In my project I use dependency-check-maven to run OWASP verifications. Project contains several java modules and a front end module. Configuration in pom is basic one like this
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.3.2</version>
<configuration>
<failBuildOnCVSS>4</failBuildOnCVSS>
<suppressionFiles>
<suppressionFile>owasp-suppressions.xml</suppressionFile>
</suppressionFiles>
<cveUrlBase>...</cveUrlBase>
<cveUrlModified>...</cveUrlModified>
<format>ALL</format>
<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
<cveValidForHours>24</cveValidForHours>
</configuration>
</plugin>
Is it possible to configure the plugin such way that it ignores my front end module but analyses all other ones?
I try to run mvn -Dowasp.dependency-check.excludes=frontend-1.0.1-SNAPSHOT.jar org.owasp:dependency-check-maven:aggregate in the root folder of my project but verification is done in frontend as well
I've the same issue to ignore some javascript modules to be analyzed by the dependency check.
As you can see at https://github.com/jeremylong/DependencyCheck/issues/1009 the developers have an open PR to resolve this request.
I've solved this by not building the javascript module:
mvn verify -pl '!frontend'
It's just a workaround to get the results of the dependency-check locally.
Maybe there exists better ideas?
Related
Some time between the 11th September and the 14th September, running sonar through our travis build started failing with an org.eclipse.dawnsci.targetplatform should be relative to project baseDir error:
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.3.0.603:sonar (default-cli) on project org.eclipse.scanning: Dir /home/travis/build/eclipse/org.eclipse.dawnsci/org.eclipse.dawnsci.targetplatform should be relative to project baseDir -> [Help 1]
Looking through the pom.xml the org.eclipse.dawnsci module does stand out as being different to all of the others:
<modules>
<module>org.eclipse.scanning.target.platform</module>
<module>../org.eclipse.dawnsci</module>
<module>org.eclipse.scanning.api</module>
...
</modules>
I have tried updating sonar-project.properties from
sonar.exclusions=**/*.xml,**/*.class
to each of the following:
sonar.exclusions=**/*.xml,**/*.class,../org.eclipse.dawnsci
sonar.exclusions=**/*.xml,**/*.class,org.eclipse.dawnsci*
sonar.exclusions=**/*.xml,**/*.class,org.eclipse.dawnsci**
but none of these changes helped.
After previous problems I have added --fail-never to the mvn -q sonar:sonar command in .travis.yml so this problem won't prevent pull requests being merged, but it would be nice to have sonar reports on our repo again.
Any suggestions about how I can fix our travis build would be appreciated?
We changed the way we validate project layout, and it leads to this error. A ticket was created to track this change, and we are currently discussing options (like updating the SonarQube Scanner for Maven). Feel free to follow it for updates, and sorry for the inconvenience.
For your specific case, one workaround is to create a build profile, and exclude module ../org.eclipse.dawnsci when running the SonarCloud analysis. Or move the module to be under the project basedir (and avoid using .. in module location).
As a side note, there is no point maintaining the file sonar-project.properties if you are using the Scanner for Maven (mvn sonar:sonar) since the Scanner for Maven will only read configuration from pom.xml.
As suggested by Julien H. - SonarSource Team adding a profile did solve this problem.
In the pom.xml I changed
<modules>
<module>org.eclipse.scanning.target.platform</module>
<module>../org.eclipse.dawnsci</module>
...
</modules>
to
<profiles>
<profile>
<id>externalModules</id>
<activation><activeByDefault>true</activeByDefault></activation>
<modules>
<module>../org.eclipse.dawnsci</module>
</modules>
</profile>
</profiles>
<modules>
<module>org.eclipse.scanning.target.platform</module>
...
</modules>
so that the module is included by default.
I then added -P !externalModules to my mvn sonar:sonar command in .travis.yml so that it was excluded when running sonar analysis.
I stumbled over the same problem and finally came to the conclusion that this has all been fixed in the latest sonar-maven-plugin 3.4. You can simply upgrade your dependency to this:
<plugin>
<groupId>org.sonarsource.scanner.maven</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<version>3.4.0.905</version>
</plugin>
I'm using Eclipse 4.4.1 with m2e plugin and the latest gae dependencies. When I import the gae module sample project eclipse tells me that the project configuration is not up to date. If I run the suggested maven -> update project, I get a NPE.
There are a lot of bug reports according NPE on project updates out there. So far I've tried it with mvn eclipse:eclipse or maven project imports, in fresh or existing workspaces but I was never able to get the projects running in eclipse.
Are there any solutions to this?
