Deploying ZAP’s Java client API to the Central Repository


Thiago Porciúncula

Nov 6, 2015, 4:18:18 PM
to OWASP ZAP Developer Group
Hi,

Is there any specific reason for us not to publish ZAP’s Java client API to the Maven Central Repository (apart from it being automatically generated and a non-Maven project)?

It is a little bit painful for Maven users to work with ZAP’s Java API. But what concerns me more is this: let’s say a great project is developed from the Java API. Since the API isn’t deployed in a public repository, this great project won’t be able to be deployed as well (or will, but it will be way more complicated than it could be).

If we could generate the API and then throw the generated files in a separate Maven project, I believe we’d be able to deploy it and keep an up to date public artifact with little to no effort. I might be wrong, though :)

I took the liberty to start such a project here. I put there all the classes from org.zaproxy.clientapi.* packages and added the dependencies to JDOM 1.1.1 and Ant 1.8.4 (which seem to be the only dependencies needed). I've tested it and everything seems to be working fine so far. Are there any other classes I must include? The JAR (with dependencies) ended up being almost 3x lighter than the current API JAR file.

There is some work to do now in order to deploy the project. But first I want to make sure we agree that this is a good step to take.

What do you guys think?

Useful link:

--
Thiago Porciúncula

Thiago Porciúncula

Nov 7, 2015, 7:54:05 AM
to OWASP ZAP Developer Group
I just realized there is an empty repository under zaproxy called zap-api-java. If we proceed, should we proceed there instead?

--
Thiago Porciúncula

Thiago Porciúncula

Nov 10, 2015, 1:15:47 PM
to OWASP ZAP Developer Group
Does anyone have an opinion about this? If not, I'll proceed to deploy the API to the Central Repository.

The coordinates I intend to use are:
- groupId: org.zaproxy
- artifactId: zap-api
- version: I'll keep the same version description used (i.e. 2.4-v6, which is the current)

The project is hosted here:

On Friday, November 6, 2015 at 7:18:18 PM UTC-2, Thiago Porciúncula wrote:

psiinon

Nov 10, 2015, 1:19:23 PM
to OWASP ZAP Developer Group
Yes I do :)
Sorry, been snowed under recently (which isn't a huge change).
Been meaning to reply to this thread since you started it - I'll do my best to do so tomorrow!

Cheers,

Simon

Thiago Porciúncula

Nov 10, 2015, 1:25:09 PM
to OWASP ZAP Developer Group
Ok, thanks!

--
Thiago Porciúncula

Thiago Porciúncula

Nov 10, 2015, 1:26:55 PM
to OWASP ZAP Developer Group
Ok, thanks!


On Tuesday, November 10, 2015 at 4:19:23 PM UTC-2, psiinon wrote:

psiinon

Nov 11, 2015, 11:39:56 AM
to OWASP ZAP Developer Group
OK, so the plan is to Mavenize ZAP _and_ publish both the ZAP core jar and the API jar to Maven Central. Possibly all of the add-ons as well.
A fair amount of work has already been done towards this, but unfortunately we do keep getting distracted, e.g. by the need to release 2.4.3 :/
We have registered a ZAP account with Maven Central - please don't publish any ZAP artifacts to Maven Central that look like they're official - e.g. using org.zaproxy or org.owasp
Using unrelated GroupIds is fine of course, as a couple of projects have already done: http://search.maven.org/#search|ga|1|zap
We will get there, but I don't have a proposed date yet, and it definitely won't be before 2.4.3 ;)

Cheers,

Simon

Thiago Porciúncula

Nov 11, 2015, 12:36:04 PM
to OWASP ZAP Developer Group
The plan is actually less ambitious. My intention is to Mavenize and publish only the Java API. Mavenizing and publishing ZAP as a whole would be cool (and definitely hard), but what is crucial for me is to deploy the API, since it is a common dependency for any project that wants to play with ZAP.

What I want to do:
- Copy all the API related classes to a separate Maven project (already done);
- Deploy this project to the Central Repository.

What I will achieve with that:
- Developers will be able to play with ZAP by adding a dependency on their POM, without having to manually download the API JAR and manually adding it somehow to their project;
- This also makes it easier to use any application that might have the ZAP Java API as a dependency (i.e. all the ZAP Maven plugins made so far had this annoying step where you had to install the API JAR to your local repository).

This is a big deal for me (and I'd believe that most Maven devs would agree). But maybe it's just me :)

I believe using an official-like groupId would be better because this would be, indeed, the official API without any modification. That's actually why I posted here in the first place, so we could have the official API deployed.

The process for deployment is trivial and wouldn't take any significant effort, so the person responsible for the ZAP account with Maven Central could probably handle it.

If you think this is interesting for ZAP (I do!), just let me know so we can discuss further the best strategy to make it happen.

psiinon

Nov 12, 2015, 6:32:48 AM
to OWASP ZAP Developer Group
I definitely agree that this would be really useful :)
And starting with the API sounds like a good plan, and that's very likely to be the way we do it.
However we do need to make sure we do it right, and right now we are focusing on ZAP 2.4.3.
We will not be publishing the API to Maven Central before we release 2.4.3 - it's too much of a distraction.
But it should be one of the first things we look at after 2.4.3 is out :)
So yes, really interested in this, and we'll ping you directly once we release 2.4.3.

Many thanks,

Simon

Thiago Porciúncula

Nov 12, 2015, 6:57:45 AM
to OWASP ZAP Developer Group
Ok! ZAP 2.4.3 is definitely more important :)

psiinon

Nov 12, 2015, 7:01:56 AM
to OWASP ZAP Developer Group
If we don't get back to you once it's out then _do_ hassle us - been meaning to get the API (plus ZAP) on Maven Central for ages - it's long overdue!

Thiago Porciúncula

Nov 12, 2015, 10:04:34 AM
to OWASP ZAP Developer Group
Ok!

Thiago Porciúncula

Dec 14, 2015, 1:05:05 PM
to OWASP ZAP Developer Group
Hey!

ZAP 2.4.3 is out, so here I am hassling you guys :)

I just want to let you know I'm willing to help however I can to deploy ZAP's API to Maven Central. As I said before, my main intention with this topic was to mavenize only ZAP's Java API, although mavenizing ZAP as a whole would also be cool (and hard). However, I believe focusing only on the API would be a good first step to take.

The first step for this first step would be to isolate the Java API as a new Maven project, so it could be deployed as a Maven artifact. This project would include all classes within org.zaproxy.clientapi.* and it would be nice if it gathered the classes responsible for the API generation as well.

What do you think?

Thanks!

psiinon

Dec 30, 2015, 5:57:36 AM
to OWASP ZAP Developer Group
Good prompt :)

Yes, we want to at the very least publish the ZAP java client to Maven Central, and ideally completely Mavenize ZAP.
We've got a few more things to tidy up but this is getting very close to the top of the priority list.
One of us should contact you directly about this very soon.
If not .. keep hassling us here!

Many thanks,

Simon

Thiago Porciúncula

Jan 6, 2016, 1:56:09 PM
to OWASP ZAP Developer Group
Ok!

My main concern was to have the ZAP API deployed at the Maven Central so I could deploy our Maven plugin as well (pointing to ZAP API as a dependency). But I just put the API classes inside the plugin and it's all good now :P

Thanks!