PlantUML supports sprites to be used in diagrams.
A sprite is text encoded monochrome graphic we can reference using the syntax <$spriteName>.
The sprite is defined using hexadecimal values.
We can define a set of hexadecimal values to create our sprite, but we can also generate the correct values from for example a PNG image.
We start with a simple example where we create a small triangle using hexadecimal values:
In a previous post we learned how to use a together block to keep elements together.
We can also layout elements in a different way: using hidden lines.
We define our elements and by using the keyword [hidden] in our line definition the elements are layout as if there was a line, but we don’t see it.
This gives us great flexibility on how we layout our elements.
In the following sample we first have a PlantUML definition where we rely on the default layout:
We have a lot of ways to customize our PlantUML diagrams. We can change the colors and we can even set gradients as color. A gradient has two colors and a direction. The direction of the gradient is set by the separator between the two colors. We can use the following separators to set the gradient direction:
/: direction top left to bottom right
\: direction bottom left to top right
|: direction left to right
-: direction top to bottom
An SQL injection attack consists of insertion or "injection" of a malicious data via the SQL query input from the client to the application. In our example project we have a small Spring Boot based blog application. This application exposes an endpoint to fetch blog articles based on the author:
When we call the endpoint, we will receive:
If a class implements the Closeable interface Groovy adds the withCloseable method to the class.
The withCloseable method has a closure as argument.
The code in the closure is executed and then the implementation of the close method of the Closeable interface is invoked.
The Closeable object is passed as argument to the closure, so we can refer to it inside the closure.
In the following example we have two objects that implement the Closeable interface.
By using withCloseable we know for sure the close method is invoked after all the code in the closure is executed:
When we define a list in Asciidoctor we usually have a list item that is a paragraph.
But if we want to have a block as list item we need to add an extra element to make sure the block is parsed correctly as list item.
Because a list item starts with a . or a * at the beginning of a line and a block also is defined on the beginning of the line, we must add the extra element.
Together with the list item continuation (+) we can have a list with blocks.
In the following example we define a numbered list with three listing blocks:
PlantUML has some features that come from the underlying software to create diagrams.
Graphviz is used by PlantUML and we can use Graphviz features in our PlantUML diagrams.
For example we can align multi-line text of labels to be either center (default), left or right aligned using a Graphviz feature.
When we want to text to be center aligned we simply use the new-line character \n.
If we want to have our text left aligned we use \l instead of \n.
And to right align the text we use \r.
In the following example we have three labels that are center, left and right aligned:
Normally if we type an URL in Asciidoctor that starts with a scheme Asciidoctor knows about, the URL is turned into a hyperlink. The following schemes are recognized by Asciidoctor:
http
https
ftp
irc
mailto
Modern applications development is a mix of custom code and many pieces of open source. The developer is normally very knowledgeable about their custom code but less familiar with the potential risk of the libraries/components they use. A study from Black Duck which covers more than 200 applications shows that 95% of the projects use open source libraries (see open source security analysis). Important side note is we only use a fraction of all the libraries imported into a project. Last couple of months some critical issues were found in Struts 2 which enabled attackers to perform a remote-code-execution through a malicious content-type. One way to track whether you are using vulnerable components is to use the OWASP Dependency-Check. This tool uses the National Vulnerability Database to search components for well known published vulnerabilities.
Let’s take a look at the well known Spring Pet Clinic project and integrate OWASP Dependency-Check, first we add the following plugin to the Maven pom.xml:
The plugin supports all kind of configuration items, in this example our build will fail if the Common Vulnerability Scoring System (CVSS) score if above 8.
CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization, respectively.
If we run Dependency-Check the build will fail due to:
If we look at the report we will see the mysql connector has more than 400 CVEs and the build fails due to the CVSS score above 8 (in this case there is even a CVE with CVSS score 10). Based on this score this library should be replaced with a more up-to-date version. Because Dependency-Check offers many ways to integrate into your build pipeline it is easy to get it up-and-running. It is also possible to integrate with Sonar which makes it even more visible to your team.
From time to time you only want to run one test, one test method, one class or one package from the command-line. Or on the contrary: you want to exclude / ignore one specific test or group of tests during the build cycle. Excluding tests from the build cycle by the command line usually occurs when the following scenarios meet:
A test requires significant amount of resources (time, memory, disk space, etc.)
The run needs to be independent from the IDE (to reenact the Continuous Integration / Continuous Delivery pipeline) as some IDEs load test-dependencies on the compile-time class-path.
You have no or limited ability to change the code-base
