eclipse / steady

Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/

Compiling plugin-maven files take forever

nasifimtiazohi opened this issue · comments

I am trying to build this project with the single command mvn clean install -P gradle -DSkipTests. However, after the compilation of most modules, compilation gets stuck for the plugin-maven module. I have tried building both the current master branch and release 3.1.6 with the same outcome. Below is the console output where the compilation gets stuck (along with an increased fan speed noise of my laptop):

[INFO] ------------< com.sap.research.security.vulas:plugin-maven >------------
[INFO] Building Plugin for Maven 3.1.7-SNAPSHOT                         [14/19]
[INFO] ----------------------------[ maven-plugin ]----------------------------
[INFO] 
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ plugin-maven ---
[INFO] Deleting /Users/nasifimtiaz/git/vulnerability-assessment-tool/plugin-maven/target
[INFO] 
[INFO] --- versions-maven-plugin:2.7:display-dependency-updates (check-version) @ plugin-maven ---
[INFO] The following dependencies in Dependencies have newer versions:
[INFO]   junit:junit ........................................ 4.12 -> 4.13-rc-2
[INFO]   org.apache.maven:maven-compat ......................... 3.6.1 -> 3.6.3
[INFO]   org.apache.maven:maven-core ........................... 3.6.1 -> 3.6.3
[INFO]   org.apache.maven:maven-plugin-api ..................... 3.6.1 -> 3.6.3
[INFO]   org.codehaus.plexus:plexus-utils ...................... 3.2.1 -> 3.3.0
[INFO] 
[INFO] The following dependencies in pluginManagement of plugins have newer versions:
[INFO]   org.apache.maven.wagon:wagon-file ..................... 3.3.3 -> 3.3.4
[INFO] 
[INFO] The following dependencies in Plugin Dependencies have newer versions:
[INFO]   org.apache.maven.wagon:wagon-file ..................... 3.3.3 -> 3.3.4
[INFO] 
[INFO] 
[INFO] --- versions-maven-plugin:2.7:display-property-updates (check-version) @ plugin-maven ---
[INFO] 
[INFO] This project does not have any properties associated with versions.
[INFO] 
[INFO] 
[INFO] --- buildnumber-maven-plugin:1.4:create (default) @ plugin-maven ---
[INFO] Executing: /bin/sh -c cd '/Users/nasifimtiaz/git/vulnerability-assessment-tool/plugin-maven' && 'git' 'rev-parse' '--verify' 'HEAD'
[INFO] Working directory: /Users/nasifimtiaz/git/vulnerability-assessment-tool/plugin-maven
[INFO] Storing buildNumber: 5d4ee4bedd228f67bd800dc41e7709507646e9d9 at timestamp: 1575849991620
[INFO] Storing buildScmBranch: master
[INFO] 
[INFO] --- jacoco-maven-plugin:0.8.4:prepare-agent (default-prepare-agent) @ plugin-maven ---
[INFO] argLine set to -javaagent:/Users/nasifimtiaz/.m2/repository/org/jacoco/org.jacoco.agent/0.8.4/org.jacoco.agent-0.8.4-runtime.jar=destfile=/Users/nasifimtiaz/git/vulnerability-assessment-tool/plugin-maven/target/jacoco.exec,excludes=**/antlr/Java*.*
[INFO] 
[INFO] --- maven-plugin-plugin:3.5.2:helpmojo (help-goal) @ plugin-maven ---
[WARNING] 

Goal prefix is specified as: 'vulas'. Maven currently expects it to be ''.

[INFO] Using 'UTF-8' encoding to read mojo source files.
[INFO] java-javadoc mojo extractor found 0 mojo descriptor.
[INFO] java-annotations mojo extractor found 0 mojo descriptor.
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ plugin-maven ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 1 resource
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ plugin-maven ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 12 source files to /Users/nasifimtiaz/git/vulnerability-assessment-tool/plugin-maven/target/classes

My machine is Mac OS X 10.14.6. I have 8 CPU cores and 16 GB RAM on my machine. In Eclipse, I have set up the heap space to be 8GB (I tried to mvn install from the terminal but faced the same outcome).

What could be the possible reasons behind this and how can I troubleshoot?

[Note that I have also posted this question on Stack Overflow with the vulas tag.]

Also as a sidenote, I am getting these warnings when I am trying to build this project:

[WARNING] 
[WARNING] Some problems were encountered while building the effective model for com.sap.research.security.vulas:rest-lib-utils:jar:3.1.7-SNAPSHOT
[WARNING] 'dependencies.dependency.systemPath' for com.sun:tools:jar refers to a non-existing file /Library/Java/JavaVirtualMachines/openjdk-11.0.1.jdk/Contents/Home/../lib/tools.jar. Please verify that you run Maven using a JDK and not just a JRE. @ line 200, column 16
[WARNING] 
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING] 
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]

Both my Eclipse environment and the Maven command in the terminal point to a JDK (which can be seen from the message itself).

I am not sure what's causing this problem!

I tried to only install the Maven plugin with debugging enabled with this command: mvn install -pl plugin-maven -am -e -X -DskipTests

I am pasting some output from when the compilation gets stuck:

[INFO] Changes detected - recompiling the module!
[DEBUG] Classpath:
[DEBUG]  /Users/nasifimtiaz/git/vulnerability-assessment-tool/plugin-maven/target/classes
[DEBUG]  /Users/nasifimtiaz/git/vulnerability-assessment-tool/lang/target/lang-3.1.7-SNAPSHOT.jar
[DEBUG]  /Users/nasifimtiaz/git/vulnerability-assessment-tool/shared/target/shared-3.1.7-SNAPSHOT.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.9.10/jackson-core-2.9.10.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.10.1/jackson-databind-2.9.10.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.9.10/jackson-annotations-2.9.10.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/commons-configuration/commons-configuration/1.10/commons-configuration-1.10.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/httpcomponents/httpclient/4.5.10/httpclient-4.5.10.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/httpcomponents/httpcore/4.4.12/httpcore-4.4.12.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/javassist/javassist/3.25.0-GA/javassist-3.25.0-GA.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/commons-cli/commons-cli/1.4/commons-cli-1.4.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/commons/commons-compress/1.19/commons-compress-1.19.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/antlr/antlr4-runtime/4.7.2/antlr4-runtime-4.7.2.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/velocity/velocity/1.7/velocity-1.7.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/commons-lang/commons-lang/2.4/commons-lang-2.4.jar
[DEBUG]  /Users/nasifimtiaz/git/vulnerability-assessment-tool/lang-java-reach/target/lang-java-reach-3.1.7-SNAPSHOT.jar
[DEBUG]  /Users/nasifimtiaz/git/vulnerability-assessment-tool/lang-java/target/lang-java-3.1.7-SNAPSHOT.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/ibm/wala/com.ibm.wala.core/1.4.3/com.ibm.wala.core-1.4.3.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/ibm/wala/com.ibm.wala.util/1.4.3/com.ibm.wala.util-1.4.3.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/ibm/wala/com.ibm.wala.shrike/1.4.3/com.ibm.wala.shrike-1.4.3.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/google/guava/guava/27.1-jre/guava-27.1-jre.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/checkerframework/checker-qual/2.5.2/checker-qual-2.5.2.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/google/errorprone/error_prone_annotations/2.2.0/error_prone_annotations-2.2.0.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/google/j2objc/j2objc-annotations/1.1/j2objc-annotations-1.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/codehaus/mojo/animal-sniffer-annotations/1.17/animal-sniffer-annotations-1.17.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/maven-core/3.6.1/maven-core-3.6.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/maven-model/3.5.4/maven-model-3.5.4.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/maven-settings/3.6.1/maven-settings-3.6.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/maven-settings-builder/3.6.1/maven-settings-builder-3.6.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/sonatype/plexus/plexus-sec-dispatcher/1.4/plexus-sec-dispatcher-1.4.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/maven-builder-support/3.6.1/maven-builder-support-3.6.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/maven-repository-metadata/3.6.1/maven-repository-metadata-3.6.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/maven-artifact/3.6.1/maven-artifact-3.6.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/maven-model-builder/3.6.1/maven-model-builder-3.6.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/maven-resolver-provider/3.6.1/maven-resolver-provider-3.6.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/resolver/maven-resolver-impl/1.3.3/maven-resolver-impl-1.3.3.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/resolver/maven-resolver-api/1.3.3/maven-resolver-api-1.3.3.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/resolver/maven-resolver-spi/1.3.3/maven-resolver-spi-1.3.3.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/resolver/maven-resolver-util/1.3.3/maven-resolver-util-1.3.3.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/shared/maven-shared-utils/3.2.1/maven-shared-utils-3.2.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.3/org.eclipse.sisu.plexus-0.3.3.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/javax/enterprise/cdi-api/1.0/cdi-api-1.0.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/eclipse/sisu/org.eclipse.sisu.inject/0.3.3/org.eclipse.sisu.inject-0.3.3.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/google/inject/guice/4.2.1/guice-4.2.1-no_aop.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/codehaus/plexus/plexus-classworlds/2.6.0/plexus-classworlds-2.6.0.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/codehaus/plexus/plexus-component-annotations/1.7.1/plexus-component-annotations-1.7.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/commons/commons-lang3/3.8.1/commons-lang3-3.8.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/maven-plugin-api/3.6.1/maven-plugin-api-3.6.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/maven/plugin-tools/maven-plugin-annotations/3.6.0/maven-plugin-annotations-3.6.0.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/codehaus/plexus/plexus-utils/3.2.1/plexus-utils-3.2.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/ant/ant/1.10.7/ant-1.10.7.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/apache/ant/ant-launcher/1.10.7/ant-launcher-1.10.7.jar
[DEBUG]  /Users/nasifimtiaz/git/vulnerability-assessment-tool/lang-java/target/lang-java-3.1.7-SNAPSHOT-jar-with-dependencies.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/bitbucket/mstrobel/procyon-compilertools/0.5.36/procyon-compilertools-0.5.36.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/bitbucket/mstrobel/procyon-core/0.5.36/procyon-core-0.5.36.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/ch/uzh/ifi/seal/changedistiller/0.0.4/changedistiller-0.0.4.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/google/inject/extensions/guice-assistedinject/4.2.2/guice-assistedinject-4.2.2.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/com/google/inject/guice/4.2.2/guice-4.2.2.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/eclipse/jdt/core/compiler/ecj/4.6.1/ecj-4.6.1.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/codehaus/plexus/plexus-interpolation/1.25/plexus-interpolation-1.25.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/org/slf4j/slf4j-api/1.7.21/slf4j-api-1.7.21.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/javax/validation/validation-api/2.0.1.Final/validation-api-2.0.1.Final.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
[DEBUG]  /Users/nasifimtiaz/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
[DEBUG] Source roots:
[DEBUG]  /Users/nasifimtiaz/git/vulnerability-assessment-tool/plugin-maven/src/main/java
[DEBUG]  /Users/nasifimtiaz/git/vulnerability-assessment-tool/plugin-maven/target/generated-sources/plugin
[DEBUG] incrementalBuildHelper#beforeRebuildExecution
[INFO] Compiling 12 source files to /Users/nasifimtiaz/git/vulnerability-assessment-tool/plugin-maven/target/classes

Are you using JDK8 or JDK11? Currently, this tool only supports JDK8.
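
A preflight check for the JDK requirement stated in this reply, added here as an illustration; it is not part of the original thread or of the project's own scripts. It parses the java -version banner under both the legacy 1.8.x and the newer 11.x version schemes and looks for lib/tools.jar, the file named in the systemPath warning quoted earlier. The function names and the second sample banner are assumptions.

```shell
#!/bin/sh
# Preflight for building a project that only supports JDK 8.
# Illustrative helper names; not taken from the project.

# version_from_banner: read `java -version` output on stdin and print the
# quoted version string from the first matching line.
version_from_banner() {
    sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# jdk_major VERSION: print the major version number.
# Legacy scheme (JDK <= 8): 1.8.0_232 -> 8. Newer scheme (JDK >= 9): 11.0.1 -> 11.
jdk_major() {
    case "$1" in
        1.*) _rest=${1#1.}; printf '%s\n' "${_rest%%[!0-9]*}" ;;
        *)   printf '%s\n' "${1%%[!0-9]*}" ;;
    esac
}

# check_jdk JAVA_HOME_DIR VERSION: return 0 only if the JDK is version 8 and
# ships lib/tools.jar. tools.jar was removed in JDK 9 and is absent from a
# bare JRE. On JDK 8 the POM's ${java.home}/../lib/tools.jar resolves to
# $JAVA_HOME/lib/tools.jar because java.home points at $JAVA_HOME/jre.
check_jdk() {
    _home=$1
    _major=$(jdk_major "$2")
    _rc=0
    if [ "$_major" != "8" ]; then
        echo "JDK $2 (major ${_major:-unknown}): this build expects JDK 8" >&2
        _rc=1
    fi
    if [ ! -f "$_home/lib/tools.jar" ]; then
        echo "missing $_home/lib/tools.jar" >&2
        _rc=1
    fi
    return $_rc
}

# Demo on sample banners: 11.0.1 matches the JDK path in the warning above,
# 1.8.0_232 is a constructed JDK 8 example.
for banner in 'openjdk version "11.0.1"' 'java version "1.8.0_232"'; do
    ver=$(printf '%s\n' "$banner" | version_from_banner)
    echo "$ver -> major $(jdk_major "$ver")"
done

# Real use, before starting the build:
#   check_jdk "$JAVA_HOME" "$(java -version 2>&1 | version_from_banner)" \
#       && mvn clean install -DskipTests
```
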

I am using JDK11. Let me try with JDK8. Thanks for the reply.

Build is successful with JDK8. I am closing this issue.

However, I am confused about how to use this application. I understand that there are several modules for frontends and client-side scan but I don't know how to set it up. The docs kind of start from accessing the frontend UI on the localhost. But I don't know how to run the application to run the UI.

Could you help me on how to run this tool? @Naramsim

Hi @nasifimtiazohi, sure! First of all, you should understand the main three parts of the tool:

  • frontend: Used to access the results of scans
  • backend: Used to aggregate the data and fetch known vulnerabilities
  • client: Used to scan your personal applications

In your case, the client is called plugin-maven if you are scanning an application built with Maven. The backend is a set of APIs which are hosted right now on your localhost:8033/backend; the frontend is instead a simple website that fetches scan results from the APIs and formats those nicely.

The client is already present on your machine since you were able to mvn install the project, so your local .m2 is filled with an archive called plugin-maven. Now you need the backend/frontend. Follow this guide to have them set up. The thing that you have to know is that we don't offer any service for the public clients, so the clients have to install the frontend/backend somewhere. Once you have the backend/frontend ready you need to load the data about vulnerabilities inside, with this guide.

Once you are there you are ready to start some scans on local applications. Basically you need to add to your application's pom.xml a section that instructs your plugin-maven about how to connect to the backend APIs. You can follow this guide.

Once you're done with your scan you should be able to see the results in your workspace in the frontend.

I know this entire procedure is quite long and complicated but it all originates from the fact that we are not allowed to offer our service (frontend+backend) to Internet users. So you have to spin up all the backend logic.

Thanks a lot for your explanation @Naramsim

I was able to build and start the Docker containers following the guide. http://localhost:8033/haproxy?stats also shows all the seven layers are up and running I believe.

Before moving on to loading vulnerabilities, I don't know how to access the frontend and backend. I believe I can't figure out the appropriate ports and address to put on my browser from the little docker commands I know of. It'd be really helpful for me if you can give me some directions here.

Update: should localhost:8033/apps be the front-end for the application? And /bugs is where I should see the vulnerability data after loading them? And, I should not care about the other addresses such as /backend and /cia (care as in while using the UI of the tool)?

Correct, both /backend and /cia expose a number of services called either by the scan clients (Maven plugin, etc.) or the Web frontends (/bugs and /apps).