.gitlab-ci.yml

@@ -12,13 +12,12 @@ include:
     inputs:
       check-links-job-tags: ["docker"]
       tbc-check-job-tags: ["docker"]
-      tbc-check-image: cicd-docker-dev.artifact.tecnalia.com/tbc-check:master
+      tbc-check-image: cicd-docker-dev.artifact.tecnalia.dev/tbc-check:master
       gitlab-ci-lint-job-tags: ["docker"]
   - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/kicker/validation@master
     inputs:
       kicker-validation-job-tags: ["docker"]
-      schema-base-url: "https://git.code.tecnalia.com/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
-      yajsv-image: "cicd-docker-dev.artifact.tecnalia.com/yajsv:latest"
+      schema-base-url: "https://git.code.tecnalia.dev/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
   - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/bash/gitlab-ci-bash@master
     inputs:
       bash-shellcheck-job-tags: ["docker"]

CHANGELOG.md

-## [3.11.1](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/maven/compare/3.11.0...3.11.1) (2024-07-26)
+# [4.1.0](https://gitlab.com/to-be-continuous/maven/compare/4.0.2...4.1.0) (2025-01-20)
+
+
+### Features
+
+* **JaCoCo:** add JaCoCo Coverage Reports integration ([1f997a1](https://gitlab.com/to-be-continuous/maven/commit/1f997a18c61d7eb4fe8b9af1ee828893ec70929b))
+
+## [4.0.2](https://gitlab.com/to-be-continuous/maven/compare/4.0.1...4.0.2) (2024-12-29)
+
+
+### Bug Fixes
+
+* use --pkg-types instead of deprecated --vuln-type ([131a821](https://gitlab.com/to-be-continuous/maven/commit/131a821501a6140f9726fa75beb7e18f2c5f5d6f))
+
+## [4.0.1](https://gitlab.com/to-be-continuous/maven/compare/4.0.0...4.0.1) (2024-12-10)
+
+
+### Bug Fixes
+
+* add Git branch slug in SNAPSHOT versions for Merge Request ([afcc0b0](https://gitlab.com/to-be-continuous/maven/commit/afcc0b0ccbc09118264412e3075ee8003bcb1dbc))
+
+# [4.0.0](https://gitlab.com/to-be-continuous/maven/compare/3.11.4...4.0.0) (2024-11-26)
+
+
+### Code Refactoring
+
+* **jib/trivy:** enforce usage of Trivy environment variables ([e62f19e](https://gitlab.com/to-be-continuous/maven/commit/e62f19e98367595b58f07d9275371f75697dc33c))
+
+
+### BREAKING CHANGES
+
+* **jib/trivy:** 2 Trivy configuration params removed in favor of the native Trivy environment variables
+
+## [3.11.4](https://gitlab.com/to-be-continuous/maven/compare/3.11.3...3.11.4) (2024-10-24)
+
+
+### Bug Fixes
+
+* set trivy artifact expiration ([fe96b4a](https://gitlab.com/to-be-continuous/maven/commit/fe96b4ae9b2bff3fe803e5aa47ff670c6eccd38f))
+
+## [3.11.3](https://gitlab.com/to-be-continuous/maven/compare/3.11.2...3.11.3) (2024-10-04)
+
+
+### Bug Fixes
+
+* **release:** support full semantic-versioning specifcation (with prerelease and build metadata) ([3d627c0](https://gitlab.com/to-be-continuous/maven/commit/3d627c0a462e898b4502c515e59b38efc14ee499))
+
+## [3.11.2](https://gitlab.com/to-be-continuous/maven/compare/3.11.1...3.11.2) (2024-09-10)
 
 
 ### Bug Fixes
 
-* **jib:** correct the artifacts paths and reports definition ([bbde711](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/maven/commit/bbde711e6d8566ee93da393c35bcfb3fdd0c5a2d)), closes [#62](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/maven/issues/62)
+* Add fail function. fixes [#67](https://gitlab.com/to-be-continuous/maven/issues/67) ([31c979c](https://gitlab.com/to-be-continuous/maven/commit/31c979caece4f247b34477e6cab37158ea29eae4))
 
 ## [3.11.1](https://gitlab.com/to-be-continuous/maven/compare/3.11.0...3.11.1) (2024-07-15)
 

README.md

@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
   # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@3.11.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.1.0
     # 2: set/override component inputs
     inputs:
       # ⚠ this is only an example
@@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
   # 1: include the template
   - project: 'to-be-continuous/maven'
-    ref: '3.11.1'
+    ref: '4.1.0'
     file: '/templates/gitlab-ci-maven.yml'
 
 variables:
@@ -90,14 +90,15 @@ to compute code coverage during unit tests execution.
 
