I am trying to get the Maven plugin working to get the dependency-check report. My end goal is to come up with a security-report of the security vulnerabilities on my project.
The Maven snippet which I am using is -
<build>
<pluginManagement>
<plugins>
..
..
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>1.4.0</version>
<configuration>
<dataDirectory>/somepath/data</dataDirectory>
</configuration>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</pluginManagement>
</build>
For my build I am using '
mvn -B -U clean install site:site
However, I don't see the dependency-checks being triggered.
I also tried
mvn -B -U org.owasp:dependency-check-maven:1.4.0:check -Dformat=XML
No luck either. I get an error -
[ERROR] BUILD ERROR [INFO]
------------------------------------------------------------------------ [INFO] Internal error in the plugin manager executing goal
'org.owasp:dependency-check-maven:1.4.0:check': Unable to find the
mojo 'check' (or one of its required components) in the plugin
'org.owasp:dependency-check-maven' Can not set
org.sonatype.plexus.components.cipher.PlexusCipher field
org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher._cipher
to org.sonatype.plexus.components.cipher.DefaultPlexusCipher
Where am I going wrong? Thanks and apologies if the question is way too basic!
Thanks 'A_Di-Matteo' for your help.
Furthermore, I noticed I was using Maven 2 for this build (don't ask me why was it even an option). When I used Maven 3, this problem disappeared.
Related
I'm running mvn dependency:analyze-only & im getting the error below. Can someone point me to the correct config for running the maven dependency analyzer?.
FYI, my project builds fine with maven, so im not sure what its looking for. I also listed my pom.xml for the plugin.
this is the error im getting
[INFO]
[INFO] --- maven-dependency-plugin:2.10:analyze-only (default-cli) # MFC ---
[INFO] Skipping project with no build directory
...
This is my pom.xml for the dependency plugin
...
<plugin>
<artifactId>maven-dependency-plugin</artifactId>
<version>2.10</version>
<executions>
<execution>
<id>analyze</id>
<goals>
<goal>analyze</goal>
</goals>
<configuration>
<failOnWarning>true</failOnWarning>
<outputDirectory>c:\TEMP\</outputDirectory>
</configuration>
</execution>
</executions>
</plugin>
Note that the dependency:analyze-only goal is used in preference to dependency:analyze since it doesn't force a further compilation of the project, but uses the compiled classes produced from the earlier test-compile phase in the lifecycle.
The project's dependencies will then be automatically analyzed during the verify lifecycle phase
If you have not compiled or run your tests before, you will get that message.
Then you must execute as follows
>mvn verify dependency:analyze-only
or simply
> mvn verify
UPDATE
Your pluging goal must be <goal>analyze-only</goal> not <goal>analyze</goal> plugin then must be
<plugin>
<artifactId>maven-dependency-plugin</artifactId>
<version>2.10</version>
<executions>
<execution>
<id>analyze</id>
<goals>
<goal>analyze-only</goal>
</goals>
<configuration>
<failOnWarning>true</failOnWarning>
<outputDirectory>c:\TEMP\</outputDirectory>
</configuration>
</execution>
</executions>
</plugin>
do the change and execute mvn verify dependency:analyze-only or verify and it should works.
When I run $mvn -q clean install, I see a bunch of [debug] execute contextualize statements printed to the console.
After doing some searching, I determined that this is a problem with version 2.5 of the Maven Resources Plugin. This problem has been fixed in version 2.6, but I cant figure out how to get my project to use it. (http://jira.codehaus.org/browse/MRESOURCES-140)
None of my projects have this plugin listed in their poms, so I am not sure where Maven is getting it from, maybe it is used in one of the other Apache dependencies or something? (I don't really even understand what this plugin does or how plugins in Maven are used in general)
I tried adding the following to my root pom:
<build>
<plugins>
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>2.6</version>
</plugin>
</plugins>
</build>
However, this doesn't seem to solve the problem. I still see the [debug] execute contextualize output and when I run $mvn help:effective-pom, the output still shows:
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>2.5</version>
<executions>
<execution>
<id>default-resources</id>
<phase>process-resources</phase>
<goals>
<goal>resources</goal>
</goals>
</execution>
<execution>
<id>default-testResources</id>
<phase>process-test-resources</phase>
<goals>
<goal>testResources</goal>
</goals>
</execution>
</executions>
</plugin>
How can I force Maven to use the newer version of this plugin so that I can suppress the annoying [debug] execute contextualize outputs?
