Old version of checkstyle detected. Consider updating to >= v8.30 - maven

Small question regarding a SonarQube + Checkstyle warning please.
Currently, in my app, in my pom, I use the following Checkstyle plugin:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>3.1.2</version>
<configuration>
<outputFile>.out/reports/checkstyle/checkstyle-result.xml</outputFile>
<outputDirectory>target/reports/checkstyle</outputDirectory>
<outputFileFormat>xml</outputFileFormat>
</configuration>
</plugin>
This plugin is doing its job, no worries there.
When I run SonarQube though, I get this warning
Old version of checkstyle detected. Consider updating to >= v8.30
For more information see: https://maven.apache.org/plugins/maven-checkstyle-plugin/examples/upgrading-checkstyle.html
I obviously went to read the website, but I am still having hard time understanding.
The Checkstyle plugin I have is the latest known, version 3.1.2, checked on Maven central etc.
In SonarQube, I am running on the latest version, 8.9 LTS, with the latest version of Checkstyle plugin as well.
What am I missing please? Am I using some kind of wrong plugin?

It is a SonarQube plugin named sonar-checkstyle which needs to be installed or upgraded at the SonarQube server instance. The current version is 8.40.
Note: Refer to
https://docs.sonarqube.org/latest/setup/install-plugin/
https://docs.sonarqube.org/latest/instance-administration/plugin-version-matrix/
https://github.com/checkstyle/sonar-checkstyle
https://github.com/checkstyle/sonar-checkstyle/releases
Edit 1
Step 1
Firstly, there is a cache directory at <user_home>/.sonar/cache (for me on the Windows 10 is C:\Users\<myuser>\.sonar\cache), please delete all sub directories under this cache directory with purpose to let the org.sonarsource.scanner.maven:sonar-maven-plugin latest version download it from our SonarQube server instance and ensure that all related plugins are new and fresh after upgrading/installing at the SonarQube server instance. (Do not forget to restart it after finishing upgrading/installing to ensure all new are re-loaded)
Step 2
Secondly, make sure that we do not specify the org.sonarsource.scanner.maven:sonar-maven-plugin in our project pom.xml neither at the parent nor anywhere else with purpose to ensure that during executing, it will be a latest version which matches to our SonarQube server instance version.
Anyhow the formal document (https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-maven/) also mentions about How to Fix Version of Maven Plugin as the following: -
How to Fix Version of Maven Plugin
It is recommended to lock down versions of Maven plugins:
<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.sonarsource.scanner.maven</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<version>
<!--Version that matched with our Sonar server instance version -->
</version>
</plugin>
</plugins>
</pluginManagement>
</build>
The latest version is able to be browsed at https://search.maven.org/artifact/org.codehaus.mojo/sonar-maven-plugin or https://search.maven.org/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin The latest is version 3.9.0.2155 (Note: the version ?.y.z is matched with our Sonar server instance version)
Step 3
Last but not least, if our project is a multi-module projects there is a mentioned at the formal document (https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-maven/) as the following: -
In some situations you may want to run the sonar:sonar goal as a
dedicated step. Be sure to use install as first step for multi-module
projects
mvn clean install
mvn sonar:sonar ...
Then there will be 2 steps here, mvn clean install first so that it is completed and then mvn sonar:sonar ... later on.
Edit 2
The maven-checkstyle-plugin is also able to specify the checkstyle version as mentioned at https://maven.apache.org/plugins/maven-checkstyle-plugin/examples/upgrading-checkstyle.html with the significant sentence as
Maven Checkstyle plugin comes with a default Checkstyle version: for
maven-checkstyle-plugin 3.1.2, Checkstyle 8.29 is used by default.
Then the configuration for the maven-checkstyle-plugin will be like the following: -
<project>
...
<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>3.1.2</version>
<dependencies>
<dependency>
<groupId>com.puppycrawl.tools</groupId>
<artifactId>checkstyle</artifactId>
<version>...choose your version...</version>
</dependency>
</dependencies>
</plugin>
</plugins>
</pluginManagement>
<build>
...
</project>
The latest version is able to be browsed at https://search.maven.org/artifact/com.puppycrawl.tools/checkstyle The latest is version 8.42.