 In addition it makes the necessary to [integrate code coverage stats into your GitLab project](https://docs.gitlab.com/ee/ci/testing/code_coverage.html#view-code-coverage-results-in-the-mr) (report badge and viewable coverage in merge requests).
 
-If yo want to fix the JaCoCo plugin version or tweak the default configuration, you may have to configure the
+If you want to fix the JaCoCo plugin version or tweak the default configuration, you may have to configure the
 [JaCoCo Maven Plugin](https://www.eclemma.org/jacoco/trunk/doc/maven.html) in your `pom.xml`, but be aware of the
 following:
 
 * do not declare JaCoCo executions for `prepare-agent` and `report` goals as each would run twice during
   unit tests (not necessarily with the expected configuration). If you really need to do so anyway, you'll have to
   override the `$MAVEN_BUILD_ARGS` variable to remove the explicit invocation to JaCoCo goals.
-* make sure the `report` goal computes a CSV report, that is used by the Maven template to compute the global coverage stat.
+* make sure the `report` goal computes a CSV report (that's default behavior), that is used by the Maven template to compute the global coverage stat,
+* make sure the `report` goal computes an XML report (that's default behavior), that is required to support [GitLab code coverage intergation](https://docs.gitlab.com/ee/ci/testing/test_coverage_visualization/jacoco.html).
 
 More info:
 
@@ -490,11 +491,17 @@ The template uses GitLab registries and authentication defaults. See the Docker
 | -------------------------------------- | ------------------------ | ------------------------------------------------- |
 | `sbom-image` / `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` |
 | `sbom-opts` / `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials  | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java`          |
-| `trivy-security-level-threshold` / `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` | Security level which fails the `mvn-trivy` job | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
 | `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning  | `registry.hub.docker.com/aquasec/trivy:latest` |
 | `trivy-args` / `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` |
 | `mvn-trivy-job-tags` / `MVN_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
 
+Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
+Examples:
+
+* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)
+* `TRIVY_SERVER`: server address (enables client/server mode)
+* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from
+* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from
 
 ##### Jib build and publish configuration
 
@@ -536,7 +543,7 @@ All authentication methods should use masked GitLab environment variables.
 ```yaml
 include:
   # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@3.11.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.1.0
   # Jib is implemented as an extension to Maven, and uses supporting features of the TBC Maven template
-  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@3.11.1
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.1.0
 ```

bumpversion.sh

@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
   log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
 
   # replace in README
-  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
   mv -f README.md.next README.md
 
   # replace in template and variants

kicker.json

@@ -119,7 +119,7 @@
         },
         {
           "name": "SONAR_TOKEN",
-          "description": "SonarQube authentication token (see https://docs.sonarqube.org/latest/user-guide/user-token/) - depends on your authentication method",
+          "description": "SonarQube authentication token (see https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/) - depends on your authentication method",
           "secret": true
         },
         {
@@ -134,13 +134,13 @@
         },
         {
           "name": "SONAR_BASE_ARGS",
-          "description": "SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)",
+          "description": "SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/)",
           "default": "sonar:sonar -Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues",
           "advanced": true
         },
         {
           "name": "SONAR_QUALITY_GATE_ENABLED",
-          "description": "Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.\n\n_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._",
+          "description": "Enables SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/latest/instance-administration/analysis-functions/quality-gates/) verification.\n\n_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._",
           "type": "boolean"
         }
       ]
@@ -273,7 +273,7 @@
         {
           "id": "mvn-trivy",
           "name": "Maven Trivy",
-          "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
+          "description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis",
           "disable_with": "MAVEN_TRIVY_DISABLED",
           "variables": [
             {
@@ -282,28 +282,10 @@
               "default": "registry.hub.docker.com/aquasec/trivy:latest",
               "advanced": true
             },
-            {
-              "name": "MAVEN_TRIVY_ADDR",
-              "type": "url",
-              "description": "The Trivy server address"
-            },
-            {
-              "name": "MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD",
-              "type": "enum",
-              "values": [
-                "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-                "LOW,MEDIUM,HIGH,CRITICAL",
-                "MEDIUM,HIGH,CRITICAL",
-                "HIGH,CRITICAL",
-                "CRITICAL"
-              ],
-              "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
-              "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
-            },
             {
               "name": "MAVEN_TRIVY_ARGS",
-              "description": "Additional `trivy client` arguments",
-              "default": "--ignore-unfixed --vuln-type os",
+              "description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",
+              "default": "--ignore-unfixed --pkg-types os",
               "advanced": true
             }
           ]

