I'm trying to setup a sonar scan for a project. This projects uses a free framework (Apache OFBiz) which is a multi language framework (java, JavaScript, xml, groovy, freemarker)
It is also a multi module projects with several subprojects.
I used the gradle sonar task with a local setup and sonarqube.
// build.gradle
sonar {
properties {
property "sonar.exclusions", "**/bin/**, **/org/apache/**"
property "sonar.test.exclusions", "**/src/test/**"
property "sonar.scm.disabled", true
}
}
subprojects {
apply plugin: 'org.sonarqube'
sonar {
skipProject = false
properties {
property "sonar.inclusions", "**/src/**"
}
}
}
Sonaqube gradle plugin is used in the version 3.5.0.2730 and i have the groovy plugin locally installed and running.
Sonarqube locally is version 9.7
So far, I've managed to run a Java scan that suits me in terms of coverage (ignore standard framework and scan client specific java code).
There is also some groovy analysis, but only in the compiled code.
What I would like to do is the following:
I would like to know if it is possible to scan non-compiled groovy code (that uses domain specific syntax)
I couldn't find any topic relevant to that question
I would like to know if it is possible to scan all the languages in the project, and if so, what would be the best way to do it? In a single run? one run per language?
I managed to find some topics, but nothing that is less than one or two years old.
Related
Currently I'm involved in a project for implementing security code reviews for Workfusion bots. Workfusion can handle a mix of Java and Groovy code embedded in XML files or standalone code.
My team is trying to assess if it's possible to use any free/opensource Static Application Security Tool for it. I'm currently exploring the posiblity of creating a plugin for Spotbugs.
I was able to run reviews successfully with Java code + Maven with Spotbugs and FindSecBugs plugins, but I haven't figured out how to extend Spotbugs in order to parse the XML files, extract the embedded Groovy scripts and analyze them.
Do you know any static application security tool for Workfusion or could suggest any approach to extend any other SAST tool?
The main requirement for Find Security Bugs to work is the ability to compile the code.
If you have access to the class files, FindSecurityBugs should work. If the code is evaluate at runtime, you'll need to compile the snippet which is not an easy task if the script have access to a special context with initialized objects.
I have inherited a Java / Maven / Cucumber project. I am fairly new to Cucumber.
Inside one of the folder I have a class like this...
import com.intuit.karate.junit4.Karate;
import org.junit.runner.RunWith;
#RunWith(Karate.class)
public class RoadsRunner {
}
Then in the same subdirectory / package I have a .feature file.
with a number of scenario's.
Feature: Check transaction
Background:
* url apiHost + '/api/v1'
* configure headers = {'X-TransactionID': '#(Math.random().toString())' }
Scenario: Get Classes
# get classes
Given path '/myUrl/classes'
And param processName = 'myProcess'
When method get
Then status 200
Question One.
I am using Eclipse. Is there a way I can debug through the test in a similar way that I would debug a Java app?
I have downloaded myself the Cucumber Eclipse plugin but can't quite figure out how to use it.
Question Two.
Without using a custom plugin to debug is there anything I can add to the scenarios to maybe print extra debug information.
thanks
The Cucumber Eclipse plugin gives you 2 things:
IDE syntax coloring / formatting support
Being able to right-click and run a Feature directly without the JUnit "runner"
Karate is Java behind the scenes so you can debug and set break-points, but it may not be as seamless as you expect. In 0.6.0 you have the option of placing a conditional break-point in Karate code that runs before / after each test step - see screen-shot.
So as you rightly called out, printing to the log might be the most effective way to work through complicated test scripts. Please refer to the print keyword - which is exactly what you are looking for.
2 more points:
the optional HTML report includes all HTTP request / response logs - which is great for troubleshooting a test.
I would love for the Karate UI (currently in alpha) to become stable sooner and be the best option for debugging, please do submit feedback and contribute if you can.
EDIT: we now have the Visual Studio Code IDE support with first-class debug support: https://github.com/intuit/karate/wiki/IDE-Support#vs-code-karate-plugin
EDIt2: If you want to debug Java code, that is possible with the new IntelliJ plugin: https://plugins.jetbrains.com/plugin/19232-karate
As per the documentation here, At this moment best way to debug Karate Steps is using Visual Studio Code for developing tests and VS Code Karate Plugin for debugging.
Visual Studio Code is Free, built on open Source and runs on all platforms including mac/linux and windows.
Please note this
The Karate UI has been retired and is not available in 0.9.5 onwards !
Use the VS Code Debug Support instead.
As per the comment by Peter Thomas, Eclipse/IntelliJ may also support debugging but I am unable to find any development there.
I am looking to add Groovy support to an existing java project so that I can seemlessly compile mixed Java and Groovy code using invokedynamic so that I can get Java-like execution speed without needing to waste excessive amounts of time with verbose Java syntax
After reading that the gmaven plugin no longer supports compilation -and that the groovy eclipse compiler plugin doesn't yet support invokedynamic, I asked myself, why would I want to continue using Maven if it compiles Groovy code that is needlessly slow?
