From ebc7157030f01f5c5dac171a2a6598ab690f72d0 Mon Sep 17 00:00:00 2001
From: Navaneeth Mysore Govindarajan
Date: Tue, 13 Feb 2024 13:36:25 -0500
Subject: [PATCH] Review
---
 pom.xml | 39 +++++++++++----------------------------
 readme.md | 9 +++++----
 2 files changed, 16 insertions(+), 32 deletions(-)
diff --git a/pom.xml b/pom.xml
index e472e2605..1ab4d96ac 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,6 @@
 http://ec2-107-23-150-171.compute-1.amazonaws.com:8070/ ec2-107-23-150-171.compute-1.amazonaws.com stage-release - false 17
@@ -149,28 +148,6 @@
 - - - org.apache.maven.plugins - maven-dependency-plugin - - - dependency-copy-dependencies - generate-resources - - copy-dependencies - - - ${project.build.directory}/lib - false - compile - - - - - com.sonatype.clm
@@ -179,13 +156,19 @@
 ${artifactId} stage-release - true - package + sonatype-prepare + test-compile + + evaluate + + + + sonatype-reevaluate-after-run + prepare-package - index evaluate
@@ -211,8 +194,8 @@
 -Dsonatype.runtime.agent.iq.protocol=http
 -Dsonatype.runtime.agent.iq.host=ec2-107-23-150-171.compute-1.amazonaws.com
 -Dsonatype.runtime.agent.iq.port=8070
- -Dsonatype.runtime.agent.iq.user=IQ_USER
- -Dsonatype.runtime.agent.iq.password=IQ_PASSWORD
+ -Dsonatype.runtime.agent.iq.user=${env.IQ_USER}
+ -Dsonatype.runtime.agent.iq.password=${env.IQ_PASSWORD}
 -Dsonatype.runtime.agent.iq.applicationId=spring-petclinic-runtime-agent
 -Dsonatype.runtime.agent.isIqApplicationIdPublic=true
 -Dsonatype.runtime.agent.blockedRunOnStartup=true
diff --git a/readme.md b/readme.md
index 3f49a71a2..bfd6ff3ee 100644
--- a/readme.md
+++ b/readme.md
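Review bot: In the pom.xml hunk at `@@ -211,8 +194,8 @@`, the IQ password is still passed to the JVM as a `-D` system property and, per the unchanged `-Dsonatype.runtime.agent.iq.protocol=http` line, sent to the EC2 host over plain HTTP; `${env.IQ_PASSWORD}` keeps the value out of the repository, but not off the process command line, out of build logs that echo the forked JVM's arguments, or off the network. If the IQ server offers TLS, change that context line to `-Dsonatype.runtime.agent.iq.protocol=https` (with the matching port), and authenticate with a dedicated low-privilege IQ user token rather than a personal password. Maven leaves an undefined `${env.…}` reference unexpanded, so a comment such as `<!-- IQ_USER and IQ_PASSWORD must be set in the environment before running the tests -->` above these arguments would document the requirement. The same exposure applies to the `java -javaagent` command in readme.md's `@@ -31,8 +32,8 @@` hunk; the element enclosing these arguments starts and ends outside the hunk.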
@@ -14,7 +14,8 @@ Spring Petclinic is a [Spring Boot](https://spring.io/guides/gs/spring-boot) app
 git clone https://github.com/spring-projects/spring-petclinic.git
 cd spring-petclinic
-# This runs the integration tests which invoke vulnerable methods and the runtime labels set in IQ on:
+# This runs the integration tests which will invoke some vulnerable methods as part of tests coverage and the
+# runtime labels set in IQ on:
 # - ch.qos.logback : logback-core : 1.4.11
 # - ch.qos.logback : logback-classic : 1.4.11
 # - org.springframework : spring-core : 6.1.1
@@ -22,7 +23,7 @@ cd spring-petclinic
 # Note: Change the path the runtime-agent-1.0.7.jar as necessary
 # After starting the app, by navigating to http://localhost:8080/vets.html invokes vulnerable method call.
-# This will log the method call and set the runtime labels in IQ.
+# This will log additional vulnerable method calls that were not covered by unit tests and sets the runtime labels in IQ.
 # If the label is already set due to integration tests, it will log as such.
 # If needed, the labels can be deleted manually in IQ before starting the app.
 java -javaagent:../runtime-agent-1.0.7.jar \
@@ -31,8 +32,8 @@ java -javaagent:../runtime-agent-1.0.7.jar \
 -Dsonatype.runtime.agent.iq.protocol=http \
 -Dsonatype.runtime.agent.iq.host=ec2-107-23-150-171.compute-1.amazonaws.com \
 -Dsonatype.runtime.agent.iq.port=8070 \
- -Dsonatype.runtime.agent.iq.user=IQ_USER \
- -Dsonatype.runtime.agent.iq.password=IQ_PASSWORD \
+ -Dsonatype.runtime.agent.iq.user=${IQ_USER} \
+ -Dsonatype.runtime.agent.iq.password=${IQ_PASSWORD} \
 -Dsonatype.runtime.agent.iq.applicationId=spring-petclinic-runtime-agent \
 -Dsonatype.runtime.agent.isIqApplicationIdPublic=true \
 -Dsonatype.runtime.agent.blockedRunOnStartup=true \