I am new to the SonarQube.
I am using SonarQube to security scan my Java source code. I am also using Trivy to security scan my Docker container where I pack my Java app for deployment.
I deploy my code on JBoss and Tomcat web servers.
So, I have SonarQube to security scan my source code and Trivy to security scan my Docker image, but now I need something to security scan my code's dependencies (JARs).
Can SonarQube scan dependency Apache libraries and report which dependencies contain security flows and needs to be replaced with newer versions? If yes, how?
I think the dependency-check project is what you're after; there are Grade and Maven plugins to make using it easier and it can be integrated with SonaqQube.
You can use this Trivy plugin to convert Trivy results into SonarQube format and import it as external issues report to SonarQube: https://github.com/umax/trivy-plugin-sonarqube
Related
I'm getting security vulnerabilities for spring web jars in Sonartype scanning, leading Bamboo builds failure.
My question is how to disable the Sonar from scanning these jars? Something like, configure in Gradle, Maven or Bamboo?
We already use 2.2.* version SpringBoot, so upgrade is not considered.
Thanks in advance.
Is it a good idea or practice to start a Spring Boot application at production with a following command of Spring Boot Maven plugin ?
mvn spring-boot:run
No, this is a bad idea.
You would re-build your project on every run which means that you would pull all needed dependencies on each new VM / container.
Also using the spring-boot-maven-plugin in conjunction with the dev-tools for example would lead to options that you don't want in production.
This ranges from using other database settings to disabled caching mechanisms for your templating engine.
Use the executable jar instead.
If you want to run the application with the Maven JVM this is fine.
It is just an alternative way to run your application instead of using the executable jar.
As an alternative you could also start your application with gradle
gradle bootRun
Which is best depends on your circumstance. For live production code I would use a versioned executable jar always.
We have a specific requirement that only Enterprise Archive (EAR) should be deployed on our application server (Web Logic).
Can spring-boot be used for such type of Enterprise applications?
As spring-boot provide an inbuilt Jetty/Tomcat server, can I use the jar/war to be deployed on Web Logic application server?
Also we have some external dependencies (not from maven central)
which have to be included in the pom. Does that impact spring-boot
configurations?
Of course it can - as Spring itself. You can read about it here http://www.virtual7.de/blog/2016/07/spring-boot-oracle-weblogic-server-12/
Yes, here is the instruction how to do it: http://docs.spring.io/spring-boot/docs/current/reference/html/howto-traditional-deployment.html
It depends what are those dependencies. There could be some conflicts, but any conflict can be resolved somehow :)
Since spring-boot comes with embedded tomcat containers, I was wondering how is the patching being done. If I decide to go for using embedded approach and a security vulnerability has been found out and the tomcat community has released a patch, how do I apply that patch to the embedded tomcat container which comes with the Spring-boot.
Any help would be greatly appreciated since it will help to decide to go the traditional route of standalone tomcats v's embedded.
According to this Spring blog post, you can specify any version of Tomcat you want. As long as it's released to the Maven repo, just add the following property to your Maven build properties specifying whatever version you like: <tomcat.version>8.0.3</tomcat.version>.
See http://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core for versions currently available in Maven Central.
I have a non maven project. I would like to test my jersey rest services using the Jersey Test Framework. The jersey docs only relate to maven for the jersey test framework. Is it possible to add a jar or library to the project to use this framework?
Using Jersey client instead of Jersey Test Framework have two advantages:
It's well documented and only needs the jersey-client JAR
The written code is standard and can be use by the Java clients of your services
I would suggest you to add Maven to your project for some reasons
ability to use and helpful dependencies
having mechanism to create a build of you application with one command like mvn clean package
If you use Ant scripts you can easily call old Ant scripts from Maven with Apache Maven AntRun Plugin without significant Ant scripts rebuilding.