Introduction


Leidos is aware of, and working with the vendor (JFrog) on, the "400 Error" encountered when attempting to download artifacts from the UI.




The Shared Repository is implemented using Artifactory 7.  This guide will provide instructions for setting up both Maven and Gradle builds.  It will also provide some best practices for uploading artifacts.

If you have already run Maven or Gradle builds on previous projects, you may have artifacts cached on disk. If so, those files will be pulled from the local cache and the build will not attempt to pull them from Artifactory. For files pulled from local disk, you will not receive notifications of Xray scans for your project files.

This document assumes that you have Java, Maven and/or Gradle already installed on your system. If you do not have these items installed, please use your Elevated Privileges to install them.

Artifactory Login

URL: https://artifactory.devenv.leidos.com

Enter your Leidos username and credentials on the following screen:

Maven Setup and Testing

Setting up a Maven based project requires that you use the "Set Me Up" function.

Please make sure that you have selected the devenv-maven project to start.

Select Artifacts, devmvn-virtual, and then press the Set Me Up button

Enter your password, and then press the lock icon.

Patiently wait about 30 seconds until you see the following screen (or you are told your creds are invalid).

Press the Mirror Any checkbox.  Then scroll down to get to the Generate Settings button. 

Press it, and wait 30 seconds or more... be patient....  There will be NO FEEDBACK at this point until the settings are created. When you get tired of waiting, try to scroll down further on the screen to see if your settings are generated.

Once you see them, press the Download Snippet button and then save your file for use in a little bit.

Create and build a hello world project

Create the maven project

mvn archetype:generate -DgroupId=com.leidos.helloworld -DartifactId=helloworld -DarchetypeArtifactId=maven-archetype-quickstart -DarchetypeVersion=1.4 -DinteractiveMode=false

Change your working folder

cd helloworld

Copy your settings.xml file to the created project folder

cp ~/Downloads/settings.xml .
(Mac / Linux example)

Don't try to compile yet, because your settings.xml file is broken - let's fix it

You will have to insert an additional server block in the settings, because Artifactory does not seem to know what it has named things.

Copy the central server block to create the following block.

  <servers>
    <!-- existing server blocks (such as central) stay as generated -->
    <server>
      <username>YOUR USER NAME</username>
      <password>THE SAME PASSWORD AS CENTRAL</password>
      <id>devmvn-virtual</id>
    </server>
  </servers>
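Maven looks up credentials by matching each `<server>` id against the id of the repository or mirror it is contacting, which is why the extra block is needed. The following check is an added example, not part of the original guide or of Artifactory's tooling: it lists every mirror or repository id in a settings file that has no matching server entry. The sample settings content, host name and credential placeholders are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a generated settings.xml; host and credentials are placeholders.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0">
  <servers>
    <server><username>USER</username><password>ENCRYPTED</password><id>central</id></server>
    <server><username>USER</username><password>ENCRYPTED</password><id>snapshots</id></server>
  </servers>
  <mirrors>
    <mirror>
      <mirrorOf>*</mirrorOf>
      <url>https://artifactory.example.invalid/artifactory/devmvn-virtual</url>
      <id>devmvn-virtual</id>
    </mirror>
  </mirrors>
  <profiles><profile><repositories>
    <repository><id>central</id><url>https://artifactory.example.invalid/artifactory/devmvn-virtual</url></repository>
  </repositories></profile></profiles>
</settings>"""

# The same file after adding the server block for the mirror id.
FIXED_SETTINGS = SAMPLE_SETTINGS.replace(
    "</servers>",
    "  <server><username>USER</username><password>ENCRYPTED</password>"
    "<id>devmvn-virtual</id></server>\n  </servers>",
)

def _local(tag: str) -> str:
    """Strip the XML namespace so the check works whichever settings schema version is declared."""
    return tag.rsplit("}", 1)[-1]

def ids_without_server_entry(settings_xml: str) -> list[str]:
    """Return mirror/repository ids that have no <server> block with the same id."""
    server_ids, repo_ids = set(), set()
    for element in ET.fromstring(settings_xml).iter():
        kind = _local(element.tag)
        if kind not in ("server", "mirror", "repository", "pluginRepository"):
            continue
        for child in element:
            if _local(child.tag) == "id" and child.text:
                (server_ids if kind == "server" else repo_ids).add(child.text.strip())
    return sorted(repo_ids - server_ids)

if __name__ == "__main__":
    print("before fix:", ids_without_server_entry(SAMPLE_SETTINGS))
    print("after fix: ", ids_without_server_entry(FIXED_SETTINGS))
```

To check your own file, pass the text of settings.xml to `ids_without_server_entry`.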

Build using your custom settings file

mvn --settings settings.xml clean compile

This is enough to exercise pulling artifacts from Artifactory - and you may even get an email telling you that one or more of your artifacts have issues.
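If no notification arrives, the cached-artifact case described in the Introduction is worth ruling out. Maven writes a `_remote.repositories` marker next to each cached file recording the id of the repository it was downloaded from (a resolver-internal format that can change). The following is an added example, not part of the original guide: it lists cached jars with no record of having come through a given repository id. Using `devmvn-virtual` as that id is an assumption that depends on the ids in your generated settings.xml, and the sample cache is constructed.

```python
import tempfile
from pathlib import Path

def origins_of(jar: Path) -> set[str]:
    """Repository ids recorded for `jar` in the sibling _remote.repositories marker."""
    marker = jar.parent / "_remote.repositories"
    ids = set()
    if marker.is_file():
        for line in marker.read_text(encoding="utf-8", errors="replace").splitlines():
            # Entries look like "log4j-core-2.15.0.jar>central="; "#" lines are comments.
            name, sep, rest = line.strip().partition(">")
            if sep and not name.startswith("#") and name == jar.name:
                ids.add(rest.split("=", 1)[0].strip())  # "" means installed locally
    return ids

def not_fetched_via(local_repo: Path, repo_ids: set[str]) -> dict[str, set[str]]:
    """Map cached jars with no record of coming through `repo_ids` to the ids they do record."""
    findings = {}
    for jar in sorted(local_repo.rglob("*.jar")):
        ids = origins_of(jar)
        if not ids & repo_ids:
            findings[jar.relative_to(local_repo).as_posix()] = ids
    return findings

def build_sample_repo(root: Path) -> Path:
    """Constructed sample cache: one jar via devmvn-virtual, one via another id, one unmarked."""
    samples = {
        "org/apache/logging/log4j/log4j-core/2.15.0/log4j-core-2.15.0.jar": "devmvn-virtual",
        "junit/junit/4.11/junit-4.11.jar": "central",
        "com/example/legacy/1.0/legacy-1.0.jar": None,
    }
    for rel, repo_id in samples.items():
        jar = root / rel
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"")
        if repo_id is not None:
            (jar.parent / "_remote.repositories").write_text(
                f"#constructed sample\n{jar.name}>{repo_id}=\n", encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # For a real cache, pass Path.home() / ".m2" / "repository" instead.
        repo = build_sample_repo(Path(tmp))
        for rel, ids in not_fetched_via(repo, {"devmvn-virtual"}).items():
            print(rel, "recorded origin:", sorted(ids) or "none")
```

An id such as `central` in a marker does not say which server answered under that id, so treat those entries as unverified rather than as proof of an Artifactory download.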

Getting vulnerability notifications

Edit your pom.xml file and insert the following new dependency to the project:

  <dependencies>
    <!-- existing dependencies stay as generated -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.15.0</version>
    </dependency>
  </dependencies>

This dependency has a known vulnerability, and you should receive an email notification describing the issues when you rebuild the project:

mvn --settings settings.xml clean compile

Do not click on the link provided to you in email.  Apparently Artifactory does not know where it stores the Xray results.  You will have to find that manually.

Back in Xray, type in log4j-core in the search box and hit return.  Then click on log4j-core-2.15.0.jar.

Then click on the Xray tab to see the issues:

Gradle Setup and Testing

Create the gradle project

mkdir helloworld-gradle
cd helloworld-gradle
gradle

Create a gradle.properties file

Using values from the maven.settings file created using Set Me Up, create a file called gradle.properties:

artifactory_user=YOUR USER NAME
artifactory_password=YOUR ENCRYPTED PASSWORD - SAME ONE FROM CENTRAL
artifactory_contextUrl=https://artifactory.devnet.sdodev.leidos.com/artifactory/devnet-maven-remote

Create a gradle wrapper file

gradle -version

------------------------------------------------------------
Gradle 6.7
------------------------------------------------------------
...

gradle wrapper --gradle-version USE VERSION ABOVE 

Create a build.gradle file

group 'com.leidos'
version '0.1.0'

repositories {
    maven {
        url "${artifactory_contextUrl}"
        credentials {
            username = "${artifactory_user}"
            password = "${artifactory_password}"
        }
    }
}

allprojects {
    apply plugin: 'java'
}

sourceCompatibility = 1.8
targetCompatibility = 1.8

dependencies {
}

From a gradle 7.3.3 user:

Note: I am using gradle 7.3.3

This may have been covered already, so sorry for duplicate information, but in order to follow the gradle build instructions for the gradle wrapper (gradlew), I needed to create the build.gradle file first, then I needed to import the Leidos Cloud PKI Root CA and Leidos Perimeter FW CA into my keystore using administrator privileges.

Without importing the certificates, the gradle wrapper would fail to download gradle with "Exception in thread "main" javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

I needed to modify the step for adding the log4j dependency:

  • "implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.15.0'" instead of "compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.15.0'"

I believe that is because gradle 7 introduced new configurations that removed compile.

Create a java Helloworld class

mkdir -p src/main/java/com/leidos/helloworld
vi src/main/java/com/leidos/helloworld/Helloworld.java

package com.leidos.helloworld;

public class Helloworld {

  public static void main(String... args) {
    System.out.println("hello world");
  }
}

Compile the program

./gradlew clean jar
  or
./gradlew.bat clean jar

Getting vulnerability notifications

Edit your build.gradle file and insert the following new dependency to the project:

dependencies {
  // On Gradle 7 and later the 'compile' configuration no longer exists; use 'implementation' there.
  compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.15.0'
}

This dependency has a known vulnerability, and you should receive an email notification describing the issues when you rebuild the project:

./gradlew clean jar
  or
./gradlew.bat clean jar

See Maven build section for instructions on locating files in Artifactory and looking at Xray findings.

Artifact Upload

For this iteration of testing, there is only one shared folder for uploading artifacts.  In order to keep things organized, please put your artifacts under a path that matches your username.  You will see that in the following example using kingc.

In production Artifactory, the project names are different: devmvn vice devenv-test!


Select the Developer Enabled Environment project, the devnet-test repo, and then press the Deploy button.

This is an example of doing a single file upload.  Type in the name of your artifact including the path.  Then drag/drop or browse for a file.  Then press the Deploy button.

You can then find your deployed artifact under the devenv-maven repository.