Related

What happens if you do not specify the version of the maven plugin?

What will happen if spring boot 2 in pom.xml does not indicate the version of the plugin. Will it automatically use the latest version? For example maven-surefire-plugin.
<build>
<!--Закомментировать если сборка с Java-->
<sourceDirectory>${project.basedir}/src/main/kotlin</sourceDirectory>
<testSourceDirectory>${project.basedir}/src/test/kotlin</testSourceDirectory>
<!---->
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
</plugin>
From maven 3.x documentation
When a plugin was invoked without an explicit version given in the POM
or on the command line, Maven 2.x used to pick the latest version
available where the latest version could either be a release or a
snapshot. For the sake of stability, Maven 3.x prefers the latest
release version over the latest snapshot version.
Given the threat of non-reproducible builds imposed by automatic
plugin version resolution, this feature is scheduled for removal as
far as plugin declarations in the POM are concerned. Users of Maven
3.x will find it output a warning when missing plugin versions are detected to encourage the addition of plugin versions to the POM or
one of its parent POMs. The Enforcer rule requirePluginVersions can be
used additionally check for missing plugin versions in the POM.
It really depends what your parent is. Spring Boot's parent has pluginManagement for a number of plugins (including surefire) so it will use that version. This is a fixed version and it depends on the Spring Boot version you're using.
There is no guarantee that it will be the latest, even if you use the latest Spring Boot version as we try to be consistent with our upgrade policy. You can figure this out yourself via mvn help:effective-pom.

Maven versions plugin update to next snapshot

I'm trying to use the maven versions plugin to update my pom to the next snapshot version. eg. 0.0.1 should change to 0.0.2-SNAPSHOT.
From my reading of http://www.mojohaus.org/versions-maven-plugin/set-mojo.html I would expect mvn versions:set -DnextSnapshot=true to do this, but in reality it just prompts me for a new version with a default of the current version (0.0.1). Am I missing something here? I want to do this update as a part of a script so don't want any manual intervention.
I'm using v2.5 of the versions plugins. That link above says that nextSnapshot is available from 2.10 but 2.5 seems to be the latest I can find.
I also faced this issue. I got to know that my Maven project was picking up older version (2.3) of Versions Plugin. This no longer seems to be a problem in latest version (2.7) of the plugin.
I added following in pom.xml of my project to force my project use 2.7 version of Maven Versions plugin.
<pluginManagement>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.7</version>
</plugin>
</plugins>
</pluginManagement>
Otherwise, you can mention latest version of Versions plugin to choose in command line :- mvn org.codehaus.mojo:versions-maven-plugin:2.7:set -DnextSnapshot=true

Please update sonar-maven-plugin to at least version 2.3

I'm building a project in Jenkins with Sonar Integration.
Everything goes smoothly until the sonar analysis part. I get the following error:
[ERROR] Failed to execute goal
org.codehaus.mojo:sonar-maven-plugin:2.2:sonar (default-cli) on
project project-whatever: Can not execute SonarQube analysis:
Please update sonar-maven-plugin to at least version 2.3 -> [Help 1]
and then the build fails.
I must explain that I have no references to sonar in my project pom.xml. This has been done exclusively with Jenkins configuration.
I'm using the latest available versions both on Jenkins (1.599) and Sonar (5.0). All Jenkins plugins are updated.
Already looked for a way to update the sonar-maven-plugin version, but I can´t find it: either it doesn't exist or I'm not looking at the right places...
Does anyone have any ideia how to work around this?
I was able to fix this issue by going into Manage Jenkins -> Configure System -> Scroll to the SonarQube section -> Click advanced -> fill in "Version of sonar-maven-plugin" with the verison you would like to use.....I used 2.5.
If you can change the root pom.xml, then following should work as well:
<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.sonarsource.scanner.maven</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<version>3.1.1</version>
</plugin>
</plugins>
</pluginManagement>
</build>
More info in SonarQube docs