Try do add the groupId of the plugin in your build settings :
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>2.6</version>
</plugin>
</plugins>
</build>
The maven-resources-plugin is bound to the lifecycle by default for jars, wars, & ears. Adding a definition to your corporate root POM as you did should work to update the version used. Things to check:
Is the inheriting project specifying the version of the corporate parent POM that includes the change?
Did you run mvn clean install on the root POM prior to running the project build?
If the answer is "yes" and "yes", try cleaning out your local artifact repo, then run mvn clean install for the root, and try the build again.
I'm working on a maven project and want to generate the most basic of javadocs.
This is the plugin I add to my pom.xml
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.8.1</version>
<executions>
<execution>
<id>attach-javadocs</id>
<phase>package</phase>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
I then run the goal mvn clean package and after successfully cleaning and packaging my project it says
[INFO] --- maven-javadoc-plugin:2.8.1:jar (attach-javadocs) # project-name ---
[INFO] Skipping javadoc generation.
I've tried adding the property:
<properties>
<maven.javadoc.skip>false</maven.javadoc.skip>
</properties>
And have also tried this in cmd prompt:
mvn clean package -Dmaven.javadoc.skip=false
No different...
Anything I am blatantly missing?
You must use
-Dmaven.javadoc.skip=true <-- to skip javadoc
-Dmaven.javadoc.skip=false <<-- do not skip
see the effective pom of your project either on the command line by typing mvn help:effective-pom or through eclipse effective-pom view of your pom. That will give you the true configuration.
If the flag is set to true, then:
are you adding the configuration in an inactive profile? check mvn help:active-profiles
do you have pom inheritance and inheriting the configuration from the parents? check parent poms
I don't think that changing the version will help you much as the "skip" parameter was available from version 2.5
Complete Maven newb here, so forgive any abused terminology, etc.
I've built a custom plugin in Maven 3 (one that defines goals for git rebase). I'm able to:
mvn install
No problem. I can then invoke the goal from the command line:
mvn edu.clemson.cs.rsrg:git-plugin:rebase
Everything's golden. I have this lovely git-plugin-XXX.jar file sitting in my target directory.
I'd like to make my custom goals available to another project such that when other members of the dev team pull down that project's source, they get my plugin for free (or at least, after a mvn build).
My understanding is that the purist solution is to set up a maven repo for the group and load my plugin there, but that seems overkill for a single hacky plugin.
Thoughts?
I've played with doing it via three different plugins so far:
addjars-maven-plugin:add-jars
<plugin>
<groupId>com.googlecode.addjars-maven-plugin</groupId>
<artifactId>addjars-maven-plugin</artifactId>
<version>1.0.4</version>
<executions>
<execution>
<goals>
<goal>add-jars</goal>
</goals>
<configuration>
<resources>
<resource>
<directory>${basedir}/plugins</directory>
</resource>
</resources>
</configuration>
</execution>
</executions>
</plugin>
Gives me this error during mvn build:
[ERROR] Error resolving version for plugin 'edu.clemson.cs.rsrg:git-plugin' from the repositories [local (/home/hamptos/.m2/repository), central (http://repo.maven.apache.org/maven2)]: Plugin not found in any plugin repository
It also causes my later formatting plugin to fail. (Clearly it's read the jar and determined the group name/plugin name, but then it goes and looks for it in my local repo? Of course it's not there--I'm trying to install it.)
