Suggestion
Resolution: Fixed
If a user calls "mvn clover2:setup install" or "mvn clover2:setup deploy", code instrumented by Clover will be installed to ~/.m2 or deployed to a repository.
This may not be the desired behavior, especially if the developer is not aware of it (for instance if someone switches on the automatic Clover integration in Bamboo).
Furthermore, installation may occur not only for "install" or "deploy" phases expressed explicitly in the command line, but it can also happen when a plug-in runs such a life cycle (mvn release:perform for instance).
Implement a protection against it - in clover2:setup, check in the reactor which phases are about to run and refuse code instrumentation if 'install' or 'deploy' will be called.
This protection shall not be enabled by default, because there may actually be a need to install instrumented code (for instance - multiple build plans using the same local m2 cache or repository to fetch compiled artifacts and we want to measure coverage for all modules).
Enable protection by a flag, e.g.
<configuration>
  <repositoryPollutionProtection>true</repositoryPollutionProtection>
</configuration>
mvn -Dmaven.clover.repositoryPollutionProtection=true
Expected behavior: fail a build if repositoryPollutionProtection=true and build lifecycle contains 'install' or 'deploy' phases.
Extra:
Fail also if artifact contains a custom classifier and clover2:instrument is used (as Maven cannot handle an artifact with two classifiers).
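The requested check can be approximated outside the plug-in as a pre-flight guard in a CI wrapper script. This is an added example, not Clover's own code: the function name clover_guard is hypothetical, and it sees only the mvn command line, so it covers the -D flag but not the POM <configuration> form, and release:perform is the only lifecycle-forking goal it knows about because that is the one named above.

```shell
#!/bin/sh
# Hypothetical pre-flight guard (not part of Clover): inspects the arguments
# that are about to be passed to mvn and returns 1 when protection is enabled
# and an instrumented build would also install or deploy artifacts.
clover_guard() {
    protect=false        # -Dmaven.clover.repositoryPollutionProtection=true seen
    instruments=false    # clover2:setup requested
    publishes=""         # phases/goals that write to ~/.m2 or a remote repository
    skip_next=false
    for arg in "$@"; do
        if $skip_next; then
            skip_next=false
            continue
        fi
        case "$arg" in
            -Dmaven.clover.repositoryPollutionProtection=true)
                protect=true ;;
            -f|--file|-P|--activate-profiles|-s|--settings|-pl|--projects)
                skip_next=true ;;    # next word is the option's value, not a goal
            -*)
                ;;                   # any other option or -D property
            clover2:setup)
                instruments=true ;;
            install|deploy|install:*|deploy:*|release:perform)
                publishes="$publishes $arg" ;;
        esac
    done
    if $protect && $instruments && [ -n "$publishes" ]; then
        echo "refusing: Clover-instrumented build would run:$publishes" >&2
        return 1
    fi
    return 0
}
```

In a wrapper it would be called as `clover_guard "$@" && mvn "$@"`, so a refused invocation never reaches Maven.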
[CLOV-1632] Protect against deployment of instrumented code
Workflow | Original: JAC Suggestion Workflow [ 3342488 ] | New: JAC Suggestion Workflow 3 [ 3584977 ] |
Status | Original: RESOLVED [ 5 ] | New: Closed [ 6 ] |
Workflow | Original: New Clover Workflow [ 898055 ] | New: JAC Suggestion Workflow [ 3342488 ] |
Issue Type | Original: New Feature [ 2 ] | New: Suggestion [ 10000 ] |
Status | Original: Closed [ 6 ] | New: Resolved [ 5 ] |
Workflow | Original: Clover Workflow [ 896462 ] | New: New Clover Workflow [ 898055 ] |
Workflow | Original: reviewflow [ 828703 ] | New: Clover Workflow [ 896462 ] |
Issue Type | Original: Improvement [ 4 ] | New: New Feature [ 2 ] |
Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
Resolution | New: Fixed [ 1 ] | |
Status | Original: To be reviewed [ 10026 ] | New: Resolved [ 5 ] |
Status | Original: In Progress [ 3 ] | New: To be reviewed [ 10026 ] |