PHOENIX-6065 Add OWASP dependency check, and update the flagged direct dependencies

move build instructions from README.md to BUILDING.md
copy reporting setup from core
update jetty to 9.4.31
update zookeeper to 3.5.8

update spotbugs to latest
diff --git a/BUILDING.md b/BUILDING.md
new file mode 100644
index 0000000..ccf88ad
--- /dev/null
+++ b/BUILDING.md
@@ -0,0 +1,80 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+![logo](https://phoenix.apache.org/images/phoenix-logo-small.png)
+
+<b>[Apache Phoenix](http://phoenix.apache.org/)</b> enables OLTP and operational analytics in Hadoop for low latency applications. Visit the Apache Phoenix website <b>[here](http://phoenix.apache.org/)</b>. This is the repo for the Phoenix Query Server (PQS).
+
+Copyright ©2020 [Apache Software Foundation](http://www.apache.org/). All Rights Reserved.
+
+## Building
+
+This repository will build a tarball which is capable of running the Phoenix Query Server.
+
+By default, this tarball does not contain a Phoenix client jar as it is meant to be agnostic
+of Phoenix version (one PQS release can be used against any Phoenix version). Today, PQS builds against
+the Phoenix 4.15.0-HBase-1.4 release.
+
+```
+$ mvn package
+```
+
+### Bundling a Phoenix Client
+
+To build a release of PQS which packages a specific version of Phoenix, specify the `package-phoenix-client` system property
+and specify the `phoenix.version` system property to indicate a specific Phoenix version.
+
+PQS will package the same version of Phoenix used for build/test. This version is controlled by the
+ `phoenix.version` system property.
+
+```
+$ mvn package -Dpackage.phoenix.client -Dphoenix.version=5.1.0-SNAPSHOT
+```
+
+### Running integration tests
+
+`mvn package` will run the unit tests while building, but it will not run the integration test suite.
+
+The IT suite is run when executing `mvn install` or `mvn verify`. The Phoenix version specified
+with `phoenix.version` is used for running the integration tests.
+
+When specifying `phoenix.version`, also specify the HBase version to be used
+for integration testing by activating the corresponding `hbase<minor.major>` profile.
+
+When using a Phoenix 5.x version, activate the `hbase-2.x` profile in addition to the
+profile for the minor 2.x version.
+
+```
+$ mvn verify -Dpackage.phoenix.client -Dphoenix.version=4.16.0-SNAPSHOT -Phbase-1.3
+```
+```
+$ mvn install -Dpackage.phoenix.client -Dphoenix.version=5.1.0-SNAPSHOT -Phbase-2.1 -Phbase-2.x
+```
+
+### Running project reports
+
+Phoenix-queryserver currently supports generating the standard set of Maven Project Info Reports,
+as well as Spotbugs, Apache Creadur RAT, OWASP Dependency-Check, and Jacoco Code Coverage reports.
+
+To run all available reports
+`$ mvn clean verify site -Dspotbugs.site`
+
+To run OWASP, RAT and Spotbugs, but not Jacoco
+`$ mvn clean compile test-compile site -Dspotbugs.site`
+
+The reports are accessible via `target/site/index.html`, under the main project,
+as well as each of the subprojects. (not every project has all reports)
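Review bot: the property name in the "Bundling a Phoenix Client" prose does not match the command. The text says to "specify the `package-phoenix-client` system property", but the example on the next lines (and both integration-test examples further down) pass `-Dpackage.phoenix.client`; pick one spelling and use it in both places. Two smaller points in the same file: `hbase<minor.major>` should read `hbase<major.minor>` (the examples use `-Phbase-1.3` and `-Phbase-2.1`), and the two report commands (`$ mvn clean verify site -Dspotbugs.site` and the `compile test-compile site` variant) are shown as inline code rather than the fenced blocks used for every other command in the file.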
diff --git a/README.md b/README.md
index a2783df..55e1fba 100644
--- a/README.md
+++ b/README.md
@@ -30,46 +30,5 @@
 The reference client implementation for PQS is a "thin" JDBC driver which can communicate with PQS. There
 are drivers in other languages which exist in varying levels of maturity including Python, Golang, and .NET.
 
-## Building
-
-This repository will build a tarball which is capable of running the Phoenix Query Server.
-
-By default, this tarball does not contain a Phoenix client jar as it is meant to be agnostic
-of Phoenix version (one PQS release can be used against any Phoenix version). Today, PQS builds against
-the Phoenix 4.15.0-HBase-1.4 release.
-
-```
-$ mvn package
-```
-
-### Bundling a Phoenix Client
-
-To build a release of PQS which packages a specific version of Phoenix, specify the `package-phoenix-client` system property
-and specify the `phoenix.version` system property to indicate a specific Phoenix version.
-
-PQS will package the same version of Phoenix used for build/test. This version is controlled by the
- `phoenix.version` system property.
-
-```
-$ mvn package -Dpackage.phoenix.client -Dphoenix.version=5.1.0-SNAPSHOT
-```
-
-### Running integration tests
-
-`mvn package` will run the unit tests while building, but it will not run the integration test suite.
-
-The IT suite is run when executing `mvn install` or `mvn verify`. The Phoenix version specified
-with `phoenix.version` is used for running the integration tests.
-
-When specifying `phoenix.version`, also specify the HBase version to be used
-for integration testing by activating the corresponding `hbase<minor.major>` profile.
-
-When using a Phoenix 5.x version, activate the `hbase-2.x` profile in addition to the
-profile for the minor 2.x version.
-
-```
-$ mvn verify -Dpackage.phoenix.client -Dphoenix.version=4.16.0-SNAPSHOT -Phbase-1.3
-```
-```
-$ mvn install -Dpackage.phoenix.client -Dphoenix.version=5.1.0-SNAPSHOT -Phbase-2.1 -Phbase-2.x
-```
+The Python driver is maintained by the Phoenix project, and is available in the python-phoenixdb
+directory of the phoenix-queryserver repository.
\ No newline at end of file
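Review bot: README.md now has no pointer to where the build instructions went. Since the whole "Building" section is removed here and recreated in BUILDING.md, add a one-line link (for example `See [BUILDING.md](BUILDING.md) for build instructions.`) so readers landing on the README can find it. The new paragraph also lacks a trailing newline (`\ No newline at end of file`); please add one.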
diff --git a/phoenix-queryserver-load-balancer/pom.xml b/phoenix-queryserver-load-balancer/pom.xml
index 68ea55d..6e76e15 100644
--- a/phoenix-queryserver-load-balancer/pom.xml
+++ b/phoenix-queryserver-load-balancer/pom.xml
@@ -105,6 +105,10 @@
       <artifactId>zookeeper</artifactId>
     </dependency>
     <dependency>
+      <groupId>org.apache.zookeeper</groupId>
+      <artifactId>zookeeper-jute</artifactId>
+    </dependency>
+    <dependency>
       <groupId>org.apache.curator</groupId>
       <artifactId>curator-client</artifactId>
     </dependency>
diff --git a/phoenix-queryserver/pom.xml b/phoenix-queryserver/pom.xml
index 441d01b..f5305e4 100644
--- a/phoenix-queryserver/pom.xml
+++ b/phoenix-queryserver/pom.xml
@@ -157,7 +157,7 @@
     </dependency>
     <dependency>
       <groupId>org.apache.zookeeper</groupId>
-      <artifactId>zookeeper</artifactId>
+      <artifactId>zookeeper-jute</artifactId>
     </dependency>
     <dependency>
       <groupId>org.apache.hadoop</groupId>
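Review bot: this replaces the `zookeeper` artifact with `zookeeper-jute` instead of adding it alongside, which is what the phoenix-queryserver-load-balancer hunk does. If phoenix-queryserver still references ZooKeeper classes directly rather than only through Curator or Hadoop, the direct dependency is now gone and will only be resolved transitively, which is exactly the kind of undeclared-dependency drift the new dependency-check report is meant to surface. Either keep both dependencies as in the load-balancer module, or state in the commit message that ZooKeeper is no longer used directly here.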
diff --git a/pom.xml b/pom.xml
index c57292f..bcd8126 100644
--- a/pom.xml
+++ b/pom.xml
@@ -26,7 +26,7 @@
     <parent>
       <groupId>org.apache</groupId>
       <artifactId>apache</artifactId>
-      <version>21</version>
+      <version>23</version>
     </parent>
 
     <groupId>org.apache.phoenix</groupId>
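Review bot: the apache parent bump from 21 to 23 is not mentioned in the commit message, and it changes the managed versions of core plugins (surefire, failsafe, rat, javadoc and others) for the whole build. Please call it out in the message, or split it into its own commit so it can be bisected separately from the ZooKeeper and Jetty updates.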
@@ -75,11 +75,11 @@
         <hadoop.version>2.7.5</hadoop.version>
 
         <!-- Dependency versions -->
-        <zookeeper.version>3.4.10</zookeeper.version>
+        <zookeeper.version>3.5.8</zookeeper.version>
         <curator.version>2.12.0</curator.version>
 
         <gson.version>2.2.4</gson.version>
-        <jetty.version>9.4.27.v20200227</jetty.version>
+        <jetty.version>9.4.31.v20200723</jetty.version>
         <commons-io.version>2.5</commons-io.version>
         <commons-collections.version>3.2.2</commons-collections.version>
         <sqlline.version>1.9.0</sqlline.version>
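Review bot: `curator.version` stays at 2.12.0 while `zookeeper.version` jumps from 3.4.10 to 3.5.8. Curator 2.x was built against the ZooKeeper 3.4 line; the 3.5 line is what Curator 4.x targets. Please confirm `mvn verify` passes with this combination, and consider bumping Curator in the same change, since it is a direct dependency and therefore also in scope for the dependency-check report this commit introduces.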
@@ -95,14 +95,25 @@
         <!-- Plugin versions -->
         <maven-eclipse-plugin.version>2.9</maven-eclipse-plugin.version>
         <maven-build-helper-plugin.version>1.9.1</maven-build-helper-plugin.version>
+        <spotbugs-maven-plugin.version>4.1.3</spotbugs-maven-plugin.version>
+        <spotbugs.version>4.1.3</spotbugs.version>
+        <maven-owasp-plugin.version>5.3.2</maven-owasp-plugin.version>
+        <jacoco-maven-plugin.version>0.8.5</jacoco-maven-plugin.version>
 
         <!-- Plugin options -->
         <it.failIfNoSpecifiedTests>false</it.failIfNoSpecifiedTests>
         <surefire.failIfNoSpecifiedTests>false</surefire.failIfNoSpecifiedTests>
+        <!-- Empty argument when code coverage is deactivated -->
+        <jacocoArgLine></jacocoArgLine>
 
         <!-- Set default encoding so multi-byte tests work correctly on the Mac -->
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+
+        <!-- JaCoCo thresholds which we can override in each sub-module if required -->
+        <!-- The current setting does not mandate any coverage -->
+        <jacoco.instruction.coverage.percentage>0.0</jacoco.instruction.coverage.percentage>
+        <jacoco.branch.coverage.percentage>0.0</jacoco.branch.coverage.percentage>
     </properties>
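Review bot: both `jacoco.instruction.coverage.percentage` and `jacoco.branch.coverage.percentage` are 0.0, so a coverage check bound to these properties can never fail; the comment says as much, but if the intent is a ratchet, a follow-up to raise them per module should be tracked. Minor naming point: the property is `maven-owasp-plugin.version` but the plugin is `dependency-check-maven`; naming it `dependency-check-maven.version` matches the pattern used for `spotbugs-maven-plugin.version` and `jacoco-maven-plugin.version` on the neighbouring lines.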
 
     <build>
@@ -186,7 +197,7 @@
                     <artifactId>maven-surefire-plugin</artifactId>
                     <configuration>
                         <reuseForks>true</reuseForks>
-                        <argLine>-enableassertions -Xmx2250m -XX:MaxPermSize=128m
+                        <argLine>@{jacocoArgLine} -enableassertions -Xmx2250m -XX:MaxPermSize=128m
                             -Djava.security.egd=file:/dev/./urandom "-Djava.library.path=${hadoop.library.path}${path.separator}${java.library.path}" -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=./target/</argLine>
                         <redirectTestOutputToFile>true</redirectTestOutputToFile>
                         <shutdown>kill</shutdown>
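Review bot: while this argLine is being touched, `-XX:MaxPermSize=128m` could be dropped; it has been a no-op that prints a startup warning since Java 8. The `@{jacocoArgLine}` prefix correctly uses the late-evaluated form, which is needed because the property is only set by the jacoco `prepare-agent` execution and defaults to the empty string when coverage is skipped, so the argLine is unchanged in that case.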
@@ -204,7 +215,7 @@
                                 <runOrder>alphabetical</runOrder>
                                 <reuseForks>false</reuseForks>
                                 <runOrder>alphabetical</runOrder>
-                                <argLine>-Xmx2000m -XX:MaxPermSize=256m -Djava.security.egd=file:/dev/./urandom "-Djava.library.path=${hadoop.library.path}${path.separator}${java.library.path}" -XX:NewRatio=4 -XX:SurvivorRatio=8 -XX:+UseCompressedOops -XX:+UseConcMarkSweepGC -XX:+DisableExplicitGC -XX:+UseCMSInitiatingOccupancyOnly -XX:+CMSClassUnloadingEnabled -XX:+CMSScavengeBeforeRemark -XX:CMSInitiatingOccupancyFraction=68 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=./target/</argLine>
+                                <argLine>@{jacocoArgLine} -Xmx2000m -XX:MaxPermSize=256m -Djava.security.egd=file:/dev/./urandom "-Djava.library.path=${hadoop.library.path}${path.separator}${java.library.path}" -XX:NewRatio=4 -XX:SurvivorRatio=8 -XX:+UseCompressedOops -XX:+UseConcMarkSweepGC -XX:+DisableExplicitGC -XX:+UseCMSInitiatingOccupancyOnly -XX:+CMSClassUnloadingEnabled -XX:+CMSScavengeBeforeRemark -XX:CMSInitiatingOccupancyFraction=68 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=./target/</argLine>
                                 <redirectTestOutputToFile>true</redirectTestOutputToFile>
                                 <shutdown>kill</shutdown>
                                 <testSourceDirectory>${basedir}/src/it/java</testSourceDirectory>
@@ -239,6 +250,32 @@
                     </executions>
                 </plugin>
                 <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>${maven-owasp-plugin.version}</version>
+                    <configuration>
+                        <skipProvidedScope>true</skipProvidedScope>
+                        <skipRuntimeScope>true</skipRuntimeScope>
+                        <skipSystemScope>true</skipSystemScope>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>com.github.spotbugs</groupId>
+                    <artifactId>spotbugs-maven-plugin</artifactId>
+                    <version>${spotbugs-maven-plugin.version}</version>
+                    <dependencies>
+                        <dependency>
+                            <groupId>com.github.spotbugs</groupId>
+                            <artifactId>spotbugs</artifactId>
+                            <version>${spotbugs.version}</version>
+                        </dependency>
+                    </dependencies>
+                    <configuration>
+                        <effort>Max</effort>
+                        <maxHeap>2048</maxHeap>
+                    </configuration>
+                </plugin>
+                <plugin>
                     <!-- FIXME not working, leaving it here as a reminder -->
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-checkstyle-plugin</artifactId>
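Review bot: `skipRuntimeScope` is set to true, so runtime-scoped dependencies are excluded from the dependency-check scan. Unlike provided and system scope, runtime-scoped jars are shipped in the PQS tarball, so a vulnerable runtime dependency would not appear in the report at all; drop `<skipRuntimeScope>true</skipRuntimeScope>` and keep only the provided and system skips. Also consider setting `failBuildOnCVSS` so the plugin can gate a build instead of only feeding the site report.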
@@ -315,14 +352,6 @@
                     <excludes>
                         <!-- precommit? -->
                         <exclude>**/patchprocess/**</exclude>
-                        <!-- Not our code -->
-                        <exclude>python/requests-kerberos/**</exclude>
-                        <exclude>python/phoenixdb/phoenixdb/avatica/proto/*</exclude>
-                        <exclude>python/phoenixdb/*.rst</exclude>
-                        <exclude>python/phoenixdb/ci/**</exclude>
-                        <exclude>python/phoenixdb/doc/*.rst</exclude>
-                        <exclude>python/phoenixdb/doc/conf.py</exclude>
-                        <exclude>python/phoenixdb/doc/Makefile</exclude>
                     </excludes>
                 </configuration>
             </plugin>
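Review bot: the removed RAT excludes point at `python/...` paths, while the README hunk says the Python driver now lives in the `python-phoenixdb` directory. If those third-party files (requests-kerberos, the avatica proto stubs, the Sphinx `conf.py` and `Makefile`) were moved rather than deleted, RAT will now flag them for missing license headers and the `site` and `verify` runs documented in BUILDING.md will fail; either add excludes for the new location or state in the commit message that the files are gone.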
@@ -445,6 +474,17 @@
                 </exclusions>
             </dependency>
             <dependency>
+                <groupId>org.apache.zookeeper</groupId>
+                <artifactId>zookeeper-jute</artifactId>
+                <version>${zookeeper.version}</version>
+                <exclusions>
+                  <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-log4j12</artifactId>
+                  </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>
               <groupId>org.eclipse.jetty</groupId>
               <artifactId>jetty-util</artifactId>
               <version>${jetty.version}</version>
@@ -612,4 +652,121 @@
             </dependency>
         </dependencies>
     </dependencyManagement>
+  <profiles>
+      <profile>
+      <id>codecoverage</id>
+      <activation>
+        <property>
+            <name>!skip.code-coverage</name>
+        </property>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.jacoco</groupId>
+            <artifactId>jacoco-maven-plugin</artifactId>
+            <version>${jacoco-maven-plugin.version}</version>
+            <executions>
+              <execution>
+                <id>prepare-agent</id>
+                <goals>
+                  <goal>prepare-agent</goal>
+                </goals>
+                <configuration>
+                  <propertyName>jacocoArgLine</propertyName>
+                </configuration>
+              </execution>
+              <execution>
+                <id>report</id>
+                <phase>post-integration-test</phase>
+                <goals>
+                  <goal>report</goal>
+                </goals>
+              </execution>
+              <execution>
+                <id>check</id>
+                <phase>verify</phase>
+                <goals>
+                    <goal>check</goal>
+                </goals>
+                <configuration>
+                  <rules>
+                    <rule>
+                      <element>BUNDLE</element>
+                      <limits>
+                        <limit>
+                          <counter>INSTRUCTION</counter>
+                          <value>COVEREDRATIO</value>
+                          <minimum>${jacoco.instruction.coverage.percentage}</minimum>
+                        </limit>
+                        <limit>
+                          <counter>BRANCH</counter>
+                          <value>COVEREDRATIO</value>
+                          <minimum>${jacoco.branch.coverage.percentage}</minimum>
+                        </limit>
+                      </limits>
+                    </rule>
+                  </rules>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
+      <id>spotbugs-site</id>
+      <activation>
+        <property>
+            <name>!spotbugs.site</name>
+        </property>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>com.github.spotbugs</groupId>
+            <artifactId>spotbugs-maven-plugin</artifactId>
+            <configuration>
+              <spotbugsXmlOutput>true</spotbugsXmlOutput>
+              <xmlOutput>true</xmlOutput>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
+  <reporting>
+    <plugins>
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+      </plugin>
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <reportSets>
+          <reportSet>
+              <reports>
+                  <report>aggregate</report>
+              </reports>
+          </reportSet>
+        </reportSets>
+      </plugin>
+      <plugin>
+        <groupId>org.jacoco</groupId>
+        <artifactId>jacoco-maven-plugin</artifactId>
+        <reportSets>
+          <reportSet>
+            <reports>
+              <report>report</report>
+            </reports>
+          </reportSet>
+        </reportSets>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.rat</groupId>
+        <artifactId>apache-rat-plugin</artifactId>
+      </plugin>
+    </plugins>
+  </reporting>
 </project>
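Review bot: the `spotbugs-site` profile is activated by `!spotbugs.site`, so it is on when the property is absent and off when `-Dspotbugs.site` is passed. The name suggests the opposite, and the actual effect (XML output enabled for plain builds, disabled for the site run) is not obvious from reading it; add an XML comment explaining the intent or rename it to something like `spotbugs-xml`. The same applies to `codecoverage`, which is on by default and switched off with `-Dskip.code-coverage`; that flag is not mentioned in BUILDING.md. Style: this block is indented with 2 spaces where the rest of pom.xml uses 4, and the `<profiles>` element sits at a different indentation level from its sibling `<dependencyManagement>`.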