Thomas Mortagne edited this page Mar 8, 2021 · 5 revisions

Welcome to the fasten-maven-plugin wiki!

Maven configuration

This Maven plugin is generally declared in a pom.xml descriptor, which indicates the version to use and configures its behavior.

  <build>
    <plugins>
      <plugin>
        <groupId>eu.fasten</groupId>
        <artifactId>fasten-maven-plugin</artifactId>
        <version>1.0</version>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
            <configuration>
              <!-- Fail the build if any problem is found in one of the dependencies -->
              <failOnRisk>true</failOnRisk>

              <risks>
                <risk>
                  <!-- Enable quality metrics based risk analysis -->
                  <type>fasten.quality</type>

                  <!-- Don't fail the build if a quality problem is found in one of the dependencies -->
                  <failOnRisk>false</failOnRisk>

                  <!-- Ignore some of the reported problems (false positives, etc.) -->
                  <ignoredCallables>
                    <ignoredCallable>*someMethod*</ignoredCallable>
                    ...
                  </ignoredCallables>

                  <properties>
                    ...
                  </properties>
                </risk>
                <risk>
                  <!-- Enable license incompatibilities based risk analysis -->
                  <type>fasten.license</type>
                </risk>
                <risk>
                  <!-- Enable security vulnerabilities based risk analysis -->
                  <type>fasten.security</type>
                </risk>
                <risk>
                  <!-- Enable binary compatibility based risk analysis -->
                  <type>fasten.binary</type>
                </risk>
              </risks>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

Analyzers

The plugin provides the following analyzers.

Binary compatibility

While the build (and, even before that, most development tools) will naturally spot binary incompatibilities such as using a class that does not exist or calling a missing method, it becomes a lot more complex when the incompatibility involves the code of dependencies or transitive dependencies and you don't have perfect test coverage. This often happens when you have many dependencies that themselves share transitive dependencies in different versions, or when the project relies on code located in an optional transitive dependency. This analyzer navigates the call graph to find such "broken calls" and reports them.
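The walk described above, as an added Python model that is not the plugin's own code: it resolves each callee against the artifact version Maven actually selected, reports calls whose target is absent from that version, only follows edges reachable from the project's own code, and honours ignoredCallables-style glob patterns. The artifacts, versions and callables are constructed for the example.

```python
from fnmatch import fnmatch

# Constructed sample. Maven resolved one version per artifact:
RESOLVED = {"app": "1.0", "lib-a": "2.0", "lib-b": "1.0"}

# Callable -> "artifact:version" that defines it (constructed).
# lib-a 2.0 dropped oldSend(), but lib-b was compiled against lib-a 1.0.
DEFINED = {
    "com.app.Main.run()": "app:1.0",
    "com.a.Client.send()": "lib-a:2.0",
    "com.a.Client.oldSend()": "lib-a:1.0",
    "com.b.Util.fmt()": "lib-b:1.0",
    "com.b.Util.fmtLegacy()": "lib-b:1.0",
}

# Call graph edges, caller -> callees (constructed).
CALLS = {
    "com.app.Main.run()": ["com.b.Util.fmt()"],
    "com.b.Util.fmt()": ["com.a.Client.oldSend()"],        # broken at runtime
    "com.b.Util.fmtLegacy()": ["com.a.Client.missing()"],  # never reached by app
}


def is_resolved(callee, defined, resolved):
    """True if the callee exists in the artifact version Maven selected."""
    home = defined.get(callee)
    if home is None:
        return False
    artifact, version = home.split(":")
    return resolved.get(artifact) == version


def find_broken_calls(roots, calls, defined, resolved, ignored=()):
    """Depth-first walk from the project's callables; report reachable
    edges whose target is missing from the resolved dependency set."""
    broken, seen, stack = [], set(), list(roots)
    while stack:
        caller = stack.pop()
        if caller in seen:
            continue
        seen.add(caller)
        for callee in calls.get(caller, []):
            if is_resolved(callee, defined, resolved):
                stack.append(callee)  # keep walking into the dependency
            elif not any(fnmatch(callee, pat) for pat in ignored):
                broken.append((caller, callee))
    return broken
```

Unreachable code such as fmtLegacy() is not reported even though its call is also broken, which is what keeps call-graph-based analysis quieter than a whole-classpath comparison.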

TODO

Quality metrics

Make sure all of the project's dependencies follow the configured quality rules.

TODO

Security vulnerabilities

Analyze the call graph to find used methods known to be affected by a security vulnerability.

TODO

License compatibility

Analyze the call graph to find license incompatibilities (for example reaching a GPL 3.0 call while the project is licensed under Apache 2.0).

TODO

Custom analyzer

It's possible to contribute your own analyzers, in which case the type is the name of your class.

TODO
