JEE Maven Http Extractor - 4.1

Extension ID

com.castsoftware.JEE-MavenHttp

What’s new?

See JEE Maven Http Extractor 4.1 - Release Notes for more information.

Extension description

This extension provides the means to extract JAR based source code via http/https from a remote Maven repository, as well as from a Maven repository on your file system (file://). This is similar in function to the Maven repository on your file system option that is provided “out of the box” in the CAST Delivery Manager Tool, with an enhancement that combines the capabilities of the old Maven HTTP Extractor and of the legacy Maven Extractor on your file system.

In what situation should you install this extension?

This extension should be used when you want to extract JAR based source code that is stored in a remote Maven repository. For example, when your JEE application relies on JAR files and the initial extraction of this application in the CAST Delivery Manager Tool throws “missing library file” alerts, you can use this extension to extract the missing files from a remote Maven repository and resolve the alerts.

Technical information

  • The extension does not contain a source code “discoverer” (to determine the type of source code project) and therefore relies on other discoverers that are already installed in the CAST Delivery Manager Tool or via other extensions to do so.
  • This extractor supports remote Maven repositories as well as Maven repositories on your file system. The URL format must use the http/https/file protocol.
  • If you need to extract data from an https repository, please ensure that you are using the extension with AIP Core ≥ 8.3.10.

Supported Maven releases

Maven release  Supported
3.x.x (tick)
2.x.x (tick)
1.x.x (tick)

CAST AIP compatibility

This extension is compatible with:

CAST AIP release Supported
8.3.x where x ≥ 3 (tick)

Extension interface

The following screen shots show the differences in the product when the extension is installed:

  • A new sub-option will be added to the Automated extraction of required jar files option:

  • The new sub-option is called Maven repository:

  • The Package Configuration tab then offers the following interface to access your Maven repository:

Option

Explanation

1

Enter the direct URL for your Maven repository using the http/https protocol.

2

Select the Proxy option if the Maven http repository requires a proxy pass, then configure:

  • Host: Used to configure the proxy hostname required to access the Maven http repository.
  • Port: Used to configure the proxy port required to access the Maven http repository.
3

Tick the Credentials option if the Maven repository requires authenticated access, then configure:

  • User name: Used to configure the user name that has sufficient privileges to access the Maven repository for packaging purposes.
  • Password: Used to configure the password that corresponds to your User name configured above.
  • Remember password: This option enables you to force the CAST Delivery Manager Tool to save the database access credentials you have entered above. Choosing an option has no impact on the extraction (i.e. the CAST Delivery Manager Tool can still access the required resources). However, if you are creating subsequent versions of the same schemas on the same server, you can choose to store the password (by storing you will not need to re-enter it). There are two save options:
    • Local > The credentials are saved in the user's local workspace on the current machine. Choose this option if you do not want the password to be available to other Delivery Managers.
    • Server > The credentials are saved locally (as above) and are also synchronized back to the CAST AIC Portal (i.e. the Source Code Delivery Folder). Choose this option if you want the password to be available to other Delivery Managers.
4

This option enables you to specify specific artifacts that you know need to be extracted in order to resolve a packaging alert. You can specify the artifact using:

  • Group ID (usually a reverse domain name like com.example.foo) - this option is mandatory
  • Artifact ID (usually the name) - this option is mandatory
  • Version (the artifact's version string) - this option is mandatory
  • Classifier (an arbitrary string that distinguishes artifacts that were built from the same POM but differ in their content) - this option is mandatory.
  • If you do not specify an element, the CAST Delivery Manager Tool will automatically populate the list of elements when you run the Package action based on what it finds in the repository URL you have entered.
  • <groupID> or <artifactID> configured in <relocation> tags are supported.
  • maven-metadata.xml will be used to determine a best version for the <versionID> if no pom.xml can be found.
5

Additional Maven Repository: This option enables configuring additional Maven repositories.

  • Repository URL: Enter the direct URL for your additional Maven repository using the http/https/file protocol
  • User name: Used to configure the user name that has sufficient privileges to access the Maven repository for packaging purposes
  • Password: Used to configure the password that corresponds to your User name configured above.

Each additional repository has its own configuration options for user name and password.

6
These options should not be modified unless you are having issues such as missing JARs, missing classes, broken transactions etc. In the vast majority of situations, the default values for these options are sufficient.

These three options (available in ≥ 4.1.x) govern how the extractor behaves with regard to depth of artifacts extracted. The default settings are as shown below:

To allow the extractor to extract as many artifacts as needed, you can use the following settings:

  • Extract Dependencies Depth: 99
  • Maximum Extracted Artifacts Factor: 999
  • Maximum Extracted Artifacts before Loops Factor: 999

However, when using these unlimited options, the maximum number of extracted artifacts would be 999 * minimum remediated artifacts. This could lead to performance issues, so these parameters should be changed with caution (e.g., to ensure stability of transaction call graphs).

Packaging and extraction messages

The following messages may appear during the packaging action:

Message ID Format Message Action
.http.connectionFailed ERROR Connection failed for %URL%: %MESSAGE% Check the connection URL.
.http.authenticationFailed ERROR Authentication failed: %MESSAGE% Check the credentials are correct.
.http.artifactRetrievalFailed ERROR Technical error during the extraction of the artifact from %URL% failed: %MESSAGE% Check the access to the repository.
.http.artifactMetadataRetrievalFailed ERROR Technical error during the extraction of the maven-metadata.xml file from %URL% failed: %MESSAGE% Without the data required to identify the versions for this artifact, we can't determine a best version. Please contact CAST Technical Support and report a bug.
.http.versionMetadataRetrievalFailed ERROR Technical error during the extraction of the maven-metadata.xml file from %URL% failed: %MESSAGE% Without the data required to identify the files for the SNAPSHOT, the artifact can't be extracted. Please contact CAST Technical Support and report a bug.
.http.pomReadContentError ERROR Technical error while reading the pom file for the artifact [%GROUP_ID%][%ARTIFACT_ID%][%VERSION%]: %MESSAGE% If the relocation is defined, the jar file will not be extracted. Please contact CAST Technical Support and report a bug.
.http.artifactWithoutVersion WARNING No version has been provided for the artifact [%GROUP_ID%][%ARTIFACT_ID%]. In the maven dependency, the version should be defined or inherited from the parent. Check the packaging of the source code.

.http.artifactWithVersionVariable WARNING Version has been provided with variable for the artifact [%GROUP_ID%][%ARTIFACT_ID%]. The variable should be defined or inherited from the parent. Check the packaging of the source code.
.http.notSupportedArtifactWithRange WARNING The automated extraction of artifacts with range is not supported: artifact [%GROUP_ID%][%ARTIFACT_ID%][%VERSION%]. Please contact CAST Technical Support and report a feature request.
.http.getArtifact INFO Start to retrieve the artifact [%GROUP_ID%][%ARTIFACT_ID%][%VERSION%] from the repository. None.
.http.notFoundArtifact INFO The artifact %GROUP_ID% %ARTIFACT_ID% has not been found in the repository. Check the configuration details and update if necessary.
.http.notFoundArtifactMetadata INFO The metadata for artifact %GROUP_ID% %ARTIFACT_ID% has not been found in the repository. Check the configuration details and update if necessary.
.combined.invalidURL ERROR .combined.invalidURL => %URL%=%MESSAGE% Check the repository URL provided. Supported protocols: file://, http://, https://
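
A pre-flight check that mirrors the conditions behind the .combined.invalidURL and .http.artifact* messages above, so a repository URL and a set of dependency versions can be screened before packaging. This is an added example, not CAST's code: the function names, the sample dependencies, the allowed character set and the detection rules are assumptions based on Maven's version syntax and standard repository layout, not the extractor's actual logic.

```python
import re
from urllib.parse import urlsplit
COORD = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\-]*$")  # assumed safe character set

def check_repository_url(url):
    """Return None when the URL is usable, else the message ID from the table."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    ok = scheme == "file" or (scheme in ("http", "https") and parts.hostname)
    return None if ok else ".combined.invalidURL"

def classify_version(version):
    """Map a dependency's <version> text to the warning it would trigger."""
    if version is None or not version.strip():
        return ".http.artifactWithoutVersion"
    v = version.strip()
    if "${" in v:  # unresolved property such as ${foo.version}
        return ".http.artifactWithVersionVariable"
    if v[0] in "[(" or "," in v:  # Maven range syntax such as [1.0,2.0)
        return ".http.notSupportedArtifactWithRange"
    return None

def artifact_url(repo_url, group_id, artifact_id, version, classifier=None):
    """Build the JAR URL using the standard Maven repository layout."""
    coords = [group_id, artifact_id, version] + ([classifier] if classifier else [])
    for part in coords:
        if not COORD.match(part) or ".." in part:  # refuse path separators and ".."
            raise ValueError(f"unsafe coordinate: {part!r}")
    path = [group_id.replace(".", "/"), artifact_id, version, "-".join(coords[1:]) + ".jar"]
    return "/".join([repo_url.rstrip("/")] + path)

def preflight(repo_url, dependencies):
    """Return (coordinates, message ID or resolved URL) for each dependency."""
    if check_repository_url(repo_url):
        return [(repo_url, ".combined.invalidURL")]
    report = []
    for group_id, artifact_id, version in dependencies:
        issue = classify_version(version)
        result = issue or artifact_url(repo_url, group_id, artifact_id, version.strip())
        report.append((f"{group_id}:{artifact_id}", result))
    return report

# Constructed sample dependencies (hypothetical repository and artifacts).
SAMPLE = [("com.example.foo", "foo-core", "1.2.3"),
          ("com.example.foo", "foo-api", "${foo.version}"),
          ("com.example.foo", "foo-util", "[1.0,2.0)"),
          ("com.example.foo", "foo-web", None)]
if __name__ == "__main__":
    print(*preflight("https://repo.example.com/maven2", SAMPLE), sep="\n")
```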

Limitations

Parent POM files scanned

Parent POM files are scanned but a limit is added to the recursive extraction of the Maven dependent artifacts.

When packaging a J2EE Maven resource package, if a pom file has a parent, the parent file is scanned and we extract all JAR dependencies from the first level.

Packaging Type <POM>

A POM file with the packaging type <POM> will not extract additional “JAR”, “WAR” and “ZIP” resource files.

Extraction Limitations

Extraction levels are limited to:

  • Two for dependent artifacts
  • No limit for parent artifacts

The total number of artifacts extracted using additional levels is limited to ten times the number of remediation artifacts (extracted at the base level). The first two additional levels are not started if this number is greater than three times the number of remediation artifacts.

Avoid using JEE Maven Http Extractor ≥ 2.0.3 and ≤ 2.0.5: in these releases JAR dependencies are extracted recursively without limit, which could have a big impact on performance.