Integrating findsecbugs plugin with Gradle's findbugs plugin - gradle

I am planning to use findsecbugs plugin to scan java code for vulnerabilities using findbugs plugin. I am looking for configuration parameters to include in my build.gradle file. Something like this.
P.S.: I am able to use FindBugs plugin with Gradle.

I tried and found the working configuration. Posting the working configuration below:
apply plugin: 'java'
apply plugin: 'findbugs'
apply plugin: 'maven'
apply plugin: 'signing'

sourceCompatibility = 1.7

dependencies {
    findbugs 'com.google.code.findbugs:findbugs:3.0.0'
    findbugs configurations.findbugsPlugins.dependencies
    // Here we specify the findbugsPlugins
    findbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.2.0'
}

task findbugs(type: FindBugs) {
    classes = fileTree(project.rootDir.absolutePath).include("**/*.class")
    source = fileTree(project.rootDir.absolutePath).include("**/*.java")
    classpath = files()
    // the findsecbugs detectors are picked up from the findbugsPlugins configuration
    pluginClasspath = project.configurations.findbugsPlugins

    findbugs {
        toolVersion = "3.0.0"
        sourceSets = [sourceSets.main]
        ignoreFailures = true
        reportsDir = file("$project.buildDir/findbugsReports")
        effort = "max"
        reportLevel = "high"
        includeFilter = file("$rootProject.projectDir/include.xml")
        excludeFilter = file("$rootProject.projectDir/exclude.xml")
    }

    tasks.withType(FindBugs) {
        reports {
            xml.enabled = false
            html.enabled = true
        }
    }
}
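The include.xml referenced by the configuration above is not shown in the post. As an added example (not the poster's file), here is a FindBugs filter that restricts the report to the SECURITY bug category, which is the category the Find Security Bugs detectors report under, so the HTML report contains only security findings; the regex that exempts test classes is an assumption about the project layout.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- include.xml: only findings that match a <Match> element are reported.
     Find Security Bugs registers all of its bug patterns in the SECURITY
     category, so this keeps the security findings and drops the standard
     FindBugs correctness/style findings. -->
<FindBugsFilter>
  <Match>
    <Bug category="SECURITY"/>
    <!-- assumption: test classes follow the *Test naming convention;
         the leading ~ makes the name a regular expression -->
    <Not>
      <Class name="~.*Test"/>
    </Not>
  </Match>
</FindBugsFilter>
<!-- Note: the build above sets reportLevel = "high", which hides medium- and
     low-confidence findings; a good share of findsecbugs results are reported
     at medium confidence, so use reportLevel = "medium" (or "low") when the
     intent is to see every security finding, and triage from the report. -->
```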

Gradle spotbugs plugin

I am new to Gradle and trying to configure Spotbugs for my Spring Boot multi module project.
In my parent, build.gradle,
buildscript {
    dependencies {
        classpath "org.springframework.boot:spring-boot-gradle-plugin:${versionSpringBoot}"
    }
}

plugins {
    id 'com.github.spotbugs' version '1.6.8'
}

allprojects {
    apply plugin: 'eclipse'
    apply plugin: 'idea'
}

subprojects {
    apply plugin: 'java'
    apply plugin: 'io.spring.dependency-management'
    apply plugin: 'pmd'
    apply plugin: 'jacoco'

    dependencyManagement {
        imports {
        }
    }

    configurations {
    }

    sourceCompatibility = '15'
    targetCompatibility = '15'

    dependencies {
    }

    pmd {
        consoleOutput = true
        toolVersion = "${versionPmd}"
        sourceSets = [sourceSets.main]
        ruleSets = ["category/java/errorprone.xml", "category/java/bestpractices.xml"]
    }

    spotbugs {
        toolVersion = "${versionSpotBugs}"
        sourceSets = [sourceSets.main]
    }

    jacoco {
        toolVersion = "${versionJacoco}"
    }

    jacocoTestReport {
        reports {
            xml.enabled = true
        }
    }

    tasks.withType(com.github.spotbugs.SpotBugsTask) {
        reports {
            xml.enabled = false
            html.enabled = true
        }
    }
}
Spotbugs doesn't run on running
./gradlew check
The main issue with your build configuration is that you apply the SpotBugs plugin only to your root project. The following configuration solves that (leaving out configurations that are unrelated to the SpotBugs plugin for brevity):
plugins {
    // we don’t need to *apply* the plugin to the root project, do we?
    id 'com.github.spotbugs' version '4.7.0' apply false
}

subprojects {
    apply plugin: 'java'
    // this is the most important part, applying the plugin to the subprojects,
    // too:
    apply plugin: 'com.github.spotbugs'

    spotbugs {
        toolVersion = '4.2.2'
    }

    tasks.withType(com.github.spotbugs.snom.SpotBugsTask) {
        reports {
            xml.enabled = false
            html.enabled = true
        }
    }
}
With this configuration, ./gradlew check also runs the SpotBugs tasks of subprojects (tested with Gradle 6.8.3).
Please note that I’ve also made a few other changes:
I’m using a recent version of the plugin as the one that you’ve used (1.6.8) is several years old and doesn’t seem to work with recent versions of Gradle.
I’ve removed the sourceSets configuration which is not needed and doesn’t work anyway.
I’ve replaced the fully qualified name of the task type with an up-to-date version.
I hope this helps. Please let me know if you’re stuck with the old SpotBugs version for some reason; knowing the Gradle version that you use would help in that case.
The below works (some adjustments to make it work locally)
gradle - 6.5.1
buildscript {
    dependencies {
        classpath "org.springframework.boot:spring-boot-gradle-plugin:2.4.3"
    }
}

plugins {
    id 'com.github.spotbugs' version '4.7.0'
}

import com.github.spotbugs.snom.SpotBugsTask

allprojects {
    apply plugin: 'eclipse'
    apply plugin: 'idea'
    apply plugin: 'java'
    apply plugin: 'io.spring.dependency-management'

    repositories {
        mavenCentral()
    }

    dependencyManagement {
        imports {
        }
    }

    configurations {
    }

    sourceCompatibility = '15'
    targetCompatibility = '15'

    dependencies {
    }

    spotbugs {
        toolVersion = '4.2.1'
    }

    tasks.withType(SpotBugsTask) {
        reports {
            xml.enabled = false
            html.enabled = true
        }
    }
}

CorDapp JaCoCo Code Coverage

I have a Corda based project with several CorDapp sub projects. I've been looking to add JaCoCo code coverage to this project. I'm looking to have a single code coverage report draw in an aggregate report of all the subproject JaCoCo reports.
To add JaCoCo to a maven project with several maven sub projects, I followed this blog entry https://lkrnac.net/blog/2016/10/aggregate-test-coverage-report/. After we ran the build ./gradlew clean test and got our reports, one of our team members noted that the whitelists weren't being created properly anymore when we ran ./gradlew clean deployNodes.
I've gone back to the base Kotlin CorDapp template found here https://github.com/corda/cordapp-template-kotlin to rule out if it's something we've done wrong with our project structure/gradle. Without JaCoCo added, I see all the whitelist entries I would expect. Once I add the JaCoCo code, I only see the 5 default Corda whitelist entries, and none of my added contract entries.
I'm using JaCoCo version 0.8.1 and coveralls version 2.6.3. The changes I've made are all within the build.gradle file for the root directory cordapp-template-kotlin:
subprojects {
    repositories {
        mavenCentral()
    }

    apply plugin: 'jacoco'
    apply plugin: 'java'

    group = 'net.lkrnac.blog'
    version = '1.0-SNAPSHOT'

    sourceCompatibility = JavaVersion.VERSION_1_8
    targetCompatibility = JavaVersion.VERSION_1_8

    dependencies {
        testCompile("junit:junit:4.12")
    }

    jacoco {
        toolVersion = jacoco_version
    }

    //command for generating subproject coverage reports
    jacocoTestReport {
        reports {
            xml.enabled false
            csv.enabled false
            html.destination file("${buildDir}/jacocoHtml")
        }
    }
}

def publishedProjects = subprojects.findAll()

task jacocoRootReport(type: JacocoReport, group: 'Coverage reports') {
    description = 'Generates an aggregate report from all subprojects'
    dependsOn(publishedProjects.test)

    additionalSourceDirs = files(publishedProjects.sourceSets.main.allSource.srcDirs)
    sourceDirectories = files(publishedProjects.sourceSets.main.allSource.srcDirs)
    classDirectories = files(publishedProjects.sourceSets.main.output)
    executionData = files(publishedProjects.jacocoTestReport.executionData)

    doFirst {
        executionData = files(executionData.findAll { it.exists() })
    }

    reports {
        html.enabled = true // human readable
        xml.enabled = true // required by coveralls
    }
}

coveralls {
    sourceDirs = publishedProjects.sourceSets.main.allSource.srcDirs.flatten()
    jacocoReportPath = "${buildDir}/reports/jacoco/jacocoRootReport/jacocoRootReport.xml"
}

tasks.coveralls {
    dependsOn jacocoRootReport
}
I believe that the problem is coming from simply adding a task with JacocoReport as a parameter. Any thoughts on how I could proceed to have both code coverage and my whitelists built correctly?
I have managed to find how to fix the coverage/whitelisting issue. I started stripping away what seemed to be unnecessary code within the subprojects spec, and found that removing everything except the apply plugin:, jacoco, and jacocoTestReport commands yielded both the root Jacoco code coverage, along with the necessary whitelisting. I didn't need to change any of the other code above to get the whitelisting to work.
For reference, subprojects now looks like this:
subprojects {
    apply plugin: 'jacoco'
    apply plugin: 'kotlin'

    jacoco {
        toolVersion = jacoco_version
    }

    //command for generating subproject coverage reports
    jacocoTestReport {
        reports {
            xml.enabled false
            csv.enabled false
            html.destination file("${buildDir}/jacocoHtml")
        }
    }
}

not finding codenarc ruleset using build.gradle

Trying to apply codenarc to a spring boot project, however the gradle build is producing :codenarcMain NO-SOURCE. Please advise on what I am doing wrong.
1) Added plugins to build.gradle
apply plugin: 'groovy'
apply plugin: 'codenarc'
2) Then added the following to the build.gradle
codenarc {
    ignoreFailures = true
}

codenarcMain {
    reports {
        html.enabled = true
    }
    configFile = file("$rootDir/config/codenarc/rules.groovy")
}
3) created rules definition in the file rules.groovy
$rootDir/config/codenarc/rules.groovy

Allure report is empty when use Allure2+Junit5+Gradle+Selenide

My build.gradle is:
apply plugin: 'java'
apply plugin: 'idea'
apply plugin: 'org.junit.platform.gradle.plugin'
apply plugin: 'io.qameta.allure'

defaultTasks 'clean', 'test'

ext.junitJupiterVersion = '5.0.0-M4'
ext.selenideVersion = '4.4.3'

compileTestJava {
    sourceCompatibility = 1.8
    targetCompatibility = 1.8
    options.encoding = 'UTF-8'
    options.compilerArgs += "-parameters"
}

compileJava.options.encoding = 'UTF-8'

tasks.withType(JavaCompile) {
    options.encoding = 'UTF-8'
}

repositories {
    jcenter()
    mavenCentral()
}

buildscript {
    repositories {
        jcenter()
        mavenCentral()
    }
    dependencies {
        classpath 'org.junit.platform:junit-platform-gradle-plugin:1.0.0-M4'
        classpath 'io.qameta.allure:allure-gradle:2.3'
    }
}

allure {
    aspectjweaver = true
    autoconfigure = true
    version = '2.1.1'
}

configurations {
    agent
}

dependencies {
    // JUnit5
    compile("org.junit.jupiter:junit-jupiter-api:${junitJupiterVersion}")
    compile("org.junit.jupiter:junit-jupiter-engine:${junitJupiterVersion}")
    // Selenide
    compile("com.codeborne:selenide:${selenideVersion}") {
        exclude group: 'junit'
    }
    // Allure
    agent 'org.aspectj:aspectjweaver:1.8.10'
    compile 'ru.yandex.qatools.allure:allure-junit-adaptor:1.4.23'
    compile 'io.qameta.allure:allure-junit5:2.0-BETA6'
}

junitPlatform {
    platformVersion = "1.0.0-M5"
    enableStandardTestTask = true
}

task runJupiter(type: JavaExec) {
    jvmArgs '-ea'
    jvmArgs "-javaagent:${configurations.agent.singleFile}"
    classpath = project.sourceSets.test.runtimeClasspath
    main 'org.junit.platform.console.ConsoleLauncher'
    args '--scan-class-path'
    args "--reports-dir=${buildDir}/allure-results"
    finalizedBy 'allureReport'
}

test.dependsOn runJupiter
Tests are finished successfully and three folders are created automatically:
{projectDir}\allure-results with .json file
{projectDir}\build\test-results\junit-platform with TEST-junit-jupiter.xml file
{projectDir}\build\reports\allure-report
I tried to open the .json and .xml results locally via the allure command line (CLI). The allure report opens, but it is blank.
I suppose my mistake is in the gradle dependencies. I am quite confused about which libraries and versions should be used for JUnit5+Allure2+Gradle+Selenide+Java8.
The JUnit Platform Gradle plugin does currently not use the test task (it needs changes in Gradle core in order to do so). Thus, things like test.doFirst {...} are not going to work.
Instead of using the plugin, you should be able to create your own task that runs the ConsoleLauncher and add the JVM agent there. See https://stackoverflow.com/a/43512503/6327046 for an example.

Unable to run more than one plugins in gradle

I have configured the pmd, checkstyle and findbugs plugins in my build.gradle file, as I want to maintain the quality of the codeline.
Part of my build.gradle property is:
task wrapper(type: Wrapper) {
    description = "Generates gradlew (for internal use only)"
    gradleVersion = '1.5'
    jarFile = 'wrapper/wrapper.jar'
}

subprojects {
    apply plugin: 'java'
    apply plugin: 'maven'
    apply plugin: 'findbugs' //TODO: disable findbugs & checkstyle by default.
    apply plugin: 'checkstyle'
    apply plugin: 'pmd'

    pmd.ignoreFailures = true
    findbugs.ignoreFailures = true

    findbugsMain.enabled = true
    findbugsTest.enabled = true
    checkstyleTest.enabled = true
    checkstyleMain.enabled = true

    checkstyle {
        configFile = new File(rootDir, "config/checkstyle/checkstyle.xml")
        ignoreFailures = true
    }
}
My intention is to get all the warnings/errors for pmd, findbugs and checkstyle.
I am trying gradlew check, but I am not able to see any consistent behavior. At times findbugs alone runs.
Can anybody suggest where I am going wrong?
Thanks in advance,
Vijay Bhore
Could you list the output of your
./gradlew check
invocation? Usually this should work, though enabling your tasks manually (e.g. 'findbugsMain.enabled = true') shouldn't be necessary.
cheers,
René