CodeLogic Maven Plug-in
The CodeLogic Maven Plug-in provides an easy way to integrate CodeLogic artifact scanning into an existing Maven build process. The plug-in is already included with your CodeLogic Server installation. Follow the steps below to configure and run the plug-in.
Create an Agent
Obtain AGENT_UUID and AGENT_PASSWORD from your CodeLogic administrator. You will use these values in the Maven plug-in configuration below.
Important
Save the agent password when it is issued. There is no way to retrieve it later.
Configure the Plug-in
Note
An example of a complete settings-override.xml file is provided here: Example settings-override.xml
- Open your settings-override.xml file.
- Add a mirror to your settings-override.xml file in the profiles section.

      <profiles>
        <mirror>
          <id>codelogic</id>
          <mirrorOf>codelogic</mirrorOf>
          <url>https://localhost/codelogic/server</url>
        </mirror>
      </profiles>

  Note
  The URL is the URL of your CodeLogic Server.
- Add a properties section.
  The properties section must include:
  - codelogic.url - The URL of your CodeLogic Server.
  - codelogic.oauth.username - The Agent ID from above.
  - codelogic.oauth.password - The Password from above.

      <profiles>
        <profile>
          <id>artifactory</id>
          <properties>
            <codelogic.url>http://localhost/codelogic/server</codelogic.url>
            <codelogic.oauth.username>ffffffff-ffff-ffff-ffff-ffffffffffff</codelogic.oauth.username>
            <codelogic.oauth.password>secret-passcode</codelogic.oauth.password>
          </properties>
        </profile>
      </profiles>

Optionally, you may add any of the following configuration properties.
This is the full list of configuration properties. They can be specified globally in the settings.xml file, provided as configuration parameters in the plug-in configuration of a pom.xml file, or passed directly on the command line when invoking mvn as -DpropertyName=value.
| Property | Required | Default Value | Description |
|---|---|---|---|
| codelogic.url | true | | The URL of the CodeLogic Server to which scanned graphs are published. |
| codelogic.oauth.username | true | | The username or agentID of the credentials being used. |
| codelogic.oauth.password | true | | The password to authenticate with the remote server. |
| codelogic.batchSize | false | 500 | The batchSize for submitting discovered scan data to the server. |
| codelogic.methodInvokesScanningEnabled | false | true | Determines whether to collect and report method->method INVOKES relationships. |
| codelogic.methodInvokesScanningPackageIncludeList | false | | A comma-separated list of packages to include in method->method invokes relationship reporting. |
| codelogic.applicationGroups | false | | A comma-separated list of application names to associate with scanned artifacts. |
- Add a repository in the repositories section.
  The repository section must include:

      <repositories>
        <repository>
          <id>codelogic</id>
          <name>codelogic</name>
          <url>https://localhost/codelogic/server/packages/maven/libs-release</url>
        </repository>
      </repositories>

  Note
  The URL is the URL of the repository.
- Add a pluginRepository.
  The pluginRepository section must include:

      <pluginRepositories>
        <pluginRepository>
          <id>codelogic</id>
          <name>codelogic</name>
          <url>https://localhost/codelogic/server/packages/maven/libs-release</url>
        </pluginRepository>
      </pluginRepositories>

  Note
  The URL is the URL of the plug-in repository.
- Save settings-override.xml.
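
An added example, not part of the CodeLogic documentation: a pre-flight check for the finished settings-override.xml that confirms the three required properties are present, flags http:// URLs, and flags a password stored as a literal in the file. It assumes the password is instead supplied through Maven's ${env.NAME} interpolation from a hypothetical CODELOGIC_AGENT_PASSWORD environment variable; check_settings and the sample strings are illustrative names.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = ("codelogic.url", "codelogic.oauth.username", "codelogic.oauth.password")
# Maven interpolates ${env.NAME} in settings files; anything else is a literal.
ENV_REF = re.compile(r"^\$\{env\.[A-Za-z_][A-Za-z0-9_]*\}$")

# Constructed sample: the profile from this page wrapped in a <settings> root.
SAMPLE_FROM_PAGE = """<settings><profiles><profile><id>artifactory</id><properties>
  <codelogic.url>http://localhost/codelogic/server</codelogic.url>
  <codelogic.oauth.username>ffffffff-ffff-ffff-ffff-ffffffffffff</codelogic.oauth.username>
  <codelogic.oauth.password>secret-passcode</codelogic.oauth.password>
</properties></profile></profiles></settings>"""

# Constructed sample: same profile, TLS URL, password read from a hypothetical
# CODELOGIC_AGENT_PASSWORD environment variable (an assumption, not from the page).
SAMPLE_HARDENED = SAMPLE_FROM_PAGE.replace("http://", "https://").replace(
    "secret-passcode", "${env.CODELOGIC_AGENT_PASSWORD}")


def local(tag):
    """Drop a namespace prefix such as {http://maven.apache.org/SETTINGS/1.0.0}."""
    return tag.rsplit("}", 1)[-1]


def check_settings(xml_text):
    """Return sorted findings about the CodeLogic properties and URLs in a settings file."""
    props, urls = {}, set()
    for el in ET.fromstring(xml_text).iter():
        name, value = local(el.tag), (el.text or "").strip()
        if name.startswith("codelogic."):
            props[name] = value
        if name in ("url", "codelogic.url") and value:
            urls.add(value)
    findings = [f"missing required property {p}" for p in REQUIRED if not props.get(p)]
    # Credentials go to codelogic.url and the plug-in is downloaded from the
    # repository URLs, so plain HTTP is flagged on all of them.
    findings += [f"non-TLS URL {u}" for u in urls if u.lower().startswith("http://")]
    password = props.get("codelogic.oauth.password", "")
    if password and not ENV_REF.match(password):
        findings.append("codelogic.oauth.password is a literal value in the file")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("page", SAMPLE_FROM_PAGE), ("hardened", SAMPLE_HARDENED)):
        print(label, check_settings(text) or "ok")
```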
Run the Plug-in
Note
The goals can be run from the command line on any Maven project as long as there is a published version of the jcape-maven-plugin available in Maven's configured repositories or locally.
You can add -pl :sub-project to the commands listed below to target a specific sub-project; scan results will then be published only for that sub-project. If you do not include the parameter, scan results will be published for all artifacts generated across all sub-projects.
CODELOGIC-DISPLAY
mvn com.codelogic.agent.java:jcape-maven-plugin:21.21.1:codelogic-display
This goal will locally scan an artifact and display the resulting nodes and relationships in the terminal without publishing them to a remote server.
CODELOGIC-SCAN
mvn com.codelogic.agent.java:jcape-maven-plugin:21.21.1:codelogic-scan
This goal will locally scan an artifact and publish the resulting nodes and relationships to the configured CodeLogic Server.
Integration with Project pom.xml (Optional)
The CodeLogic Plug-in can be directly integrated with your build script in a pom.xml file.
<build>
  <plugins>
    <plugin>
      <groupId>com.codelogic.agent.java</groupId>
      <artifactId>jcape-maven-plugin</artifactId>
      <version>21.21.1</version>
      <executions>
        <execution>
          <id>codelogic-scan</id>
          <phase>install</phase>
          <goals>
            <goal>codelogic-scan</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <codelogic.batchSize>1000</codelogic.batchSize>
        <codelogic.methodInvokesScanningEnabled>true</codelogic.methodInvokesScanningEnabled>
        <codelogic.methodInvokesScanningPackageIncludeList>org.,net.</codelogic.methodInvokesScanningPackageIncludeList>
        <codelogic.applicationGroups>jCape</codelogic.applicationGroups>
      </configuration>
    </plugin>
  </plugins>
</build>
Run the Plug-in with Docker (Optional)
Example command:
docker run --rm \
  -i -t \
  --workdir /tmp/app/ \
  --volume ~/.m2/:/tmp/.m2/ \
  --user `id -u`:`id -g` \
  --volume /path/to/the/archives/you/want/to/scan/:/tmp/app/ \
  -e MAVEN_CONFIG=/tmp/.m2 \
  maven:3.6.3-jdk-11 \
  sh -c 'mvn -s settings-override.xml \
    com.codelogic.agent.java:jcape-maven-plugin:$CODELOGIC_VERSION:codelogic-scan \
    -Dmaven.repo.local=/tmp/.m2/repository/ -Duser.home=/tmp'
Note
Replace $CODELOGIC_VERSION with your CodeLogic Server version number (for example, 21.21.1). The line would be:
sh -c 'mvn -s settings-override.xml com.codelogic.agent.java:jcape-maven-plugin:21.21.1:codelogic-scan'
Scan results are sent to the CodeLogic server for processing.