Skip to content

CodeLogic Maven Plug-in

The CodeLogic Maven Plug-in provides an easy way to integrate CodeLogic artifact scanning into an existing Maven build process. The plug-in is already included with your CodeLogic Server installation. Follow the steps below to configure and run the plug-in.

  1. Create an Agent in CodeLogic
  2. Configure the Plug-in
  3. Run the Plug-in
  4. Integration with Project pom.xml (Optional)
  5. Run the Plug-in with Docker (Optional)
  6. View Scan Results

Create an Agent in CodeLogic

  • Click Admin and then select the Agents tab.
  • Click Create Agent.
    • The Create Agent window opens.
  • Enter a name for the agent in the Agent Name field.
  • Optionally, enter a description in the Agent Description field.
  • Click Save.
    • A confirmation dialog box is displayed.

    • Important

      Do not click OK or close your browser until you have copied the Agent ID AND Password. There is no way to retrieve this password.

Configure the Plug-in

Note

An example of a complete settings-override.xml file is provided here: Example settings-override.xml

  • Open your settings-override.xml file.

  • Add a mirror to your settings-override.xml file in the profiles section.

<profiles>
    <mirror>
        <id>codelogic</id>
        <mirrorOf>codelogic</mirroOf>
        <url>https://localhost/codelogic/server</url>
    </mirror>
</profiles>

Note

The URL is the URL of your CodeLogic Server.

  • Add a properties section.

    The properties section must include:

    • codelogic.url - The URL of your CodeLogic Server.
    • codelogic.oauth.username - The Agent ID from above.
    • codelogic.oauth.password - The Password from above. 
<profiles>  
    <profile>  
        <id>artifactory</id>  
        <properties>  
            <codelogic.url>http://localhost/codelogic/server</codelogic.url>  
            <codelogic.oauth.username>ffffffff-ffff-ffff-ffff-ffffffffffff</codelogic.oauth.username>  
            <codelogic.oauth.password>secret-passcode</codelogic.oauth.password>\
        </properties>
    </profile>  
</profiles>

Optionally, you may add any of the following configuration properties.

This is the full list of configuration properties, which can be specified globally within the settings.xml file or can be provided as configuration parameters within the plug-in configuration within a pom.xml file. Alternatively, these parameters can be provided directly on the command line while invoking mvn as -DpropertyName=value.

Property Required Default Value Description
codelogic.url true The url of the CodeLogic Server to publish scanned graphs.
codelogic.oauth.username true The username or agentID of the credentials being used.
codelogic.oauth.password true The password to authenticate with the remote server.
codelogic.batchSize false 500 The batchSize for submitting discovered scan data to the server.
codelogic.methodInvokesScanningEnabled false true Determines whether to collect and report method->method INVOKES relationships.
codelogic.methodInvokesScanningPackageIncludeList false A comma separated list of packages to include in method->method invokes relationship reporting.
codelogic.applicationGroups false A comma separated list of application names to associate with scanned artifacts.

  • Add a repository in the repositories section.

    The repository section must include:

<repositories>
    <repository>
        <id>codelogic</id>
        <name>codelogic</name>
        <url>https://localhost/codelogic/server/packages/maven/libs-release</url>
    </repository>
</repositories>

Note

The URL is the URL of the repository.

  • Add a pluginRepository.

    The pluginRepository section must include: 

    <pluginRepositories>  
    <pluginRepository>  
        <id>codelogic</id>  
        <name>codelogic</name>  
        <url>https://localhost/codelogic/server/packages/maven/libs-release</url>  
    </pluginRepository>  
</pluginRepositories>

    Note

    The URL is the URL of the plug-in repository.

  • Save settings-override.xml.

  • If you have not already done so, click OK to close the dialog box in CodeLogic from Create an Agent in CodeLogic.

Run the Plug-in

/// note | Note
The goals can be run from the command line on any Maven project as long as there is a published version of the jcape-maven-plugin available in Maven's configured repositories or locally.
///

You can run the commands listed below and specify `-pl :sub-project` to target a specific sub-project, scan results will be published only for the specified sub-project. If you do not include the parameter, scan results will be published for all artifacts generated across all sub-projects.

*CODELOGIC-DISPLAY*

```console
mvn com.codelogic.agent.java:jcape-maven-plugin:21.21.1:codelogic-display
```
This goal will locally scan an artifact and display the resulting nodes and relationships in the terminal without publishing them to a remote server.

*CODELOGIC-SCAN*

```console
mvn com.codelogic.agent.java:jcape-maven-plugin:21.21.1:codelogic-scan
```
This goal will locally scan an artifact and publish the resulting nodes and relationships to the configured CodeLogic Server.

Integration with Project pom.xml (Optional)

The CodeLogic Plug-in can be directly integrated with your build script. 

<build>
    <plugins>
        <plugin>
            <groupId>com.codelogic.agent.java</groupId>
            <artifactId>jcape-maven-plugin</artifactId>
            <version>21.21.1</version>
            <executions>
                <execution>
                    <id>codelogic-scan</id>
                    <phase>install</phase>
                    <goals>
                        <goal>codelogic-scan</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <codelogic.batchSize>1000</batchSize>
                <codelogic.methodInvokesScanningEnabled>true</codelogic.methodInvokesScanningEnabled>
                <codelogic.methodInvokesScanningPackageIncludeList>org.,net.</codelogic.methodInvokesScanningPackageWhitelist>
                <codelogic.applicationGroups>jCape</codelogic.applicationGroups>
            </configuration>
        </plugin>
    </plugins>
</build>

Run the Plug-in with Docker (Optional)

Example command: 

docker run --rm \
    -i -t \
    --workdir /tmp/app/ \
    --volume ~/.m2/:/tmp/.m2/ \
    --user `id -u`:`id -g` \
    --volume /path/to/the/archives/you/want/to/scan/:/tmp/app/ \
    -e MAVEN_CONFIG=/tmp/.m2 \
    maven:3.6.3-jdk-11 \
    sh -c 'mvn -s settings-override.xml com.codelogic.agent \
        java:jcape-maven-plugin:$CODELOGIC_VERSION:codelogic-scan \
        -Dmaven.repo.local=/tmp/.m2/repository/ -Duser.home=/tmp'

Note

Replace $CODELOGIC_VERSION with your CodeLogic Server version number. For example if you had version 21.21.1 installed the line would be:

sh -c 'mvn -s settings-override.xml com.codelogic.agent.java:jcape-maven-plugin:21.21.1:codelogic-scan \

View Scan Results

1. Log in to the CodeLogic Server.
2. Select the Search tab.
3. Expand the application to view items and their dependencies.