This document provides an overview and agenda for a presentation on using Maven with AWS services such as CodeCommit, CodeArtifact and ECR. It covers Maven concepts (folder layout, POMs, lifecycles, plugins and goals), setting up projects against these AWS services, performing Maven releases, and best practices. Examples include a Hello World build, generating a software bill of materials and using the services together.
Maven Zero to Hero with AWS CodeCommit, CodeArtifact, ECR, OWASP Dependency Track
1. Maven Zero to Hero with
AWS CodeCommit,
CodeArtifact, ECR,
OWASP Dependency Track
Ravi Soni
linkedin.com/in/rvsoni/
2. Agenda
❖ History of build systems
❖ Overview of Maven
❖ Internal workings of Maven (GAV, phases, goals, plugins, packaging, profiles)
❖ Maven repository (m2 repo)
❖ Setup and running Maven Hello World
❖ Overview of AWS CodeCommit, CodeArtifact, ECR
❖ Setup of AWS CodeCommit, CodeArtifact, ECR and use with Maven
❖ Maven release process with AWS CodeCommit, CodeArtifact, ECR
❖ Cool things I have built using Maven
❖ Overview of some important Maven plugins
❖ Best practices for using Maven
❖ Q/A
3. History of Build System
● Initial concepts derived from a Make build system used on Solaris/Unix
● Birth of Ant build tool
● Birth of Maven build tool
4. Maven Overview
● Started as a side project of Apache Turbine
● Standardizes how software is built and how dependencies are managed
● Plugin based system
● Introduced GAV coordinates for dependency management
● Folder structure
● Introduction of build lifecycle
10. Maven Packaging
● Supports various packaging types
○ EJB, EJB3, JAR, EAR, PAR, RAR, WAR, POM, maven-plugin
○ Custom packaging types, e.g. hpi (Jenkins plugin)
● Default packaging type is JAR
● The packaging type determines which plugin goals are bound to the lifecycle phases by default
11. Maven Phase
● A Maven lifecycle is an ordered sequence of phases
● Each phase has plugin goals bound to it
● The packaging type determines the default goal bindings for the phases
● Phases named with hyphenated words (pre-*, post-*, process-*) are normally not invoked directly from the command line
12. Maven Plugins and Goals
● Plugins are the heart of the Maven build system
● Each plugin provides one or more goals
● A goal runs as part of the build when it is bound to a phase (it can also be invoked directly as plugin:goal)
● Many plugin goals declare a default phase binding
13. Maven Dependency and BOM
● Dependency management is a core feature of Maven
● Direct and transitive dependencies
● Dependency scopes (compile, provided, runtime, test, system, import)
● Bill of Materials (BOM)
○ A POM whose dependencyManagement section fixes the versions of a set of dependencies, imported with scope import
○ Best way to keep dependency versions consistent across different projects
14. Maven Profiles
● A set of Maven configuration
● Can be activated on demand or automatically
● Helps to modularize the Maven build process
● Defined in
○ Per Project (pom.xml)
○ Per User (%USER_HOME%/.m2/settings.xml)
○ Per Global (${maven.home}/conf/settings.xml)
15. Maven Repository
● Central place to store and retrieve dependency and plugin artifacts
● Artifacts are categorized as snapshot or release
● Local repository (~/.m2/repository)
● Remote repository (Maven Central, https://repo.maven.apache.org)
● Third-party repository manager / proxy software
○ Sonatype Nexus
○ JFrog Artifactory
○ AWS CodeArtifact
17. AWS CodeCommit
● A hosted Git repository service provided by AWS
● Access control through AWS IAM
● Easy to integrate with other AWS services
18. AWS CodeArtifact
● A hosted artifact repository service provided by AWS
● Supports Maven, npm, PyPI, ...
● Access control through AWS IAM
● Easy to integrate with other AWS services
● Secure package access from within a VPC (VPC endpoint via AWS PrivateLink)
19. AWS ECR
● A hosted container registry service provided by AWS
● Access control through AWS IAM
● Easy to integrate with other AWS services
● Pull-through cache repositories
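Wiring the three services into a Maven build, as an added example that is not part of the slides: a CI bootstrap script that fetches a short-lived CodeArtifact token into an environment variable, writes a settings.xml that references that token only through ${env.…} (so the secret never lands on disk or in git), routes all dependency and plugin resolution through CodeArtifact with a mirror, and logs Docker into ECR and Git into CodeCommit with IAM credentials. The domain my-domain, account id 111122223333, region us-east-1, repository my-repo and the server id codeartifact are placeholder assumptions.

```bash
#!/usr/bin/env bash
set -eu
# Added example, not from the slides. Placeholders (assumptions):
DOMAIN=${DOMAIN:-my-domain}
ACCOUNT=${ACCOUNT:-111122223333}
REGION=${REGION:-us-east-1}
REPO=${REPO:-my-repo}

# 1. Short-lived token (default lifetime 12h; cap it to the length of the CI
#    job). Exported into the environment, never written into settings.xml.
fetch_codeartifact_token() {
  CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \
      --domain "$DOMAIN" --domain-owner "$ACCOUNT" --region "$REGION" \
      --duration-seconds 1800 --query authorizationToken --output text)
  export CODEARTIFACT_AUTH_TOKEN
}

# 2. settings.xml: credentials resolved from the environment at run time, a
#    <mirror> with mirrorOf=* so every repository (including ones declared in
#    third-party POMs) resolves through CodeArtifact, and a profile pointing
#    <repository>/<pluginRepository> at the same endpoint. The CodeArtifact
#    repository needs an upstream/external connection to Maven Central.
#    The <server> id must equal the mirror/repository id: Maven matches
#    credentials by id.
write_codeartifact_settings() {
  out=$1
  url="https://${DOMAIN}-${ACCOUNT}.d.codeartifact.${REGION}.amazonaws.com/maven/${REPO}/"
  cat >"$out" <<EOF
<settings>
  <servers>
    <server>
      <id>codeartifact</id>
      <username>aws</username>
      <password>\${env.CODEARTIFACT_AUTH_TOKEN}</password>
    </server>
  </servers>
  <mirrors>
    <mirror><id>codeartifact</id><mirrorOf>*</mirrorOf><url>${url}</url></mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>codeartifact</id>
      <repositories>
        <repository><id>codeartifact</id><url>${url}</url></repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository><id>codeartifact</id><url>${url}</url></pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles><activeProfile>codeartifact</activeProfile></activeProfiles>
</settings>
EOF
}

# 3. Guard: every <password> in a settings.xml must be an ${env.NAME}
#    reference. A literal token or access key in the file is rejected.
#    Returns 1 on a finding.
settings_has_no_literal_secret() {
  if grep -o '<password>[^<]*</password>' "$1" |
     grep -Evq '^<password>\$\{env\.[A-Za-z0-9_]+\}</password>$'; then
    echo "literal credential in $1" >&2
    return 1
  fi
  return 0
}

# 4. ECR: the registry password is piped on stdin, not placed in argv where
#    `ps` and shell history would show it.
ecr_login() {
  aws ecr get-login-password --region "$REGION" |
    docker login --username AWS --password-stdin \
      "${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com"
}

# 5. CodeCommit over HTTPS with the AWS credential helper: IAM credentials
#    are used directly, no static Git credentials or SSH keys to rotate.
configure_codecommit_git() {
  git config --global credential.helper '!aws codecommit credential-helper $@'
  git config --global credential.UseHttpPath true
}

# Usage: BOOTSTRAP=1 ./bootstrap.sh   (runs the real AWS/Maven commands)
if [ "${BOOTSTRAP:-}" = 1 ]; then
  fetch_codeartifact_token
  write_codeartifact_settings "$HOME/.m2/settings.xml"
  settings_has_no_literal_secret "$HOME/.m2/settings.xml"
  configure_codecommit_git
  ecr_login
  mvn -B -s "$HOME/.m2/settings.xml" verify
fi
```

The mirrorOf=* entry is the supply-chain control here: with it, a build cannot be pointed at an arbitrary repository by a dependency's POM, and the one allowed ingress (CodeArtifact, optionally reachable only via a VPC endpoint) is where package policy is enforced.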
21. Maven Release process
● Overview of the release process
● Maven release process tasks
○ Verify the project is ready for release (e.g. no SNAPSHOT dependencies, clean working tree)
○ Tag the code in SCM
○ Bump versions (drop -SNAPSHOT for the release)
○ Build the project from the tag
○ Deploy the release artifacts to the repository
○ Prepare for the next development version
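The tasks above run through maven-release-plugin. The script below, an added example and not the slides' own code, performs the readiness checks first (so a failure surfaces before any tag is pushed) and then runs the release for a project whose <scm> points at CodeCommit and whose <distributionManagement> points at CodeArtifact (through the server id in settings.xml). The repository name my-repo, the region us-east-1 and the sample POM are constructed for the example.

```bash
#!/usr/bin/env bash
set -eu
# Added example, not from the slides.

# List every SNAPSHOT version that sits inside <parent>, <dependency> or
# <plugin>. The project's own top-level <version> is expected to still be a
# SNAPSHOT at this point (release:prepare rewrites it), so it is deliberately
# not reported. release:prepare itself refuses SNAPSHOT references, but this
# check gives one clear report up front.
pom_snapshot_refs() {
  awk '
    /<(parent|dependency|plugin)>/ { depth++ }
    depth > 0 && /<version>[^<]*-SNAPSHOT<\/version>/ { print FILENAME ":" NR ":" $0 }
    /<\/(parent|dependency|plugin)>/ { depth-- }
  ' "$1"
}

pom_has_no_snapshots() {
  refs=$(pom_snapshot_refs "$1")
  [ -z "$refs" ] && return 0
  printf 'unreleased SNAPSHOT references in %s:\n%s\n' "$1" "$refs" >&2
  return 1
}

# release:prepare tags and pushes through <scm>; refuse to start without it.
pom_has_scm() {
  grep -q '<developerConnection>scm:git:' "$1"
}

# Git authenticates to CodeCommit with IAM via the AWS credential helper
# (one-time setup):
#   git config --global credential.helper '!aws codecommit credential-helper $@'
#   git config --global credential.UseHttpPath true
run_release() {
  pom=$1; release_version=$2; next_version=$3
  pom_has_no_snapshots "$pom"
  pom_has_scm "$pom"
  [ -z "$(git status --porcelain)" ] || { echo 'working tree not clean' >&2; return 1; }
  # -B: batch mode, the build never prompts. Versions and tag are passed
  # explicitly so the CI job is reproducible. release:perform checks out the
  # tag and runs deploy, which publishes to <distributionManagement>.
  mvn -B -f "$pom" release:clean release:prepare release:perform \
      -DreleaseVersion="$release_version" \
      -DdevelopmentVersion="$next_version" \
      -Dtag="v$release_version"
}

# Constructed sample POM for exercising the checks offline: a SNAPSHOT
# parent and one SNAPSHOT dependency, both of which must block a release.
write_release_sample_pom() {
  cat >"$1" <<'EOF'
<project>
  <parent>
    <groupId>com.example</groupId><artifactId>parent</artifactId>
    <version>2.0.0-SNAPSHOT</version>
  </parent>
  <artifactId>app</artifactId>
  <version>1.4.0-SNAPSHOT</version>
  <scm>
    <developerConnection>scm:git:https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo</developerConnection>
    <tag>HEAD</tag>
  </scm>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId><artifactId>lib</artifactId><version>3.1.0-SNAPSHOT</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>other</artifactId><version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
EOF
}

# Usage: RUN_RELEASE=1 ./release.sh pom.xml 1.4.0 1.5.0-SNAPSHOT
if [ "${RUN_RELEASE:-}" = 1 ]; then
  run_release "$1" "$2" "$3"
fi
```

Run the checks on a branch with CI before granting the job the IAM permissions that allow pushing tags to CodeCommit and publishing to CodeArtifact; the release job is the one place in the pipeline that needs both.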
23. Cool things I have build using Maven
● Count total lines of code
○ github.com/AlDanial/cloc
● Software bill of materials generation
○ CycloneDX (SBOM format)
● Dependency-Track integration
○ Continuous vulnerability scanning and alerting
○ Visibility into software supply chain attacks
○ Open source license management with SPDX identifiers
● License Finder integration
○ github.com/pivotal/LicenseFinder
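The SBOM generation and Dependency-Track integration above, as an added example that is not the slides' own code: generate an aggregate CycloneDX BOM with cyclonedx-maven-plugin, sanity-check it, and upload it to Dependency-Track's /api/v1/bom endpoint. Assumptions: the Dependency-Track base URL is in DTRACK_URL, the API key in DTRACK_API_KEY, the plugin version is pinned to 2.7.9 (update it in your build), the BOM is written to target/bom.json, and the sample BOM is constructed for the offline checks.

```bash
#!/usr/bin/env bash
set -eu
# Added example, not from the slides.

# Generate an aggregate CycloneDX SBOM for the whole reactor. Invoking the
# goal directly (plugin:goal) runs it outside the lifecycle; binding the same
# goal to the package phase in the POM makes every build produce it.
generate_sbom() {
  mvn -B org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom \
      -DoutputFormat=json -DoutputName=bom
}

# Number of components carrying a package URL.
sbom_purl_count() {
  grep -o '"purl" *: *"pkg:[^"]*"' "$1" | wc -l | tr -d ' '
}

# Sanity checks before upload: right format, a spec version, and at least
# one component with a purl. Dependency-Track matches vulnerabilities on
# purls, so a BOM without them uploads fine but finds nothing.
sbom_looks_valid() {
  f=$1
  grep -q '"bomFormat" *: *"CycloneDX"' "$f" || { echo "$f: not CycloneDX" >&2; return 1; }
  grep -q '"specVersion"' "$f" || { echo "$f: no specVersion" >&2; return 1; }
  [ "$(sbom_purl_count "$f")" -gt 0 ] || { echo "$f: no component purls" >&2; return 1; }
}

# Upload: multipart POST to /api/v1/bom. The API key is written to a 0600
# header file read by curl (-H @file) instead of being passed on the command
# line, where `ps` and shell history would show it. autoCreate=true lets the
# first upload create the project (the key needs PROJECT_CREATION_UPLOAD in
# addition to BOM_UPLOAD). The response carries a token that can be polled
# at /api/v1/bom/token/{token} until processing has finished.
upload_sbom() {
  f=$1; name=$2; version=$3
  sbom_looks_valid "$f"
  hdr=$(mktemp); chmod 600 "$hdr"
  printf 'X-Api-Key: %s\n' "$DTRACK_API_KEY" >"$hdr"
  status=0
  curl -sS -f -X POST "$DTRACK_URL/api/v1/bom" -H "@$hdr" \
      -F "projectName=$name" -F "projectVersion=$version" \
      -F "autoCreate=true" -F "bom=@$f" || status=$?
  rm -f "$hdr"
  return $status
}

# Constructed minimal SBOM for exercising the checks offline.
write_sample_sbom() {
  cat >"$1" <<'EOF'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    { "type": "library", "group": "com.example", "name": "lib-a", "version": "1.2.0",
      "purl": "pkg:maven/com.example/lib-a@1.2.0",
      "licenses": [ { "license": { "id": "Apache-2.0" } } ] },
    { "type": "library", "group": "com.example", "name": "lib-b", "version": "0.9.1",
      "purl": "pkg:maven/com.example/lib-b@0.9.1",
      "licenses": [ { "license": { "id": "MIT" } } ] }
  ]
}
EOF
}

# Usage: DTRACK_URL=https://dtrack.example.com DTRACK_API_KEY=... RUN_SBOM=1 ./sbom.sh my-app 1.4.0
if [ "${RUN_SBOM:-}" = 1 ]; then
  generate_sbom
  upload_sbom target/bom.json "$1" "$2"
fi
```

Upload one BOM per project version on every build, not only at release time: Dependency-Track re-evaluates stored BOMs as new vulnerability data arrives, which is what turns a one-off scan into continuous alerting.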
26. Maven Best practices
● Keep dependency management separate from build lifecycle configuration
● Make more use of dependency BOMs
● Use a parent POM
● Put dependencyManagement in the parent POM of a multi-module project
● Always pin plugin versions
● Make use of profiles
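Two of these practices can be checked mechanically. The script below, an added example and not the slides' own code, reports plugins declared without a version (an unpinned plugin resolves to whatever the newest release is at build time, so the build is neither reproducible nor reviewed) and dependencies in a module POM that carry their own version instead of inheriting it from the parent's dependencyManagement. The sample POM is constructed for the example.

```bash
#!/usr/bin/env bash
set -eu
# Added example, not from the slides. Both lints are line-oriented and meant
# for a quick CI gate; the Enforcer plugin is the authoritative check.

# Print the artifactId of every <plugin> with no <version>.
unversioned_plugins() {
  awk '
    /<plugin>/ { inplugin=1; artifact=""; hasver=0 }
    inplugin && match($0, /<artifactId>[^<]*<\/artifactId>/) {
      artifact = substr($0, RSTART+12, RLENGTH-25)   # strip the tags
    }
    inplugin && /<version>/ { hasver=1 }
    /<\/plugin>/ { if (!hasver) print artifact; inplugin=0 }
  ' "$1"
}

# Print the artifactId of every <dependency> that declares a <version>
# outside <dependencyManagement> (and outside plugin dependency lists,
# which do need versions).
versioned_deps_outside_management() {
  awk '
    /<dependencyManagement>/  { mgmt=1 }
    /<\/dependencyManagement>/ { mgmt=0 }
    /<plugin>/                { plug=1 }
    /<\/plugin>/              { plug=0 }
    !mgmt && !plug && /<dependency>/ { indep=1; artifact=""; hasver=0 }
    indep && match($0, /<artifactId>[^<]*<\/artifactId>/) {
      artifact = substr($0, RSTART+12, RLENGTH-25)
    }
    indep && /<version>/ { hasver=1 }
    /<\/dependency>/ { if (indep && hasver) print artifact; indep=0 }
  ' "$1"
}

# Non-zero if either lint reports anything; suitable as a CI step.
lint_pom() {
  bad=0
  p=$(unversioned_plugins "$1")
  [ -z "$p" ] || { printf 'plugins without a pinned version:\n%s\n' "$p" >&2; bad=1; }
  d=$(versioned_deps_outside_management "$1")
  [ -z "$d" ] || { printf 'dependencies not managed by the parent:\n%s\n' "$d" >&2; bad=1; }
  return $bad
}

# Constructed sample POM: one BOM import, one managed dependency, one
# dependency with its own version, one pinned and one unpinned plugin.
write_lint_sample_pom() {
  cat >"$1" <<'EOF'
<project>
  <groupId>com.example</groupId><artifactId>app</artifactId><version>1.0.0</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId><artifactId>platform-bom</artifactId>
        <version>2.0.0</version><type>pom</type><scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>lib-a</artifactId></dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>lib-b</artifactId><version>0.9.1</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId><version>3.11.0</version></plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-surefire-plugin</artifactId>
      </plugin>
    </plugins>
  </build>
</project>
EOF
}

# Usage: ./lint-pom.sh pom.xml
if [ "${LINT_POM:-}" = 1 ]; then
  lint_pom "$1"
fi
```

Inside the build itself, maven-enforcer-plugin's requirePluginVersions and requireReleaseDeps rules cover the same ground (and requireUpperBoundDeps catches transitive version conflicts); bind its enforce goal to the validate phase in the parent POM so every module is checked before anything compiles.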