Test Harness, how to wire a MavenProjectHelper
Hi,

Please could someone explain how to wire a MavenProjectHelper into my mojo using the test harness? I try to wire it using the test POM; however, it seems the MavenProjectHelper's dependencies are not satisfied.

Here's the line in my test POM:
https://github.com/zenlambda/fabric8/blob/mule-enable_fabric_deploy/fabric8-maven-plugin/src/test/resources/unit/forked-project-attachments/mule-test/pom.xml#L38

Here is the test:
https://github.com/zenlambda/fabric8/blob/mule-enable_fabric_deploy/fabric8-maven-plugin/src/test/java/io/fabric8/maven/ForkedTestValidatorTest.java#L30

The mojo I am trying to execute fails here:
https://github.com/zenlambda/fabric8/blob/mule-enable_fabric_deploy/fabric8-maven-plugin/src/test/java/io/fabric8/maven/probes/AttachZipMojo.java#L52

Because of a null pointer exception here:
https://github.com/apache/maven/blob/maven-3.0.5/maven-core/src/main/java/org/apache/maven/project/DefaultMavenProjectHelper.java#L70

presumably because the requirement wasn't satisfied:
https://github.com/apache/maven/blob/maven-3.0.5/maven-core/src/main/java/org/apache/maven/project/DefaultMavenProjectHelper.java#L40

Stacktrace:

java.lang.NullPointerException
    at org.apache.maven.project.DefaultMavenProjectHelper.attachArtifact(DefaultMavenProjectHelper.java:70)
    at io.fabric8.maven.probes.AttachZipMojo.execute(AttachZipMojo.java:52)
    at io.fabric8.maven.ForkedTestValidatorTest.testNoApparentAttachmentsWhenMojoForksLifecycle(ForkedTestValidatorTest.java:37)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:84)
    at org.junit.runner.JUnitCore.run(JUnitCore.java:160)
    at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:74)
    at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:211)
    at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:67)

Why isn't Plexus satisfying the requirement?

Thanks,
Frank

To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org

RE: Maven, Dependencies and Vulnerabilities
Thanks! This looks like it covers the most important part of what I'm looking for.

-Original Message-
From: Mark Derricutt [mailto:m...@talios.com]
Sent: Tuesday, September 30, 2014 5:04 PM
To: Maven Users List
Subject: Re: Maven, Dependencies and Vulnerabilities

On 1 Oct 2014, at 7:44, David Dillard wrote:

Hi, I've been working on an internal presentation on how letting Maven's dependency mediation feature select versions of transitive dependencies can introduce vulnerabilities into a product and how to deal with that problem. Unfortunately, it's a very manual process and I was thinking that perhaps changes could be made to Maven that would provide better automation.

To that end I'm wondering if the team has ever considered adding a section to the POM that would list significant changes in that release. This would include a list of vulnerabilities fixed (e.g. CVE--) or serious bugs fixed. Each one could include a known set of versions affected (ala how CVEs work today) thus allowing tooling to say: the version of artifact XYZ you're using has a known vulnerability, would you like to upgrade to this new version with that vuln fixed?

There already exists a plugin covering a lot of this, using the CVE databases:

https://github.com/jeremylong/DependencyCheck

This comes with a CLI, Jenkins, Maven, and Ant tasks for checking your dependencies/jars against CVE vulnerabilities.

Does this cover all the things you're working on? Maybe join forces?

Mark

RE: Maven, Dependencies and Vulnerabilities
I'm familiar with Black Duck and an older version of Palamida. The problem with them is that you see the vulnerabilities later in the dev cycle (usually). If done with Maven it could be a part of the build and thus found earlier.

I like the idea of including the CPE in the POM and that would make finding CVEs easy enough. Only issue there is, as you noted, that projects would have to submit to get their CPE before they have any vulnerabilities. Has anyone suggested this before?

-Original Message-
From: Jeremy Long [mailto:jeremy.l...@gmail.com]
Sent: Tuesday, September 30, 2014 3:53 PM
To: Maven Users List
Subject: Re: Maven, Dependencies and Vulnerabilities

There are commercial solutions (sonatype, contrast, blackduck, palamida, etc.) and FOSS solutions (dependency-check, victims, retire.js, etc.) to identify and report on known vulnerabilities. I would recommend looking at these solutions (note, I am the main contributor to dependency-check).

A better solution for the POM modification would be to add a CPE identifier. This would also be a great entry for a jar file's manifest. CPE identifiers can be requested even if there are no known CVEs, but the CPE can be used to look up the related CVEs.

-jeremy @ctxt

On Sep 30, 2014 2:45 PM, David Dillard ddill...@symantec.com wrote:

Hi, I've been working on an internal presentation on how letting Maven's dependency mediation feature select versions of transitive dependencies can introduce vulnerabilities into a product and how to deal with that problem. Unfortunately, it's a very manual process and I was thinking that perhaps changes could be made to Maven that would provide better automation.

To that end I'm wondering if the team has ever considered adding a section to the POM that would list significant changes in that release. This would include a list of vulnerabilities fixed (e.g. CVE--) or serious bugs fixed. Each one could include a known set of versions affected (ala how CVEs work today) thus allowing tooling to say: the version of artifact XYZ you're using has a known vulnerability, would you like to upgrade to this new version with that vuln fixed?

On a related note, has a different dependency mediation system ever been considered (as an option), e.g. latest version or latest version on a branch?

Thanks,
David

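The mediation problem raised in this thread, as an added example that is not part of any of the messages: a simplified Python model of Maven's nearest-wins rule, showing how a fixed transitive version is omitted in favour of a nearer vulnerable one and how a dependencyManagement-style pin changes the outcome. All artifact names, versions and the advisory id are constructed placeholders.

```python
from collections import deque

# Constructed graph: (artifact, version) -> direct dependencies in declaration order.
GRAPH = {
    ("app", "1.0"): [("web-kit", "2.1"), ("report-lib", "4.0")],
    ("web-kit", "2.1"): [("xml-parser", "1.2")],      # depth 2: nearest, so it wins
    ("report-lib", "4.0"): [("pdf-core", "3.3")],
    ("pdf-core", "3.3"): [("xml-parser", "1.5")],     # depth 3: omitted for conflict
}
# Constructed advisory data: artifact -> (placeholder id, first fixed version).
ADVISORIES = {"xml-parser": ("CVE-PLACEHOLDER-0001", "1.4")}

def vkey(version):
    """Compare dotted numeric versions as integer tuples (simplified ordering)."""
    return tuple(int(part) for part in version.split("."))

def mediate(root, managed=None):
    """Nearest-wins: breadth-first walk, first version seen per artifact wins and
    the loser's subtree is not walked. `managed` models dependencyManagement pins."""
    managed = managed or {}
    chosen, omitted = {}, []
    queue = deque([root])
    while queue:
        name, version = queue.popleft()
        version = managed.get(name, version)
        if name in chosen:
            if chosen[name] != version:
                omitted.append((name, version))
            continue
        chosen[name] = version
        queue.extend(GRAPH.get((name, version), []))
    return chosen, omitted

def audit(root, managed=None):
    """Report artifacts whose mediated version predates the fix, together with
    any fixed versions that mediation discarded elsewhere in the tree."""
    chosen, omitted = mediate(root, managed)
    findings = []
    for name, (advisory_id, fixed) in ADVISORIES.items():
        got = chosen.get(name)
        if got and vkey(got) < vkey(fixed):
            rejected = sorted(v for n, v in omitted
                              if n == name and vkey(v) >= vkey(fixed))
            findings.append((name, got, advisory_id, rejected))
    return findings

if __name__ == "__main__":
    print(audit(("app", "1.0")))                          # vulnerable 1.2 selected
    print(audit(("app", "1.0"), {"xml-parser": "1.5"}))   # pinned: no findings
```
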
Need help regarding apache maven
Hi,

Please help me to resolve an issue I am facing with Apache Maven. I am trying to implement continuous integration, for which I am using Apache Maven with a build server. I have set up a repository using Visual SVN Server. I've created a build using Maven; now when I try to deploy the build on the remote repository I am facing an issue. I am getting error code 409 conflict, unable to deploy artifact. I've attached the error logs in the attachment.

I've tried to find a similar issue in the Apache mailing list but didn't find any solution.

Waiting for your reply and thanks in advance.

Regards,
Sameer Chandekar

Apache Maven 3.0.4 (r1232337; 2012-01-16 20:44:56-1200)
Maven home: E:\sameer\kedb\EMBEDDED
Java version: 1.7.0_25, vendor: Oracle Corporation
Java home: E:\java7.0\jre
Default locale: en_US, platform encoding: Cp1252
OS name: windows 8, version: 6.2, arch: x86, family: windows
SLF4J: Failed to load class org.slf4j.impl.StaticLoggerBinder.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
[INFO] Error stacktraces are turned on.
[DEBUG] Reading global settings from EMBEDDED\conf\settings.xml
[DEBUG] Reading user settings from C:\Users\sachin\.m2\settings.xml
[DEBUG] Using local repository at C:\Users\sachin\.m2\repository
[DEBUG] Using manager EnhancedLocalRepositoryManager with priority 10 for C:\Users\sachin\.m2\repository
[INFO] Scanning for projects...
[DEBUG] Extension realms for project com.kedb:kedb:jar:0.0.1-SNAPSHOT: (none)
[DEBUG] Looking up lifecyle mappings for packaging jar from ClassRealm[plexus.core, parent: null]
[DEBUG] === REACTOR BUILD PLAN
[DEBUG] Project: com.kedb:kedb:jar:0.0.1-SNAPSHOT
[DEBUG] Tasks: [deploy]
[DEBUG] Style: Regular
[DEBUG] ===
[INFO]
[INFO]
[INFO] Building Quick Fix 0.0.1-SNAPSHOT
[INFO]
[DEBUG] Lifecycle default - [validate, initialize, generate-sources, process-sources, generate-resources, process-resources, compile, process-classes, generate-test-sources, process-test-sources, generate-test-resources, process-test-resources, test-compile, process-test-classes, test, prepare-package, package, pre-integration-test, integration-test, post-integration-test, verify, install, deploy]
[DEBUG] Lifecycle clean - [pre-clean, clean, post-clean]
[DEBUG] Lifecycle site - [pre-site, site, post-site, site-deploy]

Re: Need help regarding apache maven
Hi,

No idea what is your setup or your Maven distribution but you use a wagon implementation which is not supported here: com.ning.http.client.providers.netty

Cheers
Olivier

On 2 October 2014 04:09, sameer chandekar sameerchandekar2...@gmail.com wrote:

Hi,

Please help me to resolve an issue I am facing with Apache Maven. I am trying to implement continuous integration, for which I am using Apache Maven with a build server. I have set up a repository using Visual SVN Server. I've created a build using Maven; now when I try to deploy the build on the remote repository I am facing an issue. I am getting error code 409 conflict, unable to deploy artifact. I've attached the error logs in the attachment.

I've tried to find a similar issue in the Apache mailing list but didn't find any solution.

Waiting for your reply and thanks in advance.

Regards,
Sameer Chandekar

--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy

Re: Need help regarding apache maven
Uploading: https://sachin/svn/demo/com/kedb/kedb/0.0.1-SNAPSHOT/kedb-0.0.1-20140929.030730-3.jar
Uploading: https://sachin/svn/demo/com/kedb/kedb/0.0.1-SNAPSHOT/kedb-0.0.1-20140929.030730-3.pom

Is https://sachin/svn/ your SVN server?

You can't get Maven to deploy your artifacts to your SVN server. Or at least if you can, it's not something I would recommend. http://maven.apache.org/wagon/wagon-providers/wagon-scm/usage.html doesn't yet have this documented either.

You want to deploy your artifacts into a Maven Repository Manager, see http://maven.apache.org/repository-management.html