FlexDeploy - Maven Plugin Guide
The Maven plugin provides a means to run Maven operations on a maven project.
Supported Versions
The Maven Plugin ships with Maven version 3.05, the same version bundled with JDeveloper 12c.
Supports the standard Maven Lifecycle Phases
Supports Maven arguments
Supports sourcing a script to set properties before the execution begins.
Key Features
Use existing Maven POMs
Maven is bundled in the plugin, so no need to install Maven on endpoints.
Maven executions return test results back to FlexDeploy for use by Test Definitions.
It also supports PMD analysis and OWASP Dependency-check
Plugin Operations
Configuration
If you need to customize your maven options, you can edit the ~/.m2/settings.xml on the endpoint, just like if you are editing it for a regular maven user. It is important to make the changes on the endpoint, not the FlexDeploy server, and make sure to perform the configuration changes using the same user that FlexDeploy will log in as on the endpoint. You can copy the .m2 folder from another machine if that is easier, or install Maven on the endpoint so that it is created for you and then edit it. This is the easiest way to configure Maven to have settings that apply to all future workflows. The same configuration options can likely be added into the Arguments plugin input, but would need to be entered each time that a new workflow with Maven in it is created.
PMD Configuration
The PMD Plugin allows you to automatically run the PMD code analysis tool on your project's source code and generate a report with its results.
Setting the PMD plugin as follows in your pom.xml <build> section will enable PMD analysis and generate the report. and the PMD plugin is, by default, tied to the verify phase. (Maven verify step runs checks to verify that the project is valid and meets the quality standards.)
By default, the Java programming language is analyzed by PMD for other languages, we must specify. presently it supports Java, JavaScript, and JSP.
We can configure the build to fail if errors are found in the PMD reports by enforcing custom code quality rules.like
<maxAllowedViolations>,<failOnViolation>,<minimumPriority>as part of<configuration>Review scan results in FlexDeploy with links to rules and how to fix them.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.20.0</version>
<configuration>
<!-- failOnViolation is actually true by default, but can be disabled -->
<failOnViolation>false</failOnViolation>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
OWASP-DC Configuration
dependency-check-maven is a Maven Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
Dependency-check-maven is very simple to utilize and can be used as a stand-alone plug-in. The plug-in requires Maven 3.1 or higher.
Setting the plugin as follows in your pom.xml <build> section will enable Dependency-check analysis and generate the report. The dependency-check plugin is, by default, tied to the verify phase.
We can configure the build to fail if errors are found in the DC reports by enforcing custom code quality rules.like
<failBuildOnAnyVulnerability>,<failBuildOnCVSS>as part of<configuration>Review scan results in FlexDeploy with links to rules and how to fix them.
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.1.2</version>
<configuration>
<failBuildOnAnyVulnerability>false</failBuildOnAnyVulnerability>
<failBuildOnCVSS>8</failBuildOnCVSS>
<formats>JSON,HTML</formats>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
- style