipeline.groovy
So there are two groovy files which should be scanned but the logfile shows 0 files indexed:
[INFO] Base dir: D:\jenkins\tools\ci-home\workspace\rabbitmq-ci-pipeline_master-2CYM2JXOI6CJM2T4MSNQTNPWY7LRY7PTSC3OG74TSX2Q2WNKXUSQ
[INFO] Working dir: d:\jenkins\tools\ci-home\workspace\rabbitmq-ci-pipeline_master-2CYM2JXOI6CJM2T4MSNQTNPWY7LRY7PTSC3OG74TSX2Q2WNKXUSQ\target\sonar
[INFO] Source paths: src, vars
[INFO] Binary dirs: target/classes
[INFO] Source encoding: UTF-8, default locale: en_US_US
[INFO] Index files
[INFO] Included sources:
[INFO] **/**
[INFO] Excluded sources:
[INFO] **/target/**/*
[INFO] **/*Test*/**
[INFO] **/*Test*/**
[INFO] Included tests:
[INFO] **/*Test*/**
[INFO] 0 files indexed
[INFO] 0 files ignored because of inclusion/exclusion patterns
Project 2: Files properly scanned
The second project structure looks like this:
D:.
│ .gitignore
│ Jenkinsfile
│ pom.xml
├───src
│ └───main
│ │ Utils.groovy
└───vars
checkQualityGate.groovy
defaultBuildApplication.groovy
ciPipeline.groovy
And here the log file indicates that all files were scanned:
[INFO] Load server rules (done) | time=98ms
[INFO] Base dir: D:\jenkins\tools\ci-home\workspace\pipeline_feature_sonar-scan-D6GRAK5PLQOMGCOOH2T6QP6BP4LA6O3LP23UC7VBSSL3RORI4ZXQ
[INFO] Working dir: d:\jenkins\tools\ci-home\workspace\pipeline_feature_sonar-scan-D6GRAK5PLQOMGCOOH2T6QP6BP4LA6O3LP23UC7VBSSL3RORI4ZXQ\target\sonar
[INFO] Source paths: src, vars
[INFO] Source encoding: UTF-8, default locale: en_US_US
[INFO] Index files
[INFO] Included sources:
[INFO] **/**
[INFO] Excluded sources:
[INFO] **/target/**/*
[INFO] **/*Test*/**
[INFO] **/*Test*/**
[INFO] Included tests:
[INFO] **/*Test*/**
[INFO] 5 files indexed
[INFO] 0 files ignored because of inclusion/exclusion patterns
Problem/Question
So apparently both projects have the same configuration and similar structure, however one is scanned and another not. At the moment I don't understand why?
I have checked other topics which did not help me
I do not have the sonar.basedir explicily set, but according to the log the base dir is fine
I had similar issue for my project. I added sonar.scm.exclusions.disabled=true in the sonar properties and the files were indexed and scanned fine.
we're using jenkins and i'm wondering if it's possible to build all my modules using maven in 1 Job, our project structure is like this:
Web
├── Server
│ ├── moduleA
│ │ └── pom.xml <--- Module A POM
│ ├── moduleB
│ │ └── pom.xml <--- Module B POM
│ └── moduleC
│ └── pom.xml <--- Module C POM
│
|── Client
├── Pom.xml
The way we're working now is that we have a jenkins job for every module in Server and 1 jenkins job for client Side , is it possible to create only one job and build All the Client and Server modules ?
you can create a parent pom that will contain all modules , than Jenkins will build this parent pom.
another option is to trigger several MVN commands ( but the first option is much better)
I have Maven 3.x.x and defined MAVEN VERSIONS Plugin in ~/.m2/settings.xml (global user level file) where I have valid .. and plugin configuration set for maven-versions-plugin and maven-enforcer-plugin etc.