mvn clean tomcat:run command

When I run "mvn clean tomcat:run" (without specifying any tomcat version) command from command prompt for running my web application, it download tomcat 6.0.29 version dependency as shown below:
org/apache/tomcat/juli/6.0.29/juli-6.0.29.pom
org/apache/tomcat/annotations-api/6.0.29/annotations-api-6.0.29.pom
org/apache/tomcat/catalina-ha/6.0.29/catalina-ha-6.0.29.pom
org/apache/tomcat/coyote/6.0.29/coyote-6.0.29.pom
org/apache/tomcat/tribes/6.0.29/tribes-6.0.29.pom
org/apache/tomcat/jasper-el/6.0.29/jasper-el-6.0.29.pom
org/apache/tomcat/dbcp/6.0.29/dbcp-6.0.29.pom
pom.xml file of the application does not contain any tomcat version it require to run
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>2.0.2</version>
<configuration>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
</plugins>
<finalName>esa</finalName>
</build>
So my query is how does it decide to download particular this tomcat version dependency.
Probably the default settings of the tomcat plugin you run.
Try running mvn tomcat:help -Ddetails to see what version of the plugin you use, and how it can be configured.
I think it is an earlier version of the plugin, and you can now use explicit versions, such as
mvn org.apache.tomcat.maven:tomcat6-maven-plugin:2.0:run
mvn org.apache.tomcat.maven:tomcat7-maven-plugin:2.0:run
(or the shorter form)
Seems, you are running the tomcat-maven-plugin from codehaus, whihc has tomcat 6.0.29 built-in. (Seems there was no activity since 2010.)
You should try the tomcat7 plugin from apache.
Regards
Tibor
In command line for maven use --debug option to get explanation of build process. For our case output looks like:
...[DEBUG] Resolving plugin prefix tomcat from [org.apache.maven.plugins, org.codehaus.mojo]
...
[DEBUG] Resolved plugin version for org.codehaus.mojo:tomcat-maven-plugin to 1.1 from repository central (http://repo.maven.apache.org/maven2, releases)...
Actually to explain why we've got tomcat v1.1 without specifying anything about tomcat, remember that maven build process has been customized with build plugins. And each build plugins has own build plugins. So it is enough to examine effective pom file to get clear understanding that almost empty initial pom.xml has quite big effective pom.xml.
To overcome issue just use explicit version of the tomcat plugin.

Does maven-release-plugin also do what maven-compiler-plugin does?

In project pom.xml is it required to include both maven-release-plugin and maven-compiler-plugin? The reason I want the release plugin is because I want to release the project at the end of a sprint/release. I understand that the compiler plugin will compile the source code, however I am not sure if the release plugin will also compile the source code, apart from updating the pom and checking out/in to scm.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<version>2.2.2</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>2.3.2</version>
<configuration>
<encoding>UTF-8</encoding>
</configuration>
</plugin>
Any help with this is much appreciated.
If unspecified, Maven will know what to do when it needs to compile the code. However, in order to be able to control things like source and target versions, you will need to have a declaration of the maven-compiler-plugin.
It is generally good practice, to explicitly define the plugins you are using, along with their configurations and above all their versions, so that you have a guarantee of what was working.
What the Maven Release Plugin does is described here.
Your question is about the bullet "Run the project tests against the modified POMs to confirm everything is in working order". There is not that much magic here. What happens is that the maven-release-plugin will start a new Maven session. It will execute "mvn verify" in the same folder where you ran "mvn release:prepare".
All the steps done by the maven-release-plugin could also be done by hand, but that's asking for mistakes.

Resources