phylum-dev / cli

Command line interface for the Phylum API
https://phylum.io
GNU General Public License v3.0

Allow execution for apt-installed `maven` #1445

Closed maxrake closed 3 weeks ago

maxrake commented 3 weeks ago

When Maven is installed on Debian-based systems via apt, it gets installed in /usr/share/maven, which is not included in the current sandbox exceptions. This patch allows execution there so that it will work... hopefully.

If it still doesn't, there is a procedure for determining the complete set of exceptions needed...

Procedure for finding required exceptions

I was holding off on submitting this PR because I wanted to use the find-permissions extension in the phylumio/phylum-ci Docker image first...to confirm there aren't any other exceptions needed for an apt install maven environment. I couldn't get it to work since Docker blocks access to the / root directory for mounting.

The best scenario is having the user run the extension for us, in their environment. The general documentation on this process is here, but here is a custom summary of the steps to do so:

  1. Install the find-permissions extension. The instructions can be further simplified if they don't want to clone the repo...they just need to download/copy the PhylumExt.toml manifest and main.ts files into a directory and install that directory as an extension:
# Create a directory to hold the extension code
mkdir find-permissions
# Download the extension manifest file
curl --proto '=https' --tlsv1.2 -sSfL -o find-permissions/PhylumExt.toml https://raw.githubusercontent.com/phylum-dev/cli/main/extensions/find-permissions/PhylumExt.toml
# Download the extension code
curl --proto '=https' --tlsv1.2 -sSfL -o find-permissions/main.ts https://raw.githubusercontent.com/phylum-dev/cli/main/extensions/find-permissions/main.ts
# Install the extension
phylum extension install --yes ./find-permissions
  2. Create a script (named whatever...I'll call it perm_check.sh) and ensure it is executable. It should contain the lockfile generation command that Phylum uses internally, like this:
#!/usr/bin/bash
# Make sure the shebang line above has the correct path to the active shell

mvn help:effective-pom -Doutput=effective-pom.xml
  3. Run the extension from the same directory as the pom.xml file:
phylum find-permissions --read --write --bin ./perm_check.sh
  4. Capture the output and provide it to Phylum engineers. If the extension/script does not run to completion, it may be necessary to identify where it stopped and add entries for those locations (assuming they are trusted):
phylum find-permissions --read --write --allow-read dir1 --allow-write dir2 --bin ./perm_check.sh
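The four steps above as one script, an added example that is not part of PR #1445 or the phylum CLI. It uses only the phylum commands and flags shown in the PR (`phylum extension install --yes`, `phylum find-permissions --read --write --allow-read ... --allow-write ... --bin ...`) and the same `mvn help:effective-pom` command; the function names, the `run` argument, the file name `find_maven_perms.sh` and the assumption that directory paths contain no spaces are mine. It also resolves `mvn` through its symlinks before anything else, because the sandbox exception has to name the real install directory, which for an apt install should come out as the /usr/share/maven path this PR adds.

```shell
#!/bin/sh
# Added example, not code from PR #1445 or the phylum CLI.
# Automates the find-permissions procedure for an apt-installed Maven:
#   sh find_maven_perms.sh run                        # first pass
#   sh find_maven_perms.sh run /usr/share/maven ~/.m2  # re-run with extra trusted dirs
# Run it from the directory that holds pom.xml. Assumes curl, readlink -f
# (GNU coreutils) and the phylum CLI are installed; paths contain no spaces.
set -eu

EXT_DIR="find-permissions"
EXT_BASE="https://raw.githubusercontent.com/phylum-dev/cli/main/extensions/find-permissions"

# Report where mvn really lives: apt puts a symlink on PATH and the actual
# installation under /usr/share/maven, and the sandbox exception must name
# the real path, not the symlink.
resolve_maven_home() {
    mvn_bin=$(command -v mvn) || { echo "mvn is not on PATH" >&2; return 1; }
    mvn_bin=$(readlink -f "$mvn_bin")      # follow /usr/bin/mvn -> .../bin/mvn
    dirname "$(dirname "$mvn_bin")"        # strip bin/mvn to get the install dir
}

# Step 1: install the extension from its two files, no clone needed.
install_extension() {
    mkdir -p "$EXT_DIR"
    curl --proto '=https' --tlsv1.2 -sSfL -o "$EXT_DIR/PhylumExt.toml" "$EXT_BASE/PhylumExt.toml"
    curl --proto '=https' --tlsv1.2 -sSfL -o "$EXT_DIR/main.ts" "$EXT_BASE/main.ts"
    phylum extension install --yes "./$EXT_DIR"
}

# Step 2: write perm_check.sh with the lockfile-generation command Phylum runs
# internally. The shebang is taken from the shell actually present on this
# system, so it cannot silently point at a path that does not exist here.
write_perm_check() {
    out=$1
    shell_path=$(command -v bash || command -v sh)
    printf '#!%s\nset -e\nmvn help:effective-pom -Doutput=effective-pom.xml\n' "$shell_path" > "$out"
    chmod +x "$out"
}

# Steps 3 and 4: assemble the find-permissions command line. Extra trusted
# directories (space-separated lists) become --allow-read / --allow-write so
# a run that stopped early can be repeated with the locations it got stuck on.
build_find_permissions_cmd() {
    script=$1; read_dirs=${2:-}; write_dirs=${3:-}
    cmd="phylum find-permissions --read --write"
    for d in $read_dirs;  do cmd="$cmd --allow-read $d";  done
    for d in $write_dirs; do cmd="$cmd --allow-write $d"; done
    printf '%s --bin %s\n' "$cmd" "$script"
}

main() {
    maven_home=$(resolve_maven_home)
    echo "Maven install dir: $maven_home"
    install_extension
    write_perm_check ./perm_check.sh
    cmd=$(build_find_permissions_cmd ./perm_check.sh "${1:-}" "${2:-}")
    echo "+ $cmd"
    eval "$cmd"   # capture this output for the Phylum engineers
}

# Only run the full procedure when explicitly asked, so the functions above
# can be sourced or tested without touching the network or the sandbox.
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

Each re-run after a stop adds the directories it stalled on, so the final command line is itself the list of exceptions to hand over; only add paths you actually trust, since every `--allow-*` widens what the sandboxed Maven run may touch.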