CodeLogic Maven Plug-in

The CodeLogic Maven Plug-in provides an easy way to integrate CodeLogic artifact scanning into an existing Maven build process. The plug-in is already included with your CodeLogic Server installation. Follow the steps below to configure and run the plug-in.

High-Level Overview

  1. Create an Agent in CodeLogic
  2. Configure the Plug-in
  3. Run the Plug-in
  4. Integration with Project pom.xml (Optional)
  5. Run the Plug-in with Docker (Optional)
  6. View Scan Results

Create an Agent in CodeLogic

  • From a web browser on your system, log in to the CodeLogic Server.

  • Click Admin and then select the Agents tab.

  • Click Create Agent.
    • The Create Agent window opens.
  • Enter a name for the agent in the Agent Name field.
  • Optionally, enter a description in the Agent Description field.
  • Click Save.
    • A confirmation dialog box is displayed.
    • Important

      Do not click OK or close your browser until you have copied the Agent ID and Password. The password cannot be retrieved later; if you lose it, you will need to create a new agent and repeat these steps.

Configure the Plug-in

Note

An example of a complete settings-override.xml file is provided here: Example settings-override.xml

  • Open your settings-override.xml file.

  • Add a mirror to your settings-override.xml file in the profiles section.

    <profiles>
      <mirror>
        <id>codelogic</id>
        <mirrorOf>codelogic</mirrorOf>
        <url>https://localhost/codelogic/server</url>
      </mirror>

Note

The URL is the URL of your CodeLogic Server.

  • Add a properties section.

    The properties section must include:

    • codelogic.url - The URL of your CodeLogic Server.
    • codelogic.oauth.username - The Agent ID from above.
    • codelogic.oauth.password - The Password from above.

    <profiles>
      <profile>
        <id>artifactory</id>
        <properties>
          <codelogic.url>http://localhost/codelogic/server</codelogic.url>
          <codelogic.oauth.username>ffffffff-ffff-ffff-ffff-ffffffffffff</codelogic.oauth.username>
          <codelogic.oauth.password>secret-passcode</codelogic.oauth.password>
        </properties>
        ...
      </profile>
    </profiles>

Optionally, you may add any of the following configuration properties.

This is the full list of configuration properties, which can be specified globally within the settings.xml file or can be provided as configuration parameters within the plug-in configuration within a pom.xml file. Alternatively, these parameters can be provided directly on the command line while invoking mvn as -DpropertyName=value.

| Property | Required | Default Value | Description |
|---|---|---|---|
| codelogic.url | true | | The url of the CodeLogic Server to publish scanned graphs. |
| codelogic.oauth.username | true | | The username or agentID of the credentials being used. |
| codelogic.oauth.password | true | | The password to authenticate with the remote server. |
| codelogic.batchSize | false | 500 | The batchSize for submitting discovered scan data to the server. |
| codelogic.methodInvokesScanningEnabled | false | true | Determines whether to collect and report method->method INVOKES relationships. |
| codelogic.methodInvokesScanningPackageIncludeList | false | | A comma separated list of packages to include in method->method invokes relationship reporting. |
| codelogic.applicationGroups | false | | A comma separated list of application names to associate with scanned artifacts. |

  • Add a repository in the repositories section.

    The repository section must include:

    <repositories>
      <repository>
        <id>codelogic</id>
        <name>codelogic</name>
        <url>https://localhost/codelogic/server/packages/maven/libs-release</url>
      </repository>
    </repositories>

Note

The URL is the URL of the repository.

  • Add a pluginRepository.

    The pluginRepository section must include:

    <pluginRepositories>
      <pluginRepository>
        <id>codelogic</id>
        <name>codelogic</name>
        <url>https://localhost/codelogic/server/packages/maven/libs-release</url>
      </pluginRepository>
    </pluginRepositories>

Note

The URL is the URL of the plug-in repository.

  • Save settings-override.xml.
  • If you have not already done so, click OK to close the dialog box in CodeLogic from Create an Agent in CodeLogic.
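
An added check for the finished settings-override.xml (example code, not part of CodeLogic or of the original page): it flags a codelogic.url that is not https and a codelogic.oauth.password stored as a literal in the file. It assumes a policy of supplying the credentials through Maven's ${env.NAME} interpolation; the variable names CODELOGIC_AGENT_ID and CODELOGIC_AGENT_PASSWORD and both sample files are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not CodeLogic code. Assumed policy: codelogic.url is https and
# codelogic.oauth.password is a ${env.NAME} reference resolved by Maven.

# Print the text of the first <name>...</name> element in a file.
prop_value() {
  sed -n "s|.*<$1>\(.*\)</$1>.*|\1|p" "$2" | head -n 1
}

# Print one finding per line; return 0 when clean, 1 otherwise.
lint_settings() {
  local file="$1" url pass findings=0
  url=$(prop_value 'codelogic\.url' "$file")
  pass=$(prop_value 'codelogic\.oauth\.password' "$file")
  case $url in
    https://*) ;;
    '') echo "codelogic.url: missing"; findings=1 ;;
    *)  echo "codelogic.url: not https ($url)"; findings=1 ;;
  esac
  case $pass in
    '${env.'*'}') ;;
    '') echo "codelogic.oauth.password: missing"; findings=1 ;;
    *)  echo "codelogic.oauth.password: literal value in file"; findings=1 ;;
  esac
  return "$findings"
}

# Constructed samples: the page's literal values, then a hardened variant.
# CODELOGIC_AGENT_ID / CODELOGIC_AGENT_PASSWORD are hypothetical names.
write_samples() {
  cat > "$1/weak.xml" <<'EOF'
<properties>
  <codelogic.url>http://localhost/codelogic/server</codelogic.url>
  <codelogic.oauth.password>secret-passcode</codelogic.oauth.password>
</properties>
EOF
  cat > "$1/hardened.xml" <<'EOF'
<properties>
  <codelogic.url>https://localhost/codelogic/server</codelogic.url>
  <codelogic.oauth.username>${env.CODELOGIC_AGENT_ID}</codelogic.oauth.username>
  <codelogic.oauth.password>${env.CODELOGIC_AGENT_PASSWORD}</codelogic.oauth.password>
</properties>
EOF
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
for f in weak hardened; do
  echo "== $f.xml"; lint_settings "$demo_dir/$f.xml" || true
done
rm -rf "$demo_dir"
```

lint_settings returns non-zero on any finding, so it can gate a build job before the scan goal runs.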

Run the Plug-in

Note

The goals can be run from the command line on any Maven project as long as there is a published version of the jcape-maven-plugin available in Maven's configured repositories or locally.

You can run the commands listed below with -pl :sub-project to target a specific sub-project; scan results will then be published only for the specified sub-project. If you do not include the parameter, scan results will be published for all artifacts generated across all sub-projects.

CODELOGIC-DISPLAY

    mvn com.codelogic.agent.java:jcape-maven-plugin:21.21.1:codelogic-display

This goal will locally scan an artifact and display the resulting nodes and relationships in the terminal without publishing them to a remote server.

CODELOGIC-SCAN

    mvn com.codelogic.agent.java:jcape-maven-plugin:21.21.1:codelogic-scan

This goal will locally scan an artifact and publish the resulting nodes and relationships to the configured CodeLogic Server.

Integration with Project pom.xml (Optional)

The CodeLogic Plug-in can be directly integrated with your build script.

    <build>
      <plugins>
        <plugin>
          <groupId>com.codelogic.agent.java</groupId>
          <artifactId>jcape-maven-plugin</artifactId>
          <version>21.21.1</version>
          <executions>
            <execution>
              <id>codelogic-scan</id>
              <phase>install</phase>
              <goals>
                <goal>codelogic-scan</goal>
              </goals>
            </execution>
          </executions>
          <configuration>
            <codelogic.batchSize>1000</codelogic.batchSize>
            <codelogic.methodInvokesScanningEnabled>true</codelogic.methodInvokesScanningEnabled>
            <codelogic.methodInvokesScanningPackageIncludeList>org.,net.</codelogic.methodInvokesScanningPackageIncludeList>
            <codelogic.applicationGroups>jCape</codelogic.applicationGroups>
          </configuration>
        </plugin>
      </plugins>
    </build>

Run the Plug-in with Docker (Optional)

Example Docker File

    #!/usr/bin/env bash
    # Run the SCAN
    # Mounts the local Maven cache and the directory to scan, and runs as the calling user.
    docker run --rm \
      -i -t \
      --workdir /tmp/app/ \
      --volume ~/.m2/:/tmp/.m2/ \
      --user "$(id -u):$(id -g)" \
      --volume /path/to/the/archives/you/want/to/scan/:/tmp/app/ \
      -e MAVEN_CONFIG=/tmp/.m2 \
      maven:3.6.3-jdk-11 \
      sh -c 'mvn -s settings-override.xml com.codelogic.agent.java:jcape-maven-plugin:$CODELOGIC_VERSION:codelogic-scan \
        -Dmaven.repo.local=/tmp/.m2/repository/ -Duser.home=/tmp'

Note

Replace $CODELOGIC_VERSION with your CodeLogic Server version number. For example, if you had version 21.21.1 installed, the line would be:

    sh -c 'mvn -s settings-override.xml com.codelogic.agent.java:jcape-maven-plugin:21.21.1:codelogic-scan \

View Scan Results

1. Log in to the CodeLogic Server.
2. Select the Explorer tab.
3. Expand the application to view items and their dependencies.