[CLOV-1632] Protect against deployment of instrumented code

    • Issue Type: Suggestion
    • Resolution: Fixed
    • 4.0.4
    • Maven plugin
    • None

      If a user calls "mvn clover2:setup install" or "mvn clover2:setup deploy", code instrumented by Clover will be installed to ~/.m2 or deployed to a repository.

      This may not be the desired behavior, especially if the developer is not aware of it (for instance, if someone switches on the automatic Clover integration in Bamboo).

      Furthermore, installation may occur not only for "install" or "deploy" phases given explicitly on the command line, but also when a plug-in runs such a life cycle (mvn release:perform, for instance).

      Implement a protection against it: in clover2:setup, check in the reactor which phases are about to run and refuse code instrumentation if 'install' or 'deploy' will be called.

      This protection shall not be enabled by default, because there may actually be a need to install instrumented code (for instance, multiple build plans using the same local m2 cache or repository to fetch compiled artifacts, where we want to measure coverage for all modules).

      Enable protection by a flag, e.g.

      <configuration>
        <repositoryPollutionProtection>true</repositoryPollutionProtection>
      </configuration>
      

      mvn -Dmaven.clover.repositoryPollutionProtection=true

      Expected behavior: fail a build if repositoryPollutionProtection=true and build lifecycle contains 'install' or 'deploy' phases.

      Extra:

      Also fail if the artifact contains a custom classifier and clover2:instrument is used (as Maven cannot handle an artifact with two classifiers).
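
One way the check requested above could look inside a Maven 3 plugin, as an added example that is not Clover's own code. The goal name `guard-setup` and the class `PollutionGuardMojo` are hypothetical; only the `repositoryPollutionProtection` flag and its `maven.clover.` property come from the issue.

```java
// Added illustration, not Clover's source. Goal and class names are hypothetical.
import java.util.Arrays;
import java.util.List;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.lifecycle.LifecycleExecutor;
import org.apache.maven.lifecycle.MavenExecutionPlan;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecution;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;

@Mojo(name = "guard-setup") // hypothetical goal name
public class PollutionGuardMojo extends AbstractMojo {

    // Phases that copy build output into ~/.m2 or a remote repository.
    private static final List<String> PUBLISHING_PHASES = Arrays.asList("install", "deploy");

    @Parameter(defaultValue = "${session}", readonly = true, required = true)
    private MavenSession session;

    @Component
    private LifecycleExecutor lifecycleExecutor;

    // Off by default, as the issue requests.
    @Parameter(property = "maven.clover.repositoryPollutionProtection", defaultValue = "false")
    private boolean repositoryPollutionProtection;

    @Override
    public void execute() throws MojoExecutionException {
        if (!repositoryPollutionProtection) {
            return; // protection not requested: instrumented code may be installed
        }
        MavenExecutionPlan plan;
        try {
            String[] tasks = session.getGoals().toArray(new String[0]);
            // Expands a phase such as "verify" or "deploy" into every phase before it.
            plan = lifecycleExecutor.calculateExecutionPlan(session, tasks);
        } catch (Exception e) {
            throw new MojoExecutionException("Cannot compute the execution plan", e);
        }
        for (MojoExecution execution : plan.getMojoExecutions()) {
            String phase = execution.getLifecyclePhase(); // null for directly invoked goals
            if (phase != null && PUBLISHING_PHASES.contains(phase)) {
                throw new MojoExecutionException("repositoryPollutionProtection=true: phase '"
                        + phase + "' would publish instrumented code; refusing to instrument");
            }
        }
    }
}
```

The check only sees the plan of the Maven process it runs in, so a build forked by another plugin is covered only if the guard goal is part of that forked invocation as well.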

            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3342488 ] New: JAC Suggestion Workflow 3 [ 3584977 ]
            Status Original: RESOLVED [ 5 ] New: Closed [ 6 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: New Clover Workflow [ 898055 ] New: JAC Suggestion Workflow [ 3342488 ]
            Issue Type Original: New Feature [ 2 ] New: Suggestion [ 10000 ]
            Status Original: Closed [ 6 ] New: Resolved [ 5 ]
            Piotr Swiecicki made changes -
            Workflow Original: Clover Workflow [ 896462 ] New: New Clover Workflow [ 898055 ]
            Piotr Swiecicki made changes -
            Workflow Original: reviewflow [ 828703 ] New: Clover Workflow [ 896462 ]
            Marek Parfianowicz made changes -
            Issue Type Original: Improvement [ 4 ] New: New Feature [ 2 ]
            Marek Parfianowicz made changes -
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Marek Parfianowicz made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: To be reviewed [ 10026 ] New: Resolved [ 5 ]
            Marek Parfianowicz made changes -
            Link New: This issue relates to BAM-15847 [ BAM-15847 ]
            Marek Parfianowicz made changes -
            Status Original: In Progress [ 3 ] New: To be reviewed [ 10026 ]
              mparfianowicz Marek Parfianowicz