build-helper:attach-artifacts
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<version>1.7</version>
<executions>
<execution>
<id>attach-artifacts</id>
<phase>install</phase>
<goals>
<goal>attach-artifact</goal>
</goals>
<configuration>
<artifacts>
<artifact>
<file>${basedir}/plugins/git-plugin-0.1.0a.jar</file>
<type>jar</type>
</artifact>
</artifacts>
</configuration>
</execution>
</executions>
</plugin>
Gives me this error during mvn build:
[ERROR] Failed to execute goal org.codehaus.mojo:build-helper-maven-plugin:1.7:attach-artifact (attach-artifacts) on project RESOLVE: Execution attach-artifacts of goal org.codehaus.mojo:build-helper-maven-plugin:1.7:attach-artifact failed: For artifact {edu.clemson.cs.rsrg:RESOLVE:12.09.01a:jar}: An attached artifact must have a different ID than its corresponding main artifact.
(RESOLVE:12.09.01a being the main project. Clearly something's gone awry here because the plugin and main project definitely have different artifactIDs. Trying to attach the project on top of itself maybe?)
maven-install-plugin:install-file
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-install-plugin</artifactId>
<version>2.3.1</version>
<executions>
<execution>
<id>install-git-plugin</id>
<phase>initialize</phase>
<goals>
<goal>install-file</goal>
</goals>
<configuration>
<file>${basedir}/plugins/git-plugin-0.1.0a.jar</file>
<packaging>jar</packaging>
<groupId>edu.clemson.cs.rsrg</groupId>
<artifactId>git-plugin</artifactId>
<version>0.1.0a</version>
</configuration>
</execution>
</executions>
</plugin>
Seems to work fine until I try to invoke one of the goals like mvn edu.clemson.cs.rsrg:git-plugin:rebase, at which point it gives me this error:
[ERROR] Failed to execute goal edu.clemson.cs.rsrg:git-plugin:0.1.0a:rebase (default-cli) on project RESOLVE: Execution default-cli of goal edu.clemson.cs.rsrg:git-plugin:0.1.0a:rebase failed: Unable to load the mojo 'rebase' (or one of its required components) from the plugin 'edu.clemson.cs.rsrg:git-plugin:0.1.0a': com.google.inject.ProvisionException: Guice provision errors:
[ERROR]
[ERROR] 1) Error in ComponentFactory:ant-mojo
[ERROR] at ClassRealm[plugin>edu.clemson.cs.rsrg:git-plugin:0.1.0a, parent: sun.misc.Launcher$AppClassLoader#e776f7]
[ERROR] while locating org.apache.maven.plugin.Mojo annotated with #com.google.inject.name.Named(value=edu.clemson.cs.rsrg:git-plugin:0.1.0a:rebase)
You may think it is hacky, but it is the maven way. It needs to be deployed to a maven repo.
If you keep it in a groupId that you can demonstrably own and it's open source you can publish it to central
I am new to maven, and cannot figure it out.
I have this configuration for the plugin in my pom.xml file, but it looks like mvn does not use my configuration.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-install-plugin</artifactId>
<version>2.3.1</version>
<executions>
<execution>
<phase>install</phase>
<goals>
<goal>install-file</goal>
</goals>
<configuration>
<packaging>jar</packaging>
<artifactId>${project.artifactId}</artifactId>
<groupId>${project.groupId}</groupId>
<version>${project.version}</version>
<file>
${project.build.directory}/${project.artifactId}-${project.version}.jar
</file>
</configuration>
</execution>
</executions>
</plugin>
I am getting the same error when I comment out this plugin. There are old discussions on the blogs that maven was ignoring configurations inside the execution. Is it still an issue ? How can I make maven to read my plugin declarations instead of something else? What does it run when my dependency is commented out?
Error
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-install- plugin:2.3.1:install-file (default-cli) on project core: The parameters 'file' for goal org.apache.maven.plugins:maven-install-plugin:2.3.1:install-file are missing or invalid -> [Help 1]
From the error message and the information above, one possibility is that you are running mvn install:install-file on your project. Run mvn install instead.