CAST HIGHLIGHT - SCA - How to scan Maven-based applications for SCA Insights in a build environment?

This article explains how to scan Maven-based applications for SCA Insights from a CI pipeline build environment, using the --mavenRepository option of the Highlight Command Line.

 

Details

If the scan is performed in the build environment

You can directly add --mavenRepository <path_to_m2_folder> to point the Command Line at the local Maven repository. Make sure the build has already run, so that the repository is populated with the application's dependencies.

Otherwise, you will have to install Maven on the scanning machine and have network access to the external Maven repositories required by your application. To do so, follow the steps below:

  1. Download and install Maven (https://maven.apache.org/install.html)
  2. From the source folder containing the root pom.xml, run the following Maven commands. The build resolves the exact dependencies and versions of the project and downloads them into the local repository; the dependency plugin then prints the resolved tree:

    $> mvn clean install
    $> mvn org.apache.maven.plugins:maven-dependency-plugin:3.8.0:tree
  3. Ensure that the Maven local repository (.m2) exists and can be read by the user running the scan.

    Windows: by default the repository is in C:\Users\<username>\.m2. The folder is hidden, so enable "Show hidden items" in Windows Explorer to see it.

    Linux/Mac: check the owner and the permissions of the directory. The scanning user needs at least read permission (plus execute, to traverse the folder tree); write permission is not required.

  4. Scan the source folder with the Command Line using --mavenRepository <path_to_m2_folder>, optionally adding --includeAllDependencies if you want the whole dependency tree in the results.

    Example

    $> java -jar HighlightAutomation.jar --sourceDir "C:\source" --workingDir "C:\source\hlresults" --mavenRepository "C:\Users\<username>\.m2" --ignoreDirectories "node
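Steps 2 to 4 as a single POSIX shell script for a Linux/Mac CI job, added here as an example; it is not CAST's own tooling. It assumes that mvn and java are on the PATH, that the source folder, working folder and the path to HighlightAutomation.jar are passed as arguments, and that the local repository is ~/.m2 unless the M2_DIR variable says otherwise. The -DskipTests flag is a standard Maven option added to keep the job short; the check on the repository/ subfolder relies on Maven creating it under .m2 on the first build.

```shell
#!/bin/sh
# Added example (not CAST's own script): resolve the Maven dependencies,
# verify the local repository is readable, then launch the Highlight CLI scan.
# Assumed inputs: <source dir> <working dir> <path to HighlightAutomation.jar> [yes]
# Assumed repository location: ~/.m2, overridable with the M2_DIR variable.
set -eu

M2_DIR="${M2_DIR:-${HOME:-}/.m2}"

# Step 3 check: return 0 when the local repository exists, is readable and has
# been populated by a build (Maven creates the repository/ subfolder), else 1.
check_m2_repo() {
    repo="$1"
    if [ ! -d "$repo" ]; then
        echo "local Maven repository not found: $repo" >&2
        return 1
    fi
    if [ ! -r "$repo" ] || [ ! -x "$repo" ]; then
        echo "local Maven repository not readable: $repo" >&2
        return 1
    fi
    if [ ! -d "$repo/repository" ]; then
        echo "no repository/ folder under $repo, run the Maven build first" >&2
        return 1
    fi
    return 0
}

# Step 2: build the project so every dependency version is resolved and cached
# in the local repository, then print the resolved tree into the job log.
# -DskipTests keeps the CI job short; remove it if the tests must run here.
maven_resolve() {
    ( cd "$1" \
      && mvn clean install -DskipTests \
      && mvn org.apache.maven.plugins:maven-dependency-plugin:3.8.0:tree )
}

# Step 4 options, printed one per line so they can be loaded with "set --".
# Pass "yes" as the 4th argument to add --includeAllDependencies.
scan_options() {
    src="$1"; work="$2"; repo="$3"; all="${4:-no}"
    printf '%s\n' --sourceDir "$src" --workingDir "$work" \
        --mavenRepository "$repo" --ignoreDirectories node_modules
    if [ "$all" = yes ]; then
        printf '%s\n' --includeAllDependencies
    fi
}

# Step 4: run HighlightAutomation.jar with the options above.
run_scan() {
    src="$1"; work="$2"; jar="$3"; all="${4:-no}"
    mkdir -p "$work"
    # Load the option list into $@, splitting on newlines only so that paths
    # with spaces survive; globbing is disabled while the list is expanded.
    old_ifs="$IFS"
    IFS='
'
    set -f
    set -- $(scan_options "$src" "$work" "$M2_DIR" "$all")
    set +f
    IFS="$old_ifs"
    java -jar "$jar" "$@"
}

# Usage: sh highlight_maven_scan.sh <source dir> <working dir> <HighlightAutomation.jar> [yes]
if [ $# -ge 3 ]; then
    maven_resolve "$1"
    check_m2_repo "$M2_DIR"
    run_scan "$1" "$2" "$3" "${4:-no}"
fi
```

The repository check runs between the build and the scan on purpose: if the build ran under a different user or with a different HOME than the scan job, the scan would silently report far fewer components with versions, and failing the job early is cheaper than finding that out in framework.validated.csv. On a Windows agent the same four calls translate directly into a PowerShell step with the paths from the example above.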

 

NB:

  • If your application also uses NPM for JavaScript dependency management, add the option --ignoreDirectories "node_modules" to exclude the physical copies of third-party libraries from the scan and get cleaner Software Composition results. To confirm the option is working, compare framework.validated.csv with and without it: with the option activated, more components should be reported with a defined version.
  • In a Continuous Integration (CI) pipeline, a CI build job is an automated task that compiles the code, resolves dependencies, runs pre-build checks, packages the application and fails fast if issues are found.
  • The .m2 directory is the local repository used by Apache Maven for Java projects. It caches the dependencies (JARs, POMs) downloaded from remote repositories so that they are not downloaded again on every build. It also holds settings.xml, the user-specific configuration for proxy settings, repository mirrors, authentication credentials and build profiles. Because that file can contain credentials, treat the .m2 directory as sensitive on shared build agents; the scan only needs read access to it.

.m2 is a hidden folder typically located in the home directory: 

On Linux/macOS: ~/.m2 

On Windows: C:\Users\<YourUsername>\.m2

Additional Resources

CAST Highlight Troubleshooting Guides

CAST Highlight Product Documentation


Ticket

52661, 55885