Consequently, I decided I would try scrapping maven for Gradle so that I could obtain faster code while also porting some python deployment scripts to Gradle tasks so as to only need one codebase.
I have some libraries stored on a simple password protected s3 maven repository (in order to avoid needing enterprise overkill like artifactory). After doing some basic research, I have found that Gradle has no built in support for adding in custom dependency management as determined by this stack overlow question and this support forums post.
I did manage to find a s3 plugin for gradle -but it doesn't deal with management of dependencies.
If the whole point of Gradle is to be more flexible than Maven and if the core purpose of a dependency management/ build system is to effectively manage dependencies from a variety of sources-then lack of support for custom repositories appears to be a fairly significant significant design flaw which makes any issues I have encounted with Maven thus far pale in comparison.
However, it is quite possible that I am missing something, and I have already invested several hours learning Gradle -so I figured I would see if there is some reasonable way to emulate dependency management for these s3 dependencies until Gradle developers fix this critical issue. Otherwise I will have to conclude that I am better off just using Maven and tolerating slower Groovy code until the compiler plugin supports invokedynamic.
Basically I need a solution that does the following:
Downloads dependencies and transitive dependencies to the gradle cache
Doesn't require me to hardcode the path to the gradle cache -so that my build script is platform independent.
Doesn't download the dependencies again if they are already in the cache.
Works with a multi-module project.
However, I cannot find anything in the documentation that would even give me a clue as to where to begin:
Gradle 2.4 has native support for S3 repositories. Both downloading dependencies and publishing artifacts.
To download with IAM credentials (paraphrased from the link above):
repositories {
maven {
url "s3://someS3Bucket/path/to/repo/root"
credentials(AwsCredentials) {
accessKey 'access key'
secretKey 'secret key'
}
}
}
Then specify your dependencies as usual.
You don't need any custom repository support to make this work. Just declare a maven repository with the correct URL. If the repository works when used from Maven, it will also work with Gradle. (Uploading may be a different matter.)
You can use S3 and http
repositories {
mavenCentral()
ivy {
url "https://s3-eu-west-1.amazonaws.com/my-bucket"
layout "pattern", {
artifact "[artifact]-[revision].[ext]"
m2compatible = true
}
}
}
Name the jar in S3 to name-rev.jar (joda-time-3.2.jar) in my-bucket.
Also upload a pom file.
And in S3 give all permission to Download the jar and pom.
I want to package a Groovy CLI application in a form that's easy to distribute, similar to what Java does with JARs. I haven't been able to find anything that seems to be able to do this. I've found a couple of things like this that are intended for one-off scripts, but nothing that can compile an entire Groovy application made up of a lot of separate Groovy files and resource data.
I don't necessarily need to have the Groovy standalone executable be a part of it (though that would be nice), and this is not a library intended to be used by other JVM languages. All I want is a simply packaged version of my application.
EDIT:
Based on the couple of responses I got, I don't think I was being clear enough on my goal. What I'm looking for is basically a archive format that Groovy can support. The goal here is to make this easier to distribute. Right now, the best way is to ZIP it up, have the user unzip it, and then modify a batch/shell file to start it. I was hoping to find a way to make this more like an executable JAR file, where the user just has to run a single file.
I know that Groovy compiles down to JVM-compatible byte-code, but I'm not trying to get this to run as Java code. I'm doing some dynamic addition of Groovy classes at runtime based on the user's configuration and Java won't be able to handle that. As I said in the original post, having the Groovy executable is included in the archive is kind of a nice-to-have. However, I do actually need Groovy to be executable that runs, not Java.
The Gradle Cookbook shows how to make a "fat jar" from a groovy project: http://wiki.gradle.org/display/GRADLE/Cookbook#Cookbook-Creatingafatjar
This bundles up all the dependencies, including groovy. The resulting jar file can be run on the command line like:
java -jar myapp.jar
I've had a lot of success using a combination of the eclipse Fat Jar plugin and Yet Another Java Service Wrapper.
Essentially this becomes a 'Java' problem not a groovy problem. Fat Jar is painless to use. It might take you a couple of tries to get your single jar right, but once all the dependencies are flattened into a single jar you are now off an running it at the command line with
java -jar application.jar
I then wrap these jars as a service. I often develop standalone groovy based services that perform some task. I set it up as a service on Windows server using Yet Another Java Service and schedule it using various techniques to interact with Windows services.
I was wondering if there is like a persistence layer for groovy that is integrated on the ide to generate code automatically based on your database structure?
Just use Hibernate, as you would for a Java project.
Groovy can call java, and you can use the cross-compiler to compile both sources when you build your project.
The Hibernate tools will not spit out Java (so the code will be more verbose than the Groovy replacements), but as you won't need to write the code, this doesn't matter ;-)