
Integrate agents with Maven

You can create a Veracode SCA agent that automates the scanning of your Maven repositories.

Prerequisites

Your agent host has specific requirements that depend on the build and package managers your repositories use and on the language being scanned. To view the requirements, see the code language in Finding and fixing vulnerabilities.

Set up the Maven plugin

Use the Maven plugin to automate scans of your Maven repositories. You can upload the results of plugin scans to Veracode for a specific organization or to your personal environment.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select a workspace.

  4. Select Agents > Actions > Create > Maven.

  5. Select Create Agent & Generate Token.

  6. Choose to set your API token as an environment variable in the environment where you build your Maven repository, or add the token directly to the configuration within your pom.xml file:

    • Environment Configuration:

      • Run this command to set your API token to the SRCCLR_API_TOKEN environment variable:

        export SRCCLR_API_TOKEN={apiToken}

        If your shell supports it, you may want to prefix the command with a space to avoid leaving the token in your shell history.

      • Run this command in the root of your Maven project to start a scan:

        mvn clean compile com.srcclr:srcclr-maven-plugin:scan

    • pom.xml Configuration:

      • Add this code to your pom.xml file in the root directory:

        <build>
          <plugins>
            <plugin>
              <groupId>com.srcclr</groupId>
              <artifactId>srcclr-maven-plugin</artifactId>
              <version><!-- Insert latest version --></version>
              <configuration>
                <!-- Add configuration details here -->
                <apiToken>OptionallyEnterUserTokenHere</apiToken>
              </configuration>
              <executions>
                <execution>
                  <id>srcclr-scan</id>
                  <phase>verify</phase>
                  <goals>
                    <goal>scan</goal>
                  </goals>
                </execution>
              </executions>
            </plugin>
          </plugins>
        </build>

      • Save the pom.xml file. Because the execution is bound to the verify phase, the plugin runs automatically whenever you run verify or any later Maven lifecycle phase, such as install or deploy.
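The environment-variable option from step 6, as an added shell example that is not part of the Veracode documentation: a small wrapper that refuses to run the scan when pom.xml still carries a hard-coded apiToken (the weak configuration), and otherwise hands SRCCLR_API_TOKEN only to the mvn child process so the token never appears on the command line or in shell history. The function names and the optional token-file argument are assumptions; mvn is only needed when a scan actually runs.

```shell
#!/usr/bin/env bash
# Added example, not Veracode's own code. Assumes bash, grep, sed and, for a
# real scan, mvn on PATH.
set -u

# Returns 0 (true) when the given pom.xml contains a non-empty <apiToken>
# value other than the documentation placeholder, i.e. a committed secret.
pom_has_hardcoded_token() {
  local pom="$1"
  local value
  value=$(grep -o '<apiToken>[^<]*</apiToken>' "$pom" 2>/dev/null \
          | sed -e 's#<apiToken>##' -e 's#</apiToken>##' | head -n 1)
  case "$value" in
    ''|OptionallyEnterUserTokenHere) return 1 ;;   # no token, or placeholder
  esac
  return 0
}

# Runs the scan from the docs. The token comes from SRCCLR_API_TOKEN (for
# example a CI secret) or, failing that, from a mode-0600 file given as the
# second argument (assumed convention). It is never echoed or passed as an
# argument, and is exported only to the mvn process.
run_sca_scan() {
  local pom="${1:-pom.xml}"
  local token_file="${2:-}"
  if pom_has_hardcoded_token "$pom"; then
    echo "refusing to scan: $pom contains a hard-coded <apiToken>;" \
         "remove it and set SRCCLR_API_TOKEN instead" >&2
    return 2
  fi
  if [ -z "${SRCCLR_API_TOKEN:-}" ] && [ -n "$token_file" ] && [ -r "$token_file" ]; then
    SRCCLR_API_TOKEN=$(cat "$token_file")
  fi
  if [ -z "${SRCCLR_API_TOKEN:-}" ]; then
    echo "SRCCLR_API_TOKEN is not set and no readable token file was given" >&2
    return 3
  fi
  SRCCLR_API_TOKEN="$SRCCLR_API_TOKEN" mvn clean compile com.srcclr:srcclr-maven-plugin:scan
}
```

A CI job can call `run_sca_scan pom.xml` with SRCCLR_API_TOKEN injected as a masked secret, which also turns a token accidentally committed to pom.xml into a failed build.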

Configure the Maven plugin

You can configure specific parameters in the Maven plugin.

If you do not specify a name, Veracode derives the display name for your project from the repository's .git information and your file system.

apiToken

Identifies you to the Veracode Platform. Required for running the plugin if you have not set the SRCCLR_API_TOKEN environment variable.

Default value: null

Example:

<apiToken>xxsdf234Sasdvcve</apiToken>

upload

Indicates whether the plugin should upload your data to the Veracode Platform. If set to false, the plugin only displays results on the console.

Default value: true

Example:

<upload>false</upload>

verbose

By default, the Maven plugin lists only vulnerable components on the command line. If set to true, the plugin displays all of the components it finds.

Default value: false

Example:

<verbose>true</verbose>