Run with Maven Plugin

The plugin will recursively analyze all your Maven modules to detect negative examples of your best coding practices.

Installation

To add the plugin to your project, modify the pluginRepositories section of your root pom.xml:
  <pluginRepositories>
    <pluginRepository>
      <id>promyze-public</id>
      <url>https://nexus.promyze.com/repository/promyze-public/</url>
    </pluginRepository>
  </pluginRepositories>
Then update your plugins section:
  <build>
    <pluginManagement>
      <plugins>
        <!-- your other plugins -->
        <plugin>
          <groupId>com.promyze</groupId>
          <artifactId>scanner</artifactId>
          <version>1.0</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
The plugin needs two settings:
  • promyze.apiKey: a user API key used to fetch the practices
  • promyze.url: the full URL of the Promyze instance
Both can be passed on the command line (aNbe..av is a placeholder key):
  mvn com.promyze:scanner:scan -Dpromyze.apiKey=aNbe..av -Dpromyze.url=https://acme.promyze.app
You can also use environment variables:
  • PROMYZE_URL
  • PROMYZE_API_KEY
In that case, you can run the following command without any extra parameters:
  mvn com.promyze:scanner:scan

Configuration

Here is the list of parameters you can use:
  • -Dpromyze.sources: the top-level directories or files to analyze for each module. Default: src.
  • -Dpromyze.extensions: a comma-separated list of file extensions; only files with one of these extensions are analyzed. Example: .java. Default: .java,.kt,.scala,.groovy
  • -Dpromyze.formatters: a comma-separated list of formatters, chosen among "console", "sonarqube" and "sarif". Default: console.
  • -Dpromyze.mode: execution mode:
    • all: scans the whole codebase
    • onlyChanged: scans only the files changed in the SCM (only Git is currently supported)
    Default: all.
  • -Dpromyze.exclude: a comma-separated list of patterns; a file whose path contains one of them is excluded from the analysis.
  • -Dpromyze.severity: severity assigned to the issues in the report, such as "WARNING", "MAJOR", "BLOCKER", etc. Only relevant when one of the formatters is "sonarqube" or "sarif". Default: MAJOR.
  • -Dpromyze.issueType: the issue type assigned to reported issues. Only relevant when the formatters include "sonarqube". Choose among: BUG, VULNERABILITY, CODE_SMELL. Default: BUG.
  • -Dpromyze.outputFile: the output file for each module. Only relevant when one of the formatters is "sonarqube" or "sarif". Default: ${project.build.directory}/promyze-scan.json.
  • -Dpromyze.errorIfResults: if true and any issue is found during the analysis, the scan stops with exit code 1 (which can fail the CI/CD pipeline). Default: false.
  • -Dpromyze.url: the full Promyze URL (e.g. https://acme.promyze.app). It can also be passed through the PROMYZE_URL environment variable.
  • -Dpromyze.apiKey: the full Promyze API key. We recommend using the PROMYZE_API_KEY environment variable instead.
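The following POSIX sh helper is an added example of wiring these parameters into a CI quality gate; it is not part of the plugin or its documentation. It assumes PROMYZE_URL and PROMYZE_API_KEY are exported by the CI secret store, and it deliberately never places the key on the mvn command line, so the key does not end up in process listings, shell history or build logs. The function name promyze_scan_cmd and the SARIF output path are assumptions.

```shell
#!/bin/sh
# Added example (not from the Promyze docs): build the mvn command line for a
# CI gate that scans only changed files, writes a SARIF report and fails the
# build on any finding. The API key is read by the plugin from PROMYZE_API_KEY;
# it is checked for presence here but never echoed or put on the command line.

# Usage: promyze_scan_cmd <all|onlyChanged> <output-file>
# Prints the mvn invocation on stdout; returns 1 (printing nothing on stdout)
# when a required variable is missing or the mode is unknown.
promyze_scan_cmd() {
    mode="$1"
    out="$2"
    if [ -z "${PROMYZE_URL:-}" ] || [ -z "${PROMYZE_API_KEY:-}" ]; then
        echo "PROMYZE_URL and PROMYZE_API_KEY must be set" >&2
        return 1
    fi
    case "$mode" in
        all|onlyChanged) ;;
        *) echo "unknown promyze.mode: $mode" >&2; return 1 ;;
    esac
    # promyze.url is not secret, so passing it explicitly is fine.
    # errorIfResults=true turns findings into a non-zero exit (see the list above).
    echo "mvn com.promyze:scanner:scan" \
         "-Dpromyze.url=$PROMYZE_URL" \
         "-Dpromyze.mode=$mode" \
         "-Dpromyze.formatters=console,sarif" \
         "-Dpromyze.outputFile=$out" \
         "-Dpromyze.errorIfResults=true"
}

# In a CI step (constructed usage):
#   eval "$(promyze_scan_cmd onlyChanged target/promyze-scan.sarif)"
```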
If you'd like to submit feedback or suggestions to improve this plugin, feel free to send them via the following link: