Tag Archives: Maven

Use Maven to Find Security Vulnerabilities and Viral Licenses in Applications


October 10, 2012 By Bentmann Benjamin

A few months ago, we launched Insight Application Health Check. Today, I’d like to announce another way to get started tracking licensing and security issues. In this post, I’m going to show you how to scan your project with nothing more than Maven and an existing project. You can get started with Insight without having to download a client or server. All you’ll need to do is run a simple plugin from the command line.

To enable users to scan their applications, we provide an executable JAR with a graphical user interface. With this interface users are a few clicks away from results. But, even with this GUI, some users want to be able to use Insight’s Application Health Check from the command-line because sometimes “clicking” isn’t the most effective way to get something done. If you’re building your application using Apache Maven, you probably already have a terminal window open to invoke its build phases. So, while you’re in there, adding or updating some dependencies in your POM and repackaging your application, why not check whether this dependency update introduced some security vulnerability or license issue, especially if it’s as easy as adding another goal to your command line? Meet the Application Health Check Maven Plugin:

mvn package com.sonatype.insight:ahc:run -D ahc.email=my.name@mycompany.com


Download it All at Once: A Maven Idea


August 28, 2012 By Tim O'Brien

Consider, for a moment, your big corporate project that you work with every day. I know. It’s huge. I see several of these projects on a constant basis. Maybe you have one big project with multi-modules. Maybe you have a more mature approach that splits up a very large project into several multi-module projects. Whatever it is, there’s a chance that you also work in the kind of environment that has a huge build with hundreds of dependencies that spans tens of thousands of lines of code. Your build spends most of the day juggling dependencies, both internal and external

…and, the build takes forever the first time you run it. Correction, the build takes forever every time you run it because it is just that big, and because you have the sort of environment that demands you always check for snapshot updates. Welcome to the reality of using Maven on a very large-scale project.


Best Strategy for Migrating from Apache Ant to Apache Maven


August 9, 2012 By Tim O'Brien

Whenever I teach a Maven training class someone invariably asks me to give some advice for migrating a large, complex Ant project to Maven. Toward the end of the class, I’ll take questions:

Participant: “Could you give us some guidance for migrating Ant projects to Maven? Is there a process that you recommend to make it easier?”

My (honest) answer: “If it’s a complex project, it won’t be an easy battle. Before you go down this road you need to understand what you are signing up for. It can be very complex, you may end up interrupting an active development cycle, and once you evaluate all of your options you might find it easier to first migrate to a repository manager. Maven’s not the big win, moving a repository is.”

In other words, I often find myself trying to discourage swapping build tools just for the sake of swapping build tools. While I do believe that Maven is preferable to Ant, I think that the build space often suffers from a belief that the grass really is greener on the other side. It might be, but is it greener enough to justify that work stoppage that is involved in taking a big important project and moving it to a different build technology? Often the answer is no. If it isn’t related to making money, switching a build system is often the last thing an enterprise wants to do.

In this post I’m going to talk about why the process of migrating build tools starts with a repository manager.


Ken Rimple Interviews Brian Fox: Maven 3, Running Central, and Nexus


March 22, 2012 By Tim O'Brien

Brian Fox sat down with Ken Rimple of Chariot Solutions to talk about Nexus and to put repository management in the context of recent developments with Maven. Ken Rimple and Chariot have been long-term partners with Sonatype supporting our Maven training efforts, so Ken has enough Maven background to ask some interesting questions.

Listen to Chariot TechCast, Episode #71, Brian Fox of Sonatype on Nexus 2

The Legacy of Maven: Binary Reusability

The interview leads off with a discussion about Maven, Maven’s history, and some of the recent developments surrounding the Maven ecosystem. Brian identifies binary reusability and declarative builds as the two important legacies of Maven:

“One of the unique things that Maven brought to the table, and what may in fact be the legacy for Maven years down the road, is that it introduced the concept of having binary reusability and not rebuilding the world as everybody was used to doing. The other aspect was making things more of a declarative model especially the dependencies. That was all unique at the time.”

What Does It Take to Run Central?

Ken and Brian discuss the introduction and development of Central, from the initial efforts to create a single coordinate system for artifacts in 2001 and 2002 through to the current iteration of the repository. Brian is very involved in the effort to maintain Central, so this is your chance to hear him discuss some of the internals of that effort: How much bandwidth does Central consume? How much effort is involved in maintaining Central? What are the day-to-day operations for running Central?

Key quotes about Central: “We’re approaching half a Terabyte for artifact storage” and “We’re seeing 50 to 60 new projects added every day”.

You will hear about how Nexus is used to enforce standards for artifacts added to Central from forges like Apache, JBoss, java.net, Codehaus, as well as the instance of Nexus that Sonatype provides for independent projects: http://oss.sonatype.org.

New Features in Nexus 2.0

Brian then discusses the important features we’re introducing with Nexus 2.0, including support for .NET, the Repository Health Check, and our support for distributed proxies.

Again, if you haven’t listened to it, you should. Go over to Chariot Solutions and listen to Chariot TechCast Episode #71, or better yet, open up iTunes and subscribe to Chariot’s podcast.

What do cartoons have to do with build systems?


February 23, 2012 By Tim O'Brien

You know who this guy is? Probably not, he’s Rube Goldberg.

I’m surprised by how few engineers know his work. Rube Goldberg was a cartoonist who lived from 1883 to 1970; he’s famous for drawing cartoons of ridiculous and inconceivably complex machines. His work was important during a time in which the world was becoming increasingly mechanized and automated, providing a sort of cultural “steam vent”: a way for people to poke fun at machines and industry. I’d embed his work here, but none of it is public domain, so see for yourself or search Google Images. (Be warned, you can spend hours looking at these cartoons.)

I learned about Rube Goldberg from an Engineering professor who, at the time, said, “Rube Goldberg is the most important thing you’ll learn over the next four years”. Back then, we all thought he was joking, but it turns out that he wasn’t. In fact, I wish more people, especially “build engineers” had some exposure to these cartoons. If they had, they’d take a step back and realize that there has to be a better way.
