Your first scan (java thin client)

How to use the dockerized client to execute your first scan


Last updated 2 years ago


The thin client requires a Java Runtime Environment 1.8+ to run and does not include the standard SDKs that are usually needed to produce the dependency graph of your application. For example, if you want to analyse a Java project based on Maven, then Maven has to be installed on your machine. The same applies if you want to analyse a .NET project: the .NET SDK has to be installed and correctly configured on the machine you are running the client from. We expect developers to have their tools on their machines :) but in case they do not, please prefer using the dockerized version of the client, which also includes all the necessary tools.

This guide assumes you are working in a *nix environment: if you are using Windows, please refer to the page "Use the thin client on Windows".

1. download the Java Thin Client from the Meterian cloud

curl https://www.meterian.io/downloads/meterian-cli.jar > ~/meterian-cli.jar

2. set up the METERIAN_API_TOKEN environment variable with one of the tokens available in the account, or create a new one. We also suggest you add this to your .bashrc

export METERIAN_API_TOKEN=your-token-uuid-here

3. launch the client once to validate everything is working properly (note: the first time the thin client may also be downloaded)

java -jar ~/meterian-cli.jar --version 

Meterian Client v1.2.24.5, build 51bcad7-764

4. move into the folder that contains your codebase and execute the client

java -jar ~/meterian-cli.jar

© 2017-2022 Meterian Ltd - dockerized version 2.3.53.699
Meterian Client v1.2.24.5, build 51bcad7-764
© 2017-2022 Meterian Ltd - All rights reserved

System information:
- running locally:   yes
- interactive mode:  off
- working on folder: /home/john/projects/zxing
- autofix mode:      off

Checking folder...
Folder /workspace contains a viable project!

Authorizing the client...
Client successfully authorized

Account: "Acme Team Account"
- Minimum scores:  
  - security:  90
  - stability: 90
  - licensing: 90
- Analysis scopes:  
  - security:  packaged components
  - stability: all components
  - licensing: all components

Project information:
- url:    https://github.com/zxing/zxing
- branch: local
- commit: 708b14bef82a087dd0fefbada81398dd2100366c

Java scan - running maven locally...
- maven: loading dependency tree...
- maven: loading dependency tree (alternate)...
- maven: dependencies generated...
Execution successful!

Uploading dependencies information - 23 found...
Done!

Starting build...
Current build status: initialized - the project has been classified as opensource
Current build status: in preparation
Current build status: process advices at 2022-06-13T15:41:33.660

Final results: 
- security:	85	(minimum: 90)
- stability:	98	(minimum: 90)
- licensing:	100	(minimum: 90)

Full report available at: 
https://www.meterian.com/projects/?pid=...&branch=local&mode=eli

Build unsuccessful!
Failed checks: [security]
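
When only the console log is kept (for example as a CI artifact), the "Final results" block above can be checked mechanically. The following is an added example, not part of the Meterian client or its documentation: the function names `scan_verdict` and `sample_log` are hypothetical, and the sample log is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: derive a verdict from a saved Meterian console log.

# scan_verdict: reads client output on stdin and prints one of
#   pass                 every score meets its minimum
#   fail: <checks...>    names of the checks below their minimum
#   unknown              no "Final results" scores found (treat as a failure)
scan_verdict() {
    awk '
        /^Final results:/ { in_results = 1; next }
        in_results && NF == 0 { in_results = 0 }   # a blank line ends the block
        # Result lines look like: "- security: 85 (minimum: 90)"
        in_results && $1 == "-" && $4 == "(minimum:" {
            name = $2; sub(/:$/, "", name)
            min = $5;  sub(/\)$/, "", min)
            n++
            if ($3 + 0 < min + 0) out = out " " name
        }
        END {
            if (n == 0) { print "unknown"; exit }
            print (out == "" ? "pass" : "fail:" out)
        }
    '
}

# sample_log: constructed sample, mirroring the output above. The indented
# "Minimum scores" lines come before the results block and must be ignored.
sample_log() {
    printf 'Account: "Acme Team Account"\n- Minimum scores:\n  - security:  90\n\n'
    printf 'Final results: \n- security:\t85\t(minimum: 90)\n'
    printf -- '- stability:\t98\t(minimum: 90)\n- licensing:\t100\t(minimum: 90)\n\n'
    printf 'Build unsuccessful!\nFailed checks: [security]\n'
}

sample_log | scan_verdict
```

A log with no results block yields `unknown`, so a truncated or failed run is never mistaken for a passing one.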

You can also set up a simple script that will automatically update your client if required:

#!/bin/sh
# Use $HOME: a quoted "~" is not expanded by the shell
JAR="$HOME/meterian-cli.jar"
# -z downloads only when the remote file is newer than the local copy
curl -s -o "$JAR" -z "$JAR" "https://www.meterian.io/downloads/meterian-cli.jar" >/dev/null
java -jar "$JAR" "$@"

All done! You can click on the link and see the final report in HTML. You can also ask the system to generate, for example, a console report by adding "--console-report" to the command, to see all the information immediately. To learn more about it, see the section "Command line parameters".
