I have multiple projects bound by a single parent pom.
If i run fortify scan on parent pom using Maven fortify plugin, fpr files for each project is generated. I would like to have a single fpr file being generated for all the projects. Is it possible ?
Thanks and Regards,
Saurav
What you want to do is an aggregate build. Try setting the same build ID for each module and then pass the -Dfortify.sca.toplevel.artifactId as the artifactID of the parent POM. This should give you a single FPR file. It should look like:
mvn clean
mvn -Dfortify.sca.buildId=ACMEPortal com.fortify.ps.maven.plugin:sca-maven-plugin:<version>:clean
mvn -Dfortify.sca.buildId=ACMEPortal package com.fortify.ps.maven.plugin:sca-maven-plugin:<version>:translate
mvn -Dfortify.sca.Xmx=800M -Dfortify.sca.buildId=ACMEPortal -Dfortify.sca.toplevel.artifactId=AcmePortal com.fortify.ps.maven.plugin:sca-maven-plugin:<version>:scan
Related
My project structure looks like this:
services
A
a1
a2
pom.xml
B
b1
b2
pom.xml
pom.xml
I would like to scan the inner-most projects (a1,a2,b1,b2). In jenkins Post Steps, I added "Analysis properties" in Execute SonarQube Scanner without property files, mainly:
sonar.modules=A,B
sonar.sources=src
I would like to build from services directory, but it failed with this ERROR:
The folder 'src' does not exist for 'A:a1'
I understand, that SonarQube tries to find src inside the directory A, but I have a few nested projects like a1 (I also tried A.modules=a1,a2 without success)
How can I make the scanner analyze these projects?
this is my solution:
sonar.modules=A,B
A.sonar.modules=a1,a2
B.sonar.modules=b1,b2
sonar.projectBaseDir=.
sonar.sources=src
the key point is projectBaseDir ,I hope this can help someone meet the similar problem.
Use the maven goal sonar:sonar instead of a sonar.properties configuration, when analyzing maven projects with SonarQube.
You should not even have to change any analysis property, when using maven. The maven configuration will already give sonar information about source folders, etc. Check the official documentation on how to set it up. Usually you do not have to change the pom.xml of the projects for this (only you local maven settings.xml).
I have Jenkins setup using Multi SCM due to the way our code is structured with two main directories in the workspace. I'd like to use static analysis, PMD or another, but they can't find *.java due to the two main structures. How do I change the workspace or PMD so it can find my code in the two directories?
Not sure about PMD, but for SonarQube you can specify what code you analyze.
sonar.sources=./src/repo1,./src/repo2
You could also try checking out to a sub-directory to help with it.
e.g. checkout to a ./src/ diretory and analyze the whole directory.
I have a multi module project. There is a parent pom in which I have added the maven-dependency plugin to the plugin management section. I have not tied this plugin's execution to a phase. In one of the child modules pom.xml, I have added this same plugin with different configuration.
However when I execute from the command line
mvn dependency:copy
Then only my parent pom plugin configuration executes for the maven-dependency plugin and all the child modules are skipped. Why is this? Does inheritance work only if plugins are tied to a specific phase?
The simple answer to this is: If you try to run maven via command like you did you are calling a plugin but you will not run the life cyclce which is needed to get the inheritance mechanism take care of the pom files. In your examples if you would start the life cylce with something like:
mvn package
or something similar like:
mvn verify
all your sub modules would be visited during the life cyclce.
I know that, we can very well use ANT and Maven together to build the project.We can run ANT scripts through Maven's POM.xml. But my question is can we run pom.xml through ANT's build.xml ?
i.e. can we create maven build from build.xml
Yes, using maven ant tasks.
The page lists out multiple maven tasks which can be integrated into an ant build script, thus combining the features of both. To take an example, there is the mvn task, which as documented can do a full maven build from ant.
<artifact:mvn mavenHome="/path/to/maven-3.0.x">
<arg value="install"/>
</artifact:mvn>
Besides this, there are
Dependencies task
Install and Deploy tasks
Pom task
each described with examples.
Maven and ANT are very different build tools. In ANT you write all the logic yourself, whereas a standard build process is "baked in" with Maven.
The POM file contains no logic, instead it contains a series of declarations about your project.
If you understand well how Maven works, it is theoretically possible to take a POM and generate an ANT build that emulates the behaviour of the Maven build. I'm not aware of any solution which can easily convert in the other direction, mainly because ANT is missing Maven functionality, such as dependency management.
Instead of trying to convert an ANT build into Maven, I'd recommend that you keep your existing build logic and delegate the management of your classpath to the ivy or Maven ANT tasks. These tools also provide tasks to publish your build output to a Maven repository, enabling your project to share with other projects using Maven.
Finally, I'm an ivy advocate and wrote an ant2ivy script which can assist in upgrade process. It creates an initial set of configuration files for downloading your projects dependencies from the Maven central repository.
I have a Java project that is dependent on other Java projects that are siblings and there is a chain of dependencies. Each individual project has a build script written in Ant. For clarity find below a sample of the same.
EARProject depends on WebProject and EJBProject: The war file that is generated by the WebProject build and jar file that is generated by the EJBProject are needed to build the EARProject.
WebProject depends on ComponentOneProject: The jar file that is generated by the ComponentOneProject build is needed to build WebProject.
EJBProject depends on ComponentTwoProject: The jar file that is generated by the ComponentTwoProject build is needed to build EJBProject.
So, when I build the EARProject build, if the dependent war and jar have not been built yet, then it should kick-off the WebProject build and EJBProject build and if the ComponentOneProject is yet to be built, the build of ComponentOneProject needs to be kicked-off and so on.
Can someone suggest a clean method by which we can accomplish this?
Facing the same problem we at our company wrote a custom Groovy script that explores the full dependency tree ant generates the Ant build scripts based on all the .project, .classpath, .settings/* files. This wasn't as difficult as it might seem as first. This way we can build our products without (My)Eclipse on a clean CVS+JDK+Groovy virtual machine. Hope it helps..