EDIT:
That is the stacktrace:
java.lang.NullPointerException at
com.google.appengine.eclipse.wtp.maven.GaeRuntimeManager.getGaeRuntime(GaeRuntimeManager.java:85)
at
com.google.appengine.eclipse.wtp.maven.GaeRuntimeManager.ensureGaeRuntimeWithSdk(GaeRuntimeManager.java:55)
at
com.google.appengine.eclipse.wtp.maven.GaeFacetManager.addGaeFacet(GaeFacetManager.java:59)
at
com.google.appengine.eclipse.wtp.maven.GaeProjectConfigurator.configure(GaeProjectConfigurator.java:46)
at
org.eclipse.m2e.core.project.configurator.AbstractLifecycleMapping.configure(AbstractLifecycleMapping.java:120)
at
org.eclipse.m2e.core.internal.project.ProjectConfigurationManager$3.call(ProjectConfigurationManager.java:477)
at
org.eclipse.m2e.core.internal.project.ProjectConfigurationManager$3.call(ProjectConfigurationManager.java:1)
at
org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:166)
at
org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:142)
at
org.eclipse.m2e.core.internal.project.ProjectConfigurationManager.updateProjectConfiguration(ProjectConfigurationManager.java:470)
at
org.eclipse.m2e.core.internal.project.ProjectConfigurationManager.configureNewMavenProjects(ProjectConfigurationManager.java:250)
at
org.eclipse.m2e.core.internal.project.ProjectConfigurationManager$1.call(ProjectConfigurationManager.java:163)
at
org.eclipse.m2e.core.internal.project.ProjectConfigurationManager$1.call(ProjectConfigurationManager.java:1)
at
org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:166)
at
org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:142)
at
org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:96)
at
org.eclipse.m2e.core.internal.embedder.MavenImpl.execute(MavenImpl.java:1348)
at
org.eclipse.m2e.core.internal.project.ProjectConfigurationManager.importProjects(ProjectConfigurationManager.java:133)
at
org.eclipse.m2e.core.ui.internal.wizards.ImportMavenProjectsJob$1.doCreateMavenProjects(ImportMavenProjectsJob.java:73)
at
org.eclipse.m2e.core.ui.internal.wizards.AbstractCreateMavenProjectsOperation.run(AbstractCreateMavenProjectsOperation.java:62)
at
org.eclipse.m2e.core.ui.internal.wizards.ImportMavenProjectsJob.runInWorkspace(ImportMavenProjectsJob.java:82)
at
org.eclipse.core.internal.resources.InternalWorkspaceJob.run(InternalWorkspaceJob.java:38)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
You can comment out the appengine-maven-plugin to solve the problem, but by doing that you lose the command-line capabilities of the plugin. You can have the best of both worlds (Eclipse and Maven command-line) by using Maven profiles:
<profiles>
<profile>
<id>gae</id>
<build>
<plugin>
<groupId>com.google.appengine</groupId>
<artifactId>appengine-maven-plugin</artifactId>
<version>${appengine.target.version}</version>
</plugin>
</build>
</profile>
</profiles>
To activate it, for instance, to deploy the project from the command-line, you can do:
mvn appengine:update -P gae
When defining the appengine-maven-plugin only inside a profile, Eclipse won't use it, and the bug goes away. When using the command-line, just remember to activate it using the -P flag.
I had the same problem suddenly appear in one of my projects. Disabling the JPA validator seems to have resolved the issue for now.
Select Windows > Preferences > Validation
Disable the JPA Validator for both Manual validation and Build validation
It might be related to the "The persistence.xml file does not have recognized content" error described in here: www-01.ibm.com/support/docview.wss?uid=swg21616684 .
I had the same issue after updating from Eclipse Kepler (4.3) to Luna (4.4). Commenting out the app-engine-maven plugin from my pom.xml fixed it for me.
<!--
<plugin>
<groupId>com.google.appengine</groupId>
<artifactId>appengine-maven-plugin</artifactId>
<version>${appengine.target.version}</version>
</plugin>
-->
I'm able to run and deploy my app without any issues so far.
seem to be a duplicate of An internal error occurred during: "Updating Maven Project". java.lang.NullPointerException
got to preferences / Server / Runtime Environemnt
--> select "Google App Engine" and associate a valid SDk to this runtime.
I have a eclipse plugin that contains JUnit Tests developed using SWTBot.
I'm trying to run the test against a eclipse installation using tycho-surefire-plugin on a hadless mode. Here is my maven conviguration:
<plugin>
<groupId>org.eclipse.tycho</groupId>
<artifactId>tycho-surefire-plugin</artifactId>
<version>${tycho-version}</version>
<configuration>
<useUIThread>false</useUIThread>
<testRuntime>p2Installed</testRuntime>
<work>${work.dir}</work>
<useUIHarness>true</useUIHarness>
<useUIThread>false</useUIThread>
<argLine>${ui.test.args}</argLine>
<appArgLine>${ui.test.vmargs}</appArgLine>
<application>com.myapplication</application>
</configuration>
</plugin>
I'm running test using:
mvn verify
Everything is ok except that fact that if I'm doing some code change on my plugin the newer version of the code is not deployed into eclipse installation.
