I have a multi-module maven project which seems to have correctly generated OWASP dependency reports at both the parent and child module /target dirs using the org.owasp:dependency-check-maven plugin as so:
However, referencing the plugin docs, and executing the sonar-maven-plugin as below, I just can't work out what the correct command should be, any combination seems to lead to a build failure:
mvn sonar:sonar -Dsonar.sources=? -Dsonar.dependencyCheck.reportPath=?
Can anyone explain how to configure a multi-module maven project and have Sonar recognise the OWASP dependency reports?
Below is a screenshot of the starting point - we've had a CI pipeline up and running producing separate unit and integration test coverage stats for each of the submodules for some time.
Ok, so have contacted the author and the dependency-check-sonar-plugin doesn't work with a multi-module maven project.
So we are just going to produce a static artefact in a one-off fashion and not attempt to integrate with our CI pipeline.
Related
I am using below commands to build my maven code.
Compile-
-DargLine="-DDB_SERVER=localhost -DDB_PORT=5432 -DDB_NAME=sample -DDB_USER=sample -DDB_PASSWORD=sample -DDB_MAX_POOL=10" -Dcom.sample.redis=false clean compiler:compile
Unit-Test Analysis-
DargLine=-DDB_SERVER=localhost -DDB_PORT=1234 -DDB_NAME=sample -DDB_USER=sample -DDB_PASSWORD=sample -DDB_MAX_POOL=10 -Dcom.sample.redis=false -Dcobertura:cobertura-integration-test -Dcobertura.aggregate=false -Dcobertura.report.format=xml integration-test test
And using below sonar properties to capture xml to publish in sonar.
sonar.projectKey=sample
sonar.projectName=sample
sonar.projectVersion=$PipelineId
sonar.modules=admin,client-api,common,om,serviceproviders
sonar.cobertura.reportPath=target/site/cobertura/coverage.xml
sonar.sources=.
sonar.skipPackageDesign=true
sonar.sourceEncoding=UTF-8
Being Multi module the code coverage is showing only 9.4%. Am I missing anything. I don't see any error logs as well.How can I achieve the same using coverage tool like Jacoco.
SonarQube - Version 5.1.1 - LGPL v3
Maven has a lifecycle Maven Lifecycle where each of the targets includes the ones before it. e.g. "test" includes "compile", "integration-test" includes "test", etc. You generally need to only include the target at the tip of the lifecycle. e.g. "mvn test" means (compile AND run the tests).
I'm thinking you want to run the "mvn verify" goal, which is compile, run tests and integration tests, and then run verifications (coverage checks, etc). Cobertura has a plugin that should integrate with maven and tap into various goals to run its pieces at appropriate times. I'm guessing you are messing up cobertura by having multiple targets and trying to break it into pieces - i.e. overwriting the instrumentation or something.
Similarly, you might find using jacoco easier than cobertura. It hides the instrumentation, and integrates pretty seemlessly with maven.
Good luck.
I have a multi module maven project ('assembler'), and I would like to add a FindBugs phase.
The problem is that some of the projects are not able to build stand alone since have dependencies on other projects... however when I invoke mvn package from the 'assembler' project - it works fine and all inner dependencies are resolved.
The problem is that when mvn findbugs:findbugs command is executed, those inner dependencies are not resolved, and maven complains.
Searching Google, I found a way to make it work, using mvn install, but I do not like this approach since eventually this should be used in CI with Jenkins and I do not want to rely on local maven repo on the build server.
Will appreciate hearing your ideas.
Thanks.
Don't be afraid of mvn install, it is your friend. What you need is to set up a centralized Maven repository (such as Nexus or Artifactory) or rent one (such as Bintray) to which you deploy your Maven artifacts to.
Jenkins or any other decent CI engine can do the actual deploying for you, either natively or through Maven. Once deployed, other users - Jenkins included - will be able to resolve their dependencies and you will be able to run FindBugs, PMD, JaCoco, host Javadoc or pretty much anything you want.
Side-note: Don't get confused by the term deploy as most people new to Maven usually get. In context of Maven, it has absolutely nothing to with your target environment. It simply means that an artifact is pushed out to a remote repository and nothing else.
I have a multimodule Maven project, it is analyzed using the Sonar Maven runner and coverage is done with Jacoco. For our integration tests we want to see the coverage across all modules (because they are integration tests after all).
Therefore we configure the jacoco-it.exec file to be in ${user.dir}, with the appendproperty to true. This way all modules append their information to the same location and coverage is calculated over all modules.
But since append is true the file will still be there on a next run, since it isn't placed in a directory that maven cleans. This leads to incorrect coverage reports.
What is the best way to clean up this file after a sonar run? Ideally I would like to configure this in the same pom profile as our jacoco/sonar configuration, so that no other projects need to remember to set a clean step in Jenkins or whereever. The sonar/jacoco configuration is in a company wide parent pom file.
Since you are using Maven, you could try and use the maven-antrun-plugin to delete the file.
I don't know how you run Sonar Maven, but you can either bind the maven-antrun-plugin task to a phase after the one the Sonar Maven Runner is bound to (and you would have the file deleted automatically and the end of each run) or you can call the maven-antrun-plugin from the command line.
I'm trying to run 'mvn clean install' in a sub-module of a multi-module project. The project is Jacoco but I assume it's more an issue of me not understanding how Maven is being used here than an issue with Jacoco itself.
https://github.com/jacoco/jacoco/blob/master/jacoco-maven-plugin.test/it/it-site/pom.xml
I get the following error:
[ERROR] Plugin #project.groupId#:jacoco-maven-plugin:#project.version#
or one of its dependencies could not be resolved: Failed to read
artifact descriptor for
#project.groupId#:jacoco-maven-plugin:jar:#project.version#
I see the following in the pom:
<groupId>#project.groupId#</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
I'm not familiar with using the # symbol in #project.groupId# although i assume it is somehow supposed to get substituted at runtime.
I can run Maven from the top level pom and I even see [INFO] Building: it-site/pom.xml in the log but a target directory is not created there.
A nudge in the right direction would be appreciated.
This probably has something to do with the pom file here: https://github.com/jacoco/jacoco/blob/master/jacoco-maven-plugin.test/pom.xml
It is using a plugin called the maven invoker.
The Invoker Plugin is used to run a set of Maven projects. The plugin can determine whether each project execution is successful, and optionally can verify the output generated from a given project execution.
And if you read about filtering files with this plugin, it mentions:
POM files selected by the include/exclude patterns. The tokens to be filtered must be enclosed in #...# to avoid interferences with Maven's normal POM interpolation, i.e. use #project.version# instead of ${project.version}.
Regarding why the Invoker Plugin and filtering is being used here...
The Spring Boot documentation provides some relevant background on why that is. Although the docs are for Spring Boot, i think it applies to testing all plugins (which Jacoco is).
Multi-module Maven builds cannot directly include maven plugins that
are part of the reactor unless they have previously been built. ...
The standard build works around this restriction by launching the
samples via the maven-invoker-plugin so that they are not part of the
reactor.
The sample application are used as integration tests during the build
(when you mvn install). Due to the fact that they make use of the
spring-boot-maven-plugin they cannot be called directly, and so
instead are launched via the maven-invoker-plugin.
I've set up a Bamboo server and made a test project and plan with a Maven build task.
But this task doesn't produce any artifacts (except, maybe, test results, which I've unchecked). And I'd like to have all maven artifacts to be attached to the build results, like it is done in Hudson.
How to do that?
You can find some info on the Bamboo documentation.
This is for the latest Bamboo release (v3.4).
Also, are you running Maven with the goal package (or install) ?