templates/gitlab-ci-maven-jib.yml

@@ -32,22 +32,9 @@ spec:
     trivy-image:
       description: The docker image used to scan images with Trivy
       default: registry.hub.docker.com/aquasec/trivy:latest
-    trivy-addr:
-      description: The Trivy server address
-      default: ''
-    trivy-security-level-threshold:
-      description: 'Severities of vulnerabilities to be displayed (comma separated values:
-        `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
-      options:
-      - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-      - LOW,MEDIUM,HIGH,CRITICAL
-      - MEDIUM,HIGH,CRITICAL
-      - HIGH,CRITICAL
-      - CRITICAL
-      default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
     trivy-args:
-      description: Additional `trivy client` arguments
-      default: --ignore-unfixed --vuln-type os
+      description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)
+      default: --ignore-unfixed --pkg-types os
     sbom-image:
       default: registry.hub.docker.com/anchore/syft:debug
     sbom-opts:
@@ -78,8 +65,8 @@ spec:
 variables:
   MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]]
   MAVEN_SBOM_OPTS: $[[ inputs.sbom-opts ]]
-  MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
   MAVEN_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
+  MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
   MAVEN_TRIVY_ARGS: $[[ inputs.trivy-args ]]
   MAVEN_JIB_SNAPSHOT_IMAGE: $[[ inputs.jib-snapshot-image ]]
   MAVEN_JIB_RELEASE_IMAGE: $[[ inputs.jib-release-image ]]
@@ -87,8 +74,6 @@ variables:
   MAVEN_JIB_PROD_PUBLISH_STRATEGY: $[[ inputs.jib-prod-publish-strategy ]]
   MAVEN_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]]
   MAVEN_JIB_PUBLISH_ARGS: $[[ inputs.jib-publish-args ]]
-  MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
-  MAVEN_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
 
 .mvn-jib-scripts: &mvn-jib-scripts |
   # BEGSCRIPT
@@ -187,26 +172,22 @@ mvn-trivy:
     export TRIVY_PASSWORD=${MAVEN_JIB_REGISTRY_SNAPSHOT_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
     export basename=$(echo "${MAVEN_JIB_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
     mkdir -p ./reports
-    if [[ -z "${MAVEN_TRIVY_ADDR}" ]]; then
-      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the MAVEN_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
-      trivy image --download-db-only
-      export trivy_opts="image"
-    else
-      log_info "You are using Trivy in client/server mode with the following server: ${MAVEN_TRIVY_ADDR}"
-      export trivy_opts="image --server ${MAVEN_TRIVY_ADDR}"
+    if [[ -z "$TRIVY_SERVER" ]]; then
+      log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
     fi
-    # Add common trivy arguments
-    export trivy_opts="${trivy_opts} --no-progress --severity ${MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD} ${MAVEN_TRIVY_ARGS}"
-    # GitLab format (no fail)
-    trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $MAVEN_JIB_SNAPSHOT_IMAGE
-    # JSON format (no fail)
-    if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
-    then
-      trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE
-    fi
-    # console output (fail)
-    trivy ${trivy_opts} --format table --exit-code 1 $MAVEN_JIB_SNAPSHOT_IMAGE
+    # Generate the native JSON report that can later be converted to other formats
+    trivy image --no-progress ${MAVEN_TRIVY_ARGS} --exit-code 1 --format json --output reports/jib-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE || exit_code=$?
+
+    # Generate a report in the GitLab format
+    trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/jib-trivy-${basename}.gitlab.json reports/jib-trivy-${basename}.native.json
+
+    # console output
+    trivy convert --format table reports/jib-trivy-${basename}.native.json
+
+    exit $exit_code
   artifacts:
+    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    expire_in: 1 day
     when: always
     paths:
     - "reports/jib-trivy-*"

templates/gitlab-ci-maven.yml

@@ -53,18 +53,18 @@ spec:
       description: SonarQube server url
       default: ''
     sonar-base-args:
-      description: SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)
+      description: SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/)
       default: >-
         sonar:sonar
         -Dsonar.links.homepage=${CI_PROJECT_URL}
         -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines
         -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues
     sonar-quality-gate-enabled:
-      description: 'Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/)
+      description: 'Enables SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/latest/instance-administration/analysis-functions/quality-gates/)
         verification.
 
