I have an issue with running scan with excluding xsd files in fortify SCA.
I am using maven (with fortify plugin) + jenkins.
My POM.xml used by Jenkins:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>pl.bluecode</groupId>
<artifactId>bc</artifactId>
<version>1.0</version>
<packaging>pom</packaging>
<properties>
</properties>
<scm>
<connection>scm:svn:https://subversion......</connection>
<developerConnection>scm:svn:https://subversion.....</developerConnection>
<tag>HEAD</tag>
<url>https://subversion......</url>
</scm>
<profiles>
<profile>
<id>common</id>
<activation>
<activeByDefault>true</activeByDefault>
<property>
<name>!skipCommonProfile</name>
</property>
</activation>
<modules>
<module>Project1</module>
<module>Project2</module>
</modules>
</profile>
<profile>
<id>profile1</id>
<modules>
<module>Project3</module>
<module>Project4</module>
</modules>
</profile>
</profiles>
<build>
<sourceDirectory>${basedir}/src</sourceDirectory>
<finalName>${project.artifactId}</finalName>
<resources>
<resource>
<directory>${basedir}/src</directory>
<includes>
<include>**/*.properties</include>
</includes>
</resource>
<resource>
<directory>${basedir}/src</directory>
</resource>
</resources>
<pluginManagement>
<plugins>
<plugin>
<groupId>com.fortify.ps.maven.plugin</groupId>
<artifactId>maven-sca-plugin</artifactId>
<version>2.6</version>
<configuration>
<source>1.5</source>
<failOnSCAError>true</failOnSCAError>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
My Jenkins Maven goals looks like:
1st goal:
com.fortify.ps.maven.plugin:maven-sca-plugin:2.6:clean -Pprofile1
2nd goal:
com.fortify.ps.maven.plugin:maven-sca-plugin:2.6:translate -Pprofile1
3rd goal:
com.fortify.ps.maven.plugin:maven-sca-plugin:2.6:scan -Pprofile1
Unfortunately I can not attach image.
Above configuration is working as expected till now.
Now, I'd like to exclude all XSD files from scan.
How to do it?
I tried to add -exclude ".xsd" entry in maven goals:
com.fortify.ps.maven.plugin:maven-sca-plugin:2.6:scan -Pprofile -exclude ".xsd"
but it doesn't work.
If someone can help we I would be grateful.
Thanks.
in theory the Fortify Maven Plugin supports the exclusion of files, but it doesn't always work as expected.
Now, that being said, you are not invoking the exclusion correctly. Where you built the Fortify Maven Plugin, find the documentation for the translate goal, e.g. for me: /Samples/advanced/maven-plugin/target/site/translate-mojo.html#exclude.
There you can find the correct way to invoke exclusion. On the command line:
"-Dfortify.sca.exclude=*.xsd"
or in the POM (if you set up the fortify translate job there)
<exclude>
*.xsd
</exclude>
Now back to my first point. Sometimes exclusion is more difficult to effect than just by setting the value as *.extension. You may also need to specify the directory as well, so if the above doesn't work, try also the Fortify special glob parameter "**" which means any recursive subdirectory match. To wit:
"-Dfortify.sca.exclude=**/*.xsd"
or
<exclude>
**/*.xsd
</exclude>
If neither of the above work, then contact Fortify Technical Support.
Pro tip: you can also set this value in Core/config/fortify-sca.properties, where it will affect every invocation of sourceanalyzer on the system. That includes invocations via the maven plugin.
Related
I need to build and deploy the war into glassfish using maven(Problem explained below).
Currently I managed to deploy the war using maven glassfish plugin and I've used the goal redploy as shown in the POM below:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>Myapp</groupId>
<artifactId>Myapp</artifactId>
<packaging>war</packaging>
<version>1.0</version>
<name>APP WEB APP</name>
<url>http://maven.apache.org</url>
<build>
<finalName>MyApp</finalName>
<plugins>
<plugin>
<groupId>org.glassfish.maven.plugin</groupId>
<artifactId>maven-glassfish-plugin</artifactId>
<configuration>
<terse>false</terse>
<echo>true</echo>
<debug>true</debug>
<glassfishDirectory>C:\glassfish3\glassfish</glassfishDirectory>
<user>admin</user>
<adminPassword>admin</adminPassword>
<domain>
<name>domain1</name>
<host>localhost</host>
<adminPort>4848</adminPort>
</domain>
<components>
<component>
<name>${project.artifactId}</name>
<artifact>${project.build.directory}/${project.build.finalName}.war</artifact>
</component>
</components>
</configuration>
<executions>
<execution>
<phase>install</phase>
<goals>
<goal>redeploy</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
Problem: say there is already a war deployed and when I execute the command mvn clean install and something goes wrong during the deployment.Since I've used the goal as redeploy the war would 1st do a undeploy and then do a deploy.In my case this POM cannot be used for the next time because there is a failure and the war does not exist.
Help required
Please help me to achieve a check in POM whether the war is deployed or not and then based on the result I need to initiate goals deploy or undeploy which suites.
Say there is no war deployed i need to call glassfish:deploy in POM.
Thanks for your time in advance
Found my answer Here:
Redeploy remote glassfish with cargo fails
No matter there is or isn't a war deployed the cargo plugin takes care of the above mentioned problem.
Main Catch is adding
<cargo.runtime.args>force=true</cargo.runtime.args>
I have three maven projects in my prototype:
bookman (main project)
|-- bookman-back-lend (module, simple service app)
\-- bookman-front-web (module, simple web app)
This is very simple example book lending app (for library or something) to learn various technologies and all of that.
Problem is that I can't make parent pom to execute goals in module poms.
Calling mvn clean package wildfly:deploy in any module individually works without problem. It compiles, deploys, war is replaced, Wildfly 8 does its thing, etc. But if I call parent POM with mvn clean package (I'm not even sure what to call...), it doesn't do much - certainly it does not deploy to wildfly any of modules. Wildfly does not budge. In parent POM, calling mvn clean package wildfly:deploy does not work, of course.
Here is parent pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.mader.bookman</groupId>
<artifactId>bookman</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>pom</packaging>
<name>Main BookMan superproject.</name>
<description>Main BookMan superproject.</description>
<modules>
<module>bookman-front-web</module>
<module>bookman-back-lend</module>
</modules>
</project>
And module POMs, with some stuff cut out for brevity (I assume they aren't related to my problem).
bookman-front-web/pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>bookman-front-web</artifactId>
<packaging>war</packaging>
<name>Frontend project - webpage.</name>
<description>Web page to handle lending books.</description>
<parent>
<groupId>org.mader.bookman</groupId>
<artifactId>bookman</artifactId>
<version>0.0.1-SNAPSHOT</version>
</parent>
<properties>
...
</properties>
<repositories>
...
</repositories>
<dependencyManagement>
...
</dependencyManagement>
<dependencies>
...
</dependencies>
<build>
<finalName>${project.artifactId}</finalName>
<defaultGoal>clean package wildfly:deploy</defaultGoal>
<plugins>
<plugin> <!-- To use, run: mvn clean package wildfly:deploy -->
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<version>${version.wildfly.maven.plugin}</version>
</plugin>
</plugins>
</build>
</project>
And bookman-back-lend/pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>bookman-back-lend</artifactId>
<packaging>war</packaging>
<name>Backend project - lending.</name>
<description>Business logic to handle books, users and act of lending.</description>
<parent>
<groupId>org.mader.bookman</groupId>
<artifactId>bookman</artifactId>
<version>0.0.1-SNAPSHOT</version>
</parent>
<properties>
...
</properties>
<repositories>
...
</repositories>
<dependencyManagement>
...
</dependencyManagement>
<dependencies>
...
</dependencies>
<build>
<finalName>${project.artifactId}</finalName>
<defaultGoal>clean package wildfly:deploy</defaultGoal>
<plugins>
<plugin> <!-- To use, run: mvn clean package wildfly:deploy -->
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<version>${version.wildfly.maven.plugin}</version>
</plugin>
</plugins>
</build>
</project>
It should be possible to have customized goals to execute for each module individually, right? Right? Otherwise those aggregate POMs are rather useless.
Unfortunately, questions like this suggest that maven goal executed on parent POM is exactly same goal to execute on child POMs. Who thinks up something like that? What if I need completely different goals in each child module?
All answers I found are few years old, maybe... just maybe... sanity prevailed and maven now allows something like that? After all, all information neccessary to do this should be accessible, like defaultGoal tag.
Problem was solved in radical way. Maven is dead, long live Gradle.
I was tinkering with it last few days and I already moved prototype to point where it actually works. While there is still tons of work left, I already know I will not be looking back.
So, yeah... if you have requirements that cannot be done easily or at all with Maven for various reasons, then consider Gradle. In fact, consider Gradle anyway.
I have setup Maven and Sonar to analyze .NET projects and it works fine for winforms projects. However when I add an MVC project it gives a build Failure because it can't find the System.Web.MVC.dll file. I have an Fx-Cop plugin that runs as part of Sonar.
One way to get around this would be to package the dll, copy local= true with the project. However I dont want to do that(any thing wrong with packaging the MVC file along?)
How do I add a dependency to the MVC dll? I followed this example and added it like this:
<dependencies>
<dependency>
<groupId>artifact_group_id</groupId>
<artifactId>System.WEb.MVC</artifactId>
<version>4.0.30319</version>
<type>library</type>
<scope>system</scope>
<systemPath>C:\DOTNET\DLLS\System.Web.Mvc.dll</systemPath>
</dependency>
</dependencies>
Still I get a Build Failure caused by FX-Cop. Looking at the FX-Cop logs I get a message as below:
The following error was encountered while reading module 'MyTestMvcApp': Assembly reference cannot be resolved: System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35.
I'm using apache-maven-3.0.2 and sonar-3.2. Can anyone help with this?
This is the full POM.XML file
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>Test</groupId>
<artifactId>Sonar.For.NET.Test</artifactId>
<version>1.0</version>
<name>Testing </name>
<packaging>netpack</packaging>
<properties>
<visual.studio.solution>TestProjectsForSonarBuild.sln</visual.studio.solution>
<visual.test.project.pattern>*.Tests;*Test</visual.test.project.pattern>
<dotnet.tool.version>4.0</dotnet.tool.version>
<sonar.language>cs</sonar.language>
</properties>
<dependencies>
<dependency>
<groupId>artifact_group_id</groupId>
<artifactId>System.WEb.MVC</artifactId>
<version>4.0.30319</version>
<type>library</type>
<scope>system</scope>
<systemPath>C:\DOTNET\DLLS\System.Web.Mvc.dll</systemPath>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.sonar-plugins.dotnet</groupId>
<artifactId>maven-dotnet-plugin</artifactId>
<version>0.6</version>
<extensions>true</extensions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<configuration>
<toolVersion>3.5</toolVersion>
<buildConfigurations>Debug</buildConfigurations>
<rebuild>true</rebuild>
<language>cs</language>
</configuration>
</plugin>
</plugins>
</build>
</project>
Thanks for your time.
You can use the "sonar.fxcop.assemblyDependencyDirectories" property as described on the documentation page for the FxCop plugin.
So you have 2 solutions from there:
either your build process copies "System.Web.MVC.dll" in a temp folder, which you reference through the this property
or you directly reference an absolute path where this DLL can be found (but your property may then be not portable accros different environments/servers)
Setup Jenkins (with sonar plugin) and sonar (with cxx-plugin). There is a build step to create the "......./gcovr-reports/gcovr-result-test.xml" file. Problem is coverage results to not show up ob Snar dashboard. But it appears that sonar.runner is excuting .... but transcript does not show that CxxGcovrSensor is being run.
what errormessages do you get?
try importing your project using maven for more details on errormessges.
I had similar issues because my pom.xml was broken. below is a working one.
