# Home

Welcome to the fasten-maven-plugin wiki!

This Maven plugin is declared in a project's `pom.xml` descriptor, where you indicate the version to use and configure its behavior:
```xml
<build>
  <plugins>
    <plugin>
      <groupId>eu.fasten</groupId>
      <artifactId>fasten-maven-plugin</artifactId>
      <version>0.1</version>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
          <configuration>
            <!-- Fail the build if any problem is found in one of the dependencies -->
            <failOnRisk>true</failOnRisk>
            <risks>
              <risk>
                <!-- Enable quality metrics based risk analysis -->
                <type>fasten.quality</type>
                <!-- Don't fail the build if a quality problem is found in one of the dependencies -->
                <failOnRisk>false</failOnRisk>
                <!-- Ignore reported problems related to specific callables (false positives, etc.) -->
                <ignoredCallables>
                  <ignoredCallable>.*someMethod.*</ignoredCallable>
                  ...
                </ignoredCallables>
                <!-- Ignore reported problems related to specific dependencies (false positives, etc.) -->
                <ignoredDependencies>
                  <ignoredDependency>org.mygroupid:myartifactid</ignoredDependency>
                  <ignoredDependency>org.myothergroupid:.*</ignoredDependency>
                  ...
                </ignoredDependencies>
                <properties>
                  ...
                </properties>
              </risk>
              <risk>
                <!-- Enable license incompatibilities based risk analysis -->
                <type>fasten.license</type>
              </risk>
              <risk>
                <!-- Enable security vulnerabilities based risk analysis -->
                <type>fasten.security</type>
              </risk>
              <risk>
                <!-- Enable binary compatibility based risk analysis -->
                <type>fasten.binary</type>
              </risk>
            </risks>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```
The configuration options are:

- `failOnRisk`: `true` (the default) to fail the build if any risk is identified in the dependency tree call graph
- `fastenApiUrl`: allows defining an alternative FASTEN server; by default https://api.fasten-project.eu/api is used
- `outputDirectory`: the folder where serialized call graphs are stored; the default is `target/call-graphs/`
- `metadataBatch`: the number of callables whose metadata is requested from the REST API at the same time; the default is `100`
- `serialize`: controls whether the generated call graph is serialized; `true` by default
- `risks`: used to enable and configure the analyzers to execute
The plugin comes with various analyzers.
### type: `fasten.binary`

While the build (and, even before that, most development tools) will naturally spot binary incompatibilities in your own code, such as using a class that does not exist or calling a missing method, it becomes a lot more complex when the incompatibility involves the code of dependencies or transitive dependencies, unless you have perfect test coverage. This often happens when a project has many dependencies that themselves share transitive dependencies in different versions, or when the project relies on code located in an optional transitive dependency. This analyzer navigates the call graph to find such "broken calls" and reports them.
### type: `fasten.quality`

Compares the quality metrics found in the call graph against configured thresholds. The following properties set those thresholds:

- `complexity`: the complexity above which the analyzed callable is a risk
- `length`: the length above which the analyzed callable is a risk
- `nloc`: the number of lines of code above which the analyzed callable is a risk
- `parameter_count`: the number of parameters above which the analyzed callable is a risk
- `token_count`: the number of tokens above which the analyzed callable is a risk
### type: `fasten.security`

Analyzes the call graph to find used methods known to be affected by a security vulnerability.

### type: `fasten.license`

Analyzes the call graph to find license incompatibilities (for example, reaching a GPL 3.0 call while the project is licensed under Apache 2.0).
It's possible to contribute your own analyzers, in which case the type is the name of your class. There are two requirements:

- implement the `eu.fasten.maven.analyzer.RiskAnalyzer` interface
- indicate your fully qualified class name as the type, for example `<type>org.myproject.MyRiskAnalyzer</type>`
It's possible to ignore callables or entire dependencies in case of false positives using the properties `ignoredCallables` and `ignoredDependencies`. They can be set either at the general configuration level, to apply to all analyzers, or inside a specific `<risk>`, to apply only to that analyzer.