 
-        _Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._'
+        _Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._'
       type: boolean
       default: false
     dependency-check-disabled:
@@ -221,7 +221,7 @@ variables:
   # default integration ref name (pattern)
   INTEG_REF: '/^develop$/'
   # default release tag name (pattern)
-  RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+$/'
+  RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-\.]+)?(\+[a-zA-Z0-9-\.]+)?$/'
   # default configuration directory
   MAVEN_CFG_DIR: $[[ inputs.cfg-dir ]]
   # default settings.xml file path
@@ -235,8 +235,8 @@ variables:
   # Maven build arguments
   MAVEN_BUILD_ARGS: $[[ inputs.build-args ]]
   # Sonar base analysis default args
-  # see: https://docs.sonarqube.org/latest/analysis/analysis-parameters/
-  # default uses branch analysis: https://docs.sonarqube.org/latest/branches/overview/
+  # see: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/
+  # default uses branch analysis: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/branch-analysis/introduction/
   SONAR_BASE_ARGS: $[[ inputs.sonar-base-args ]]
   # Dependency Check arguments
   MAVEN_DEPENDENCY_CHECK_ARGS: $[[ inputs.dependency-check-args ]]
@@ -289,6 +289,11 @@ stages:
       echo -e "[\\e[1;91mERROR\\e[0m] $*"
   }
 
+  function fail() {
+    log_error "$*"
+    exit 1
+  }
+
   function output_coverage() {
     jacoco_reports=$(find . -name "${JACOCO_CSV_REPORT:-jacoco.csv}")
 
@@ -606,12 +611,12 @@ stages:
 
   # only on a branch commit, with deploy and "SNAPSHOT with slug" enabled
   function maybe_inject_slug_in_version() {
-    if [[ "$CI_COMMIT_BRANCH" ]] && [[ "$MAVEN_DEPLOY_ENABLED" == "true" ]] && [[ "$MAVEN_DEPLOY_SNAPSHOT_WITH_SLUG_ENABLED" == "true" ]]
+    if [[ -z "$CI_COMMIT_TAG" ]] && [[ "$MAVEN_DEPLOY_ENABLED" == "true" ]] && [[ "$MAVEN_DEPLOY_SNAPSHOT_WITH_SLUG_ENABLED" == "true" ]]
     then
       # check if on non-prod branch
       prod_ref_expr=${PROD_REF#/}
       prod_ref_expr=${prod_ref_expr%/}
-      if [[ ! "$CI_COMMIT_BRANCH" =~ $prod_ref_expr ]]
+      if [[ ! "$CI_COMMIT_REF_NAME" =~ $prod_ref_expr ]]
       then
         # shellcheck disable=SC2086
         pom_version=$(mvn $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args help:evaluate -Dexpression=project.version -q -DforceStdout | tail -n 1)
@@ -633,7 +638,7 @@ stages:
   image: $MAVEN_IMAGE
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "maven", "3.11.1"]
+      command: ["--service", "maven", "4.1.0"]
   before_script:
     - !reference [.mvn-scripts]
     - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
@@ -664,6 +669,9 @@ mvn-build:
     reports:
       junit:
         - "${MAVEN_PROJECT_DIR}/**/target/*-reports/TEST-*.xml"
+      coverage_report:
+        coverage_format: jacoco
+        path: "${MAVEN_PROJECT_DIR}/**/target/site/jacoco/jacoco.xml"
     paths:
       # version may have been altered
       - "${MAVEN_PROJECT_DIR}/**/pom.xml"
@@ -675,7 +683,7 @@ mvn-sonar:
   stage: test
   extends: .mvn-base
   variables:
-    # see: https://docs.sonarqube.org/latest/analysis/gitlab-integration/#header-4
+    # see: https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/gitlab-integration/setting-up-at-project-level/
     SONAR_USER_HOME: "${CI_PROJECT_DIR}/${MAVEN_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
     GIT_DEPTH: 0 # Tells git to fetch all the branches of the project, required by the analysis task
   cache: