To scan the dependencies of my project for known security vulnerabilities, I'm running the org.owasp:dependency-check-maven Maven plugin as part of a Jenkins pipeline build.
The plugin happily creates the report as XML in ${project.build.directory}/security-reports, and now I'd like to have it show up in the Test Results section of my pipeline build. Ideally, it would look like in these screenshots, but plain old xUnit output would probably be fine as well.
Unfortunately, I can't get it to work. I installed the OWASP Dependency-Check Jenkins plugin, which sounds just right according to its documentation. But it seems I cannot figure out how to configure it properly.
I also tried archiving the XML file like regular Junit results from my Jenkinsfile, using junit '**/target/security-reports/*.xml'. But the Junit step doesn't seem to recognise it and complains about not finding any reports.
Can anyone help?
To make Jenkins collect and display results of OWASP Dependency-check you need to have OWASP Dependency-Check plugin installed and to add Post-build Action step "Publish OWASP Dependency-Check analysis results".
You should provide the path to your XML file in settings for this step, by default **/dependency-check-report.xml is used.
I want to modify a jenkins plugin called Files Found Trigger. But after I downloaded the source code from github, I found there are lots of lines started with import hudson.XXX. And I have no clue where to get the hudson library.
I thought maybe I could find some information at Jenkins Plugin Tutorial. But it seems that the tutorial doesn't mention about where to get the library.
Anyone can help?
From here (Upgrading from Hudson to Jenkins):
Jenkins is basically a drop-in replacement to Hudson.
It's the continuation of the same code base, in same package structure. There has been no major surgery since the rename, and the rename really only affected what's shown in the UI. As such, it understands the same set of environment variables, same system properties, and the same information in the home directory. So if you rename jenkins.war as hudson.war, and simply overwrite your hudson.war, the upgrade is complete.
So my conclusion is: just rename hudson to jenkins.
There is no need to do anything, the Jenkins core has loads of references to java packages pointing to hudson.XXX. This is for legacy reasons, Jenkins used to be called Hudson. When the splitting of the project and renaming to Jenkins was done, the java package structure and names was kept in order to maintain backwards comparability for plugins (otherwise all plugins would have to be updated).
In case you've got compilation errors due to this, then something is wrong with your setup, ensure that the maven dependencies are correct as mishadoff says.
Every jenkins plugin should refer to parent object in pom.xml
<parent>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>plugin</artifactId>
<version>2.21</version>
<relativePath />
</parent>
You can find more examples at official git plugin https://github.com/jenkinsci/git-plugin/blob/master/pom.xml#L3
UPDATE: The plugin Files Found Trigger you're trying to modify, uses parent dependency in pom.xml https://github.com/jenkinsci/files-found-trigger-plugin/blob/master/pom.xml#L4
All import hudson.* statements, come exactly from that lib:
First, I've attempted to use the kie-maven-plugin in the project parent:
<groupId>org.kie</groupId>
<artifactId>kie-maven-plugin</artifactId>
<version>6.1.0.Final</version>
<extensions>true</extensions>
but after further reading it doesn't sound like it actually precompiles the rules before placing them in the jar (and I don't see any sign of it doing so).
I also see that there is a drools verifier, however it seems that this only works to verify drl files within Java.
Is there a good way to compile / verify a drl file in a Maven build so that I don't deploy and run the webservice only to find that there is a typo in the drl file?
I'm currently using Eclipse Kepler w/ the Drools plugins, Maven 3.x and Drools 6.0.1.
I would guess that you forgot to specify the packaging as "kjar". If that is the case, the plugin won't be executed during the Maven build. Simply add <packaging>kjar</packaging> into you pom.xml.
Please see the example usage of the kie-maven-plugin: https://github.com/droolsjbpm/drools/blob/master/kie-maven-plugin-example/pom.xml
To best of my knowledge the kie-maven-plugin only verifies that the resources can be compiled. Running Drools verifier is not part of the execution.
If you are already using the "kjar" packaging, please post the entire pom.xml, otherwise it is hard to guess what is actually causing the described behavior.
I followed the steps on creating a report in eclipse (http://earlwillis.wordpress.com/2012/01/31/getting-started-with-junit-reports/), however the junitreport does not show up Edit configurations section at the end. What do I need to do to fix this?
You need to be using Maven or Ant to be generating the report for you. Maven's Surefire and Surefire report plugins will give you what you need. Alternatively, if you followed the steps in that document as you say, you just need to configure an ant build properly.
Does anyone have any idea if you can find source JARs on Maven repositories?
Maven Micro-Tip: Get sources and Javadocs
When you're using Maven in an IDE you often find the need for your IDE to resolve source code and Javadocs for your library dependencies. There's an easy way to accomplish that goal.
mvn dependency:sources
mvn dependency:resolve -Dclassifier=javadoc
The first command will attempt to download source code for each of the dependencies in your pom file.
The second command will attempt to download the Javadocs.
Maven is at the mercy of the library packagers here. So some of them won't have source code packaged and many of them won't have Javadocs.
In case you have a lot of dependencies it might also be a good idea to use
inclusions/exclusions to get specific artifacts, the following command
will for example only download the sources for the dependency with
a specific artifactId:
mvn dependency:sources -DincludeArtifactIds=guava
Source: http://tedwise.com/2010/01/27/maven-micro-tip-get-sources-and-javadocs/
Documentation: https://maven.apache.org/plugins/maven-dependency-plugin/sources-mojo.html
Configuring and running the maven-eclipse plugin, (for example from the command line mvn eclipse:eclipse )
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-eclipse-plugin</artifactId>
<configuration>
<downloadSources>true</downloadSources>
<downloadJavadocs>true</downloadJavadocs>
</configuration>
</plugin>
</plugins>
</build>
If a project creates a jar of the project sources and deploys it to a maven repository, then you'll find it :)
Just FYI, sources artifacts are generally created by the maven-source-plugin. This plugin can bundle the main or test sources of a project into a jar archive and, as explained in Configuring Source Plugin:
(...) The generated jar file will be named by the value of the finalName plus "-sources" if it is the main sources. Otherwise, it would be finalName plus "-test-sources" if it is the test sources.
The additional text was given to describe an artifact ("-sources" or "-test-sources" here) is called a classifier.
To declare a dependency on an artifact that uses a classifier, simply add the <classifier> element. For example:
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate</artifactId>
<version>3.2.7.ga</version>
<classifier>sources</classifier>
</dependency>
Note that you generally don't do this, most IDEs provide support to download sources (and/or JavaDoc) from the main artifact without declaring explicitly a dependency on them.
Finally, also note that some repository search engines allow searching for artifacts using the classifier (at least Nexus does with the advanced search). See this search for example.
The maven idea plugin for IntelliJ Idea allows you to specify whether or not sources and java doc should be resolved and downloaded
mvn idea:idea -DdownloadSources=true -DdownloadJavadocs=true
To download any artifact use
mvn dependency:get -Dartifact=groupId:artifactId:version:packaging:classifier
For Groovy sources this would be
mvn dependency:get -Dartifact=org.codehaus.groovy:groovy-all:2.4.6:jar:sources
For Groovy's javadoc you would use
mvn dependency:get -Dartifact=org.codehaus.groovy:groovy-all:2.4.6:jar:javadoc
This puts the given artifact into your local Maven repository, i.e. usually $HOME/.m2/repository.
dependency:sources just downloads the project dependencies' sources, not the plugins sources nor the sources of dependencies defined inside plugins.
To download some specific source or javadoc we need to include the GroupIds - Its a comma separated value as shown below
mvn dependency:sources -DincludeGroupIds=com.jcraft,org.testng -Dclassifier=sources
Note that the classifier are not comma separated, to download the javadoc we need to run the above command one more time with the classifier as javadoc
mvn dependency:sources -DincludeGroupIds=com.jcraft,org.testng -Dclassifier=javadoc
you can find info in this related question: Get source jar files attached to Eclipse for Maven-managed dependencies
if you use the eclipse maven plugin then use 'mvn eclipse:eclipse -DdownloadSources=true'
if you're using eclipse you could also open Preferences > Maven and select Download Artifact Sources, this would let the pom.xml intact and keep your sources or java docs (if selected) just for development right at your machine location ~/.m2
In Eclipse
Right click on the pom.xml
Select Run As -> Maven generate-sources
it will generate the source by default in .m2 folder
Pre-Requisite:
Maven should be configured with Eclipse.
In eclipse - click on the project then:
.
You can, if they are uploaded. Generally they are called "frameworkname-version-source(s)"
NetBeans, Context-Click
In NetBeans 8 with a Maven-driven project, merely context-click on the jar file list item of the dependency in which you are interested. Choose Download Sources. Wait a moment and NetBeans will automatically download and install the source code, if available.
Similarly you can choose Download Javadoc to get the doc locally installed. Then you can context-click some code in the editor and choose to see the JavaDoc.
Based on watching the Maven console in Eclipse (Kepler), sources will be automatically downloaded for a Maven dependency if you attempt to open a class from said Maven dependency in the editor for which you do not have the sources downloaded already. This is handy when you don't want to grab source for all of your dependencies, but you don't know which ones you want ahead of time (and you're using Eclipse).
I ended up using #GabrielRamierez's approach, but will employ #PascalThivent's approach going forward.
If you know the groupId and aritifactId,you can generate download url like this.
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.2.3</version>
</dependency>
http://central.maven.org/maven2/ch/qos/logback/logback-classic/
and you will get a page like this, chose the version you need,just enjoy it!
I have also used the eclipse plugin to get the project into the eclipse workspace.
Since I've worked on a different project I saw that it is possible to work with eclipse but without the maven-eclipse-plugin. That makes it easier to use with different environments and enables the easy use of maven over eclipse. And that without changing the pom.xml-file.
So, I recommend the approach of Gabriel Ramirez.
Maven repositories do provide simple way to download sources jar.
I will explain it using a demonstration for "spring-boot-actuator-autoconfigure".
Go to maven repository -
https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-actuator-autoconfigure
The page lists various versions. Click-on to desired one, let's say, 2.1.6.RELEASE - https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-actuator-autoconfigure/2.1.6.RELEASE
The page have link "View All" next to "Files". Click it -
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-actuator-autoconfigure/2.1.6.RELEASE/
The page lists various files including the one for sources -
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-actuator-autoconfigure/2.1.6.RELEASE/spring-boot-actuator-autoconfigure-2.1.6.RELEASE-sources.jar
Otherwise, you can always "git clone" the repo from github, if its there and get the specific code.
As explained by others, you can use "mvn dependency:sources" command the get and generate sources jar for the dependency you are using.
Note: Some dependencies will not have sources.jar, as those contains no source code but a pom file. e.g. spring-boot-starter-actuator.
As in this case:
Starter POMs are a set of convenient dependency descriptors that you can include in your application. You get a one-stop-shop for all the Spring and related technology that you need, without having to hunt through sample code and copy paste loads of dependency descriptors.
Reference: Intro to Spring Boot Starters
In IntelliJ IDEA you can download artifact sources automatically while importing by switching on Automatically download Sources option:
Settings → Build, Execution, Deployment → Build Tools → Maven → Importing
If you want find the source jar file for any of the artifact manually, go to maven repository location for the particular artifact and in Files click on 'view All'. You can find source jar file.
For debugging you can also use a "Java Decompiler" such as: JAD and decompile source on the fly (although the generated source is never the same as the original). Then install JAD as a plugin in Eclipse or your favorite IDE.
If you're using Eclipse, I would recommend downloading both the source and the Javadocs of third-party libraries.
Right click on project and download both as per the screenshot below.
Downloading Javadocs means that typically you can get contextual help for methods from third-party libraries, with useful description of parameters, etc. This is essential if you don't know the library well. In some cases I have found that Javadocs are available when the source isn't.