Before running mvn verify I'm running a mvn install command.
If I'm adding a new test class I get
Caused by: org.apache.maven.surefire.util.NestedRuntimeException: Unable to create test class 'com.tests.MyNewClassTest'; nested exception is java.lang.ClassNotFoundException:
I there any configuration that I'm missing. How can I redeploy test plugin?
Incremental builds, i.e. builds without clean require that the build plug-ins correctly cope with the build results in the target folder from the previous execution. This is apparently not the case for the tycho-surefire-plugin.
I am trying to create an OSGi bundle and integrate it into eclipse. I am using the maven-pax-plugin to create the bundles. These are the steps I follow
I create an osgi project using pax
mvn org.ops4j:maven-pax-plugin:create-project -DgroupId=org.sonatype.mcookbook -DartifactId=osgi-project -Dversion=1.0-SNAPSHOT
and then create a bundle
mvn pax:create-bundle -Dpackage=org.sonatype.mcookbook -Dname=osgi-bundle -Dversion=1.0-SNAPSHOT
and then try to import the maven project into eclipse (file/import/existing maven project) the bundle project created in the second step always gives me this error
maven-pax-plugin:1.5:compile (1 error)
Execution default-compile, in org.sonatype.mcookbook/pom.xml
maven-pax-plugin:1.5:testCompile (1 error)
Execution default-testCompile, in org.sonatype.mcookbook/pom.xml
When I select one of the errors the description says
No marketplace entries found to handle Execution default-compile, in org.sonatype.mcookbook/pom.xml in Eclipse. Please see Help for more information.
If i ignore the error and import the project anyway this is what eclipse complains about
Plugin execution not covered by lifecycle configuration: org.ops4j:maven-pax-plugin:1.5:compile (execution: default-compile, phase: compile)
Has anyone seen this? any ideas how to fix it?
I am following this tutorial but adding integration with eclipse. Note however that if I build it with maven and don't use eclipse at all it all works fine, the problem is in eclipse/m2e
I am using Eclipse Indigo SR2 and m2e 1.0.200
I get rid of this problem by following the comment in the generated POM and move the <extensions>true</extensions> down to the maven-bundle-plugin below giving:
...
<plugins>
<plugin>
<groupId>org.ops4j</groupId>
<artifactId>maven-pax-plugin</artifactId>
<version>1.4</version>
<!--
| enable improved OSGi compilation support for the bundle life-cycle.
| to switch back to the standard bundle life-cycle, move this setting
| down to the maven-bundle-plugin section
-->
<!-- WAS HERE -->
</plugin>
<plugin>
<groupId>org.apache.felix</groupId>
<artifactId>maven-bundle-plugin</artifactId>
<version>1.4.3</version>
<!--
| the following instructions build a simple set of public/private
| classes into an OSGi bundle
-->
<extensions>true</extensions> <!-- MOVED HERE :-) -->
<configuration>
...
Then update the project (Right click on project name in Project Explorer: Maven -> Update Project...), wait for the build to complete and the error is gone.
Hope that helps!
The new m2eclipse versions require that every plugin that affects the build is supported using a m2eclipse plugin. So the maven-pax-plugin is not yet supported. As this basically happens with most maven plugins out there I still use the old m2eclipse version.
Unfortunately the old version 0.12 download seems to have been removed recently. So probably you will have to wait till maven-pax-plugin is supported.
I'm using the GWT Maven plugin from Codehaus with m2eclipse. Where is my web.xml file supposed to end up? Isn't the Maven build supposed to copy it to the /war directory? I can't see it there. Or does Jetty pick it up automatically from src/main/webapp/WEB-INF/?
Here's a relevant section from my pom.xml.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>2.0.2</version>
<configuration>
<warSourceDirectory>war</warSourceDirectory>
<webXml>src/main/webapp/WEB-INF/web.xml</webXml>
</configuration>
</plugin>
I believe web.xml (and everything else under src/main/webapp/) gets copied into target/<projectname>-<version>/ during the normal maven lifecycle (For example, when you run mvn install).
If you're running any of the gwt-maven plugin goals, then check out this link.
When running gwt:run, if you want to run the full web app just as if you have built and deployed a war, I found the best way is to add the following to the configuration for the gwt-maven plugin:
<hostedWebapp>
${project.build.directory}/${project.build.finalName}
</hostedWebapp>
This tells gwt-maven plugin to look for the web.xml (and all the other parts of the war file) under target/<projectname>-<version>/. So make sure to either run mvn install first (or mvn war:exploded), then run mvn gwt:run and you should be set.