(Maven inheritance and aggregation is used among these subprojects referring parent project)
Project structure :
pom.xml
module1/pom.xml
module1/src/main/resources/module1/pom.xml
module1/src/main/resources/module1/src/somemorefileshere
module2.pom.xml
module3/pom.xml
module3/src/main/resources/module3/pom.xml
module3/src/main/resources/module3/src/somemorefileshere
When I run the following command in this multi-module project setup:
$ mvn versions:set -DnewVersion=0.0.1
It successfully changes all occurrences of 0.0.1-SNAPSHOT in parent (project root level pom.xml) and sub-project/modulesX level pom.xml files BUT it didn't make the changes in the following files:
module1/src/main/resources/module1/pom.xml
module3/src/main/resources/module3/pom.xml
Questions:
1) Is it because these files sit under "src/main/resources" folder??
2) If the plugin info is configured in ~/.m2/settings.xml then do I still need to update the same in pom.xml (I don't think so).
3) Do I have to specify ... section where we specify "url", "connection", "developerConnection" values in root level project pom.xml OR it has to be placed in every sub-project/moduleX pom.xml? I think, root level pom.xml should suffice.
4) Even though each sub-project/moduleX pom.xml is successfully changing from 0.0.1-SNAPSHOT to 0.0.1 (as the version I'm setting), I get the following output once versions:set is complete. Why it's showing "SKIPPED" for those modulesX when it actually replaced the values successfully. Does this means, I have to have ... section in those sub-project/moduleX's pom.xml file as well??
19:54:40 [INFO] ------------------------------------------------------------------------
19:54:40 [INFO] Reactor Summary:
19:54:40 [INFO]
19:54:40 [INFO] main-parent ........................................ SUCCESS [ 3.082 s]
19:54:40 [INFO] module1 ................................... SKIPPED
19:54:40 [INFO] module2 .......................................... SKIPPED
19:54:40 [INFO] module3 .......................................... SKIPPED
5) Do I need to include "maven-enforcer-plugin" configuration in every root level / sub-project level (moduleX) level pom.xml?? --OR ~/.m2/setting.xml level pom should suffice?
because those looks like archetype pom.xml files (Template files) it doesn't process them, it just touches those are connected in maven POMdel
I followed the instructions to the letter in this blog post by Sonatype on writing a Maven plugin in Ruby.
When I try running mvn install (Maven 3.0.4), the build is successful, but maven-plugin-plugin cannot find any mojo descriptors:
[INFO] ------------------------------------------------------------------------
[INFO] Building Example Ruby Mojo - firstruby-maven-plugin 1.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] The POM for org.jruby:jruby:jar:0.9.9 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[INFO]
[INFO] --- maven-plugin-plugin:2.4:descriptor (default-descriptor) # firstruby-maven-plugin ---
[INFO] Using 3 extractors.
[INFO] Applying extractor for language: java
[INFO] Extractor for language: java found 0 mojo descriptors.
[INFO] Applying extractor for language: jruby
[INFO] Extractor for language: jruby found 0 mojo descriptors.
[INFO] Applying extractor for language: bsh
[INFO] Extractor for language: bsh found 0 mojo descriptors.
If I try bumping maven-plugin-plugin version to anything higher than 2.4, the build fails with this error message:
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-plugin-plugin:2.5:descriptor (default-descriptor) on project firstruby-maven-plugin: The API of the mojo scanner is not compatible with this plugin version. Please check the plugin dependencies configured in the POM and ensure the versions match. org.apache.maven.tools.plugin.scanner.MojoScanner.populatePluginDescriptor(Lorg/apache/maven/tools/plugin/PluginToolsRequest;)V -> [Help 1]
Here's the output of tree to show that the directory structure is OK:
firstruby-maven-plugin
├── pom.xml
└── src
└── main
└── scripts
└── echo.rb
3 directories, 2 files
Any idea why it's not working?
The Codehaus jruby-maven-plugin seems to have been abandoned 5 years ago. If you're using Maven3, you can try using Maven2 but I'd look at https://github.com/torquebox/jruby-maven-plugins