be sure your folder structure looks like this:
(you need to cd to base)
base=/some/folder/myProject/ <-- put pom.xml here
src_folder=/some/folder/myProject/src
reports_folder=/some/folder/myProject/reports (with all the subdirs for reports)
also be sure your reports are named lik: xunit-result-.xml
cd to /some/folder/myProject and mvn sonar:sonar
(mvn -X sonar:sonar for debug mode)
(btw. if you get strange errors try removing all irrelevant plugins from sonar/external/plugins (just leave cxx there)
do not forget to set JAVA_PATH for sonar
goto basefolder
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>NETICOA</groupId>
<artifactId>MYPROJECT</artifactId>
<version>5.3.10-myversion</version>
<packaging>pom</packaging>
<name>myProject</name>
<description>php svn code</description>
<!-- pom.xml extract -->
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cxx-maven-plugin</artifactId>
<version>0.0.5-SNAPSHOT</version>
<configuration>
<sourceDirs>
<sourceDir>${basedir}/src</sourceDir>
</sourceDirs>
<!-- All of the sub configuration nodes following are needed by sonar-cxx plugin -->
<!-- This sample provided values are default values. -->
<!-- So you can simple remove all of it if you provide reports in the right places -->
<xunit>
<directory>${basedir}/reports/xunit-reports</directory>
<includes>
<include>**/xunit-result-*.xml</include>
</includes>
</xunit>
<gcovr>
<directory>${basedir}/reports/gcovr-reports</directory>
<includes>
<include>**/gcovr-reports-*.xml</include>
</includes>
</gcovr>
<cppcheck>
<directory>${basedir}/reports/cppcheck-reports</directory>
<includes>
<include>**/cppcheck-result-*.xml</include>
</includes>
<reportsIncludeSourcePath>
<include>..</include>
</reportsIncludeSourcePath>
</cppcheck>
<cppncss>
<directory>${basedir}/reports/cppncss-reports</directory>
<includes>
<include>**/cppncss-result-*.xml</include>
</includes>
<reportsIncludeSourcePath>
<include>..</include>
</reportsIncludeSourcePath>
</cppncss>
<veraxx>
<directory>${basedir}/reports/vera++-reports</directory>
<includes>
<include>**/vera++-result-*.xml</include>
</includes>
<reportsIncludeSourcePath>
<include>..</include>
</reportsIncludeSourcePath>
</veraxx>
<valgrind>
<directory>${basedir}/reports/valgrind-reports</directory>
<includes>
<include>**/valgrind-result-*.xml</include>
</includes>
<reportsIncludeSourcePath>
<include>..</include>
</reportsIncludeSourcePath>
</valgrind>
</configuration>
</plugin>
</plugins>
<!-- We have our own <configuration><sourceDirs> node inside cxx plugin configuration -->
<!-- <sourceDirectory>${basedir}/sources</sourceDirectory> -->
</build>
<properties>
<sonar.language>c++</sonar.language>
<sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
</properties>
</project>
Could anayone give me some sugestions on how to create a pom.xml file for a multimodules project, that is build with ant? I need to create this pom.xml file in order to analyze the project with Sonar.
I suggest to follow the instructions from the Sonar documentation. See Analyzing Java Projects:
Project with multiple sources directories
If your non-maven project contains
more than one sources directory, you
can specify which sources directories
to analyse by adding a new section
about the Build Helper Maven Plugin
into your pom.xml file :
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>[YOUR.ORGANIZATION]</groupId>
<artifactId>[YOUR.PROJECT]</artifactId>
<name>[YOUR PROJECT NAME]</name>
<version>[YOUR PROJECT VERSION]</version>
<build>
<sourceDirectory>[YOUR SOURCE DIRECTORY]</sourceDirectory>
<outputDirectory>[YOUR CLASSES/BIN DIRECTORY</outputDirectory>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.5</source>
<target>1.5</target>
<excludes>
<exclude>**/*.*</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<version>1.1</version>
<executions>
<execution>
<id>add-source</id>
<phase>generate-sources</phase>
<goals>
<goal>add-source</goal>
</goals>
<configuration>
<sources>
<source>[YOUR SOURCE DIRECTORY 2]</source>
<source>[YOUR SOURCE DIRECTORY 3]</source>
</sources>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
<properties>
<sonar.dynamicAnalysis>false</sonar.dynamicAnalysis>
<sonar.phase>generate-sources</sonar.phase>
</properties>
</project>
Replace the parameters :
...
And execute the maven2 plugin as explained in the installation guide :
mvn sonar:sonar
There is now a Sonar Ant Task that you can use, or there is also the Sonar Runner
What you put in the pom.xml is going to depend what dependencies you need to use and what plugins you need to run. Check out the Intro to POM to see what it is made up of.
I think you can try to use the builder-helper-maven-plugin, currently, latest version is 1.5.
as documented http://docs.codehaus.org/display/SONAR/Analyzing+Java+Projects. However, just change the plugin version to 1.5 and use mvn sonar3:sonar. Most importantly, dont forget <sonar.phase>generate-sources</sonar.phase>, without this, it doesn't work.
as for the output directory, if using eclipse, you can specify the output directory for each module, and make them point to the same folder. Use this folder as the outputdirectory for pom.xml. remember to disable scrub, if using eclipse.