Fortify – [error]: Build ID doesn’t exist.

[error]: Build ID doesn’t exist.Error invoking sourceanalyzer. Exit code: 1.
This was the strange error we kept seeing today on the Jenkins server when using Fortify to scan projects. All the jobs which were running successfully failed miserably.

Even having the source code for the Maven plug-in didn’t help much.

 Spent a few hours trying various things, and at one point I decided to just run the translate command. The translate was running fine, which made me wonder that something isn’t right here.
Fortify kept complaining that the Build ID doesn’t exist. Translate also requires the use of Build ID which made we wonder something was going wrong. When I just ran the translate, and looked at the log file it generates, the culprit was hidden there. “No space left on device”. See screen shot below:

Fortify was configured to use the default working directory and project root. The disk was full, and translate didn’t throw an exception. The stack trace was hidden in the log file. Once the default working folder was changed, all jobs started running successfully.
There are basically two options available:
1. Change the values to a mount which has more space.
com.fortify.WorkingDirectory=/your/tmp/dir/fortify
com.fortify.sca.ProjectRoot=/your/tmp/dir/fortify
2. Use the Jenkins workspace folder, so you can clear the workspace at regular intervals
com.fortify.WorkingDirectory=.yourjenkinsworkspace
com.fortify.sca.ProjectRoot=.yourjenkinsworkspace

Maven Fortify Plugin - Getting Help

Developers and security analysts have trouble getting the Fortify Maven plugin up and running. Even if the basic commands for translate, and scan work, I have seen them having trouble understanding the various options available to configure how the projects gets scanned.

Adding the Fortify Maven plugin is as simple as adding the following lines to your POM file. This is again optional, and in many cases if you specify the full path, you don't even have to add the following lines to all your POM.

If you don't have the source for the Plugin and you want to find out what are the configuration options which can be specified for the plugin, use the mvn help:describe command. If you want to see the options for the maven-sca-plugin shown above, use the following command:
mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Doutput=mvn-help.txt

The text file would have all the detailed information available to use with the goals.

To get help information for a specifc MOJO or a Maven goal use the following command:
mvn help:describe -DgroupId=com.fortify.ps.maven.plugin -DartifactId=maven-sca-plugin -Dversion=3.50 -Ddetail=true -Dgoal=scan -Doutput=mvn-help-scan.txt

jmap & Windows7

In spite of using Java for several decades now, I had never used jmap. jmap is a JDK tool used for dumping the heap memory details of a process. jmap worked with no problems at all on the Ubuntu machine which had OpenJDK installed.

However, as soon as I tried using the same commands on my Windows 7 machine, the command just didn't do anything. I did search online and found no references on why it doesn't work the way it is supposed to on Windows. Didn't spend too much time finding what the root cause was either. The workaround is sufficient for me. :)

So, lets see how to get this jmap working on Windows.

Step 1:
Open a command window and start any Java program you have. Make sure it runs for a while so you can use this process ID to get the heap dump.

Step 2:
Run the jps command to get the process ID's. jps is the Java Virtual Machine Process Status Tool.

Step 3:
Now that you have the process ID's for the applications running, start the jmap command on another command prompt. This is where things get interesting.

 

jmap should have worked here, since it is in the path. However, it doesn't dump the heap and keeps displaying the usage instructions.

I tried several options, none seemed to work.

Step 4:

At this point, I decided to run the jmap command from the bin folder of the JDK to see if anything changes.

And like a charm, jmap dumped the contents of the heap.

Step 5:
Once you have the contents of the heap, use jhat the Java Heap Analysis Tool to view and browse through the heap dump file.

Below are links for the various JDK Tools:

1. jmap
2. jps
3. jhat

SONAR Ant Task

I am using Sonar for code analysis. While writing some custom Ant build scripts for SONAR since we have an Ant task now, I was constantly seeing the following error message. I followed the steps listed on Sonar here:
http://docs.codehaus.org/display/SONAR/Analyzing+with+Sonar+Ant+Task 

The build file I created was as such:

However, every time I tried the task I kept getting the following exception:

A small change in the build file, and the Analysis ran like a charm:

Sonar OWASP Plug-in

I have done several demos to clients on Sonar. Last week, I did a Brown Bag @ Cigital on Sonar. As I was preparing the Virtual Machine which I created for Sonar, I noticed the OWASP Plug-in. I downloaded the trial version and ran analysis on a few projects.

As I was doing the demo, several of our Consultants @ Cigital had tons of questions about how this plug-in worked. Remember, Cigital helps companies improve the security of our clients most reliable applications. :)

I promised to look in detail within this plug-in to see what engine was running behind the scenes, how they mapped the OWASP Top 10 vulnerabilities and so on.

Over the last 5 years, I have used several tools for running scans on various languages. I have used tools like Coverity, IBM's AppScan Source Edition, and HP's Fortify. I was of the impression that this Plug-in was built with a powerful engine which compared to the tools I mentioned. I was really disappointed to see that it doesn't have any engine to find security vulnerabilities. The plug-in just maps rules from FindBugs, PMD and CheckStyle to the OWASP Top 10 rules.It has an XML file and you can map the rules within this file.

It gives you a false sense of security when you see the OWASP Factor Risk. The sample project I scanned using this plug-in has all the OWASP Top 10 vulnerabilities like Cross-Site Scripting, SQL Injection, Command Injection and many more. And this plug-in wasn't able to find any of these vulnerabilities. It is just a mapping of a few rules mapped to FindBugs, PMD and CheckStyle.

The idea behind this Plug-in is really great. However, if the engine can be improved behind the scenes, or if the plug-in can parse results from one of the SCR tools like Coverity, IBM's AppScan Source Edition, and HP's Fortify than there is real value to the plug-in.

You can find more details about Sonar and the OWASP Plug-in at the links provided below:

• Sonar
• OWASP Sonar Plug-in

Deleting a project from Sonar

I have been using Sonar for several years now. However, I never deleted any project. So, when one of my colleagues asked me how to delete a project from Sonar, I had to spend a few minutes looking for the same.

It is quite easy to delete a project from Sonar.Listed below are the steps to delete a project.

1. Login into Sonar as an Administrator.

2. Next, click on the project you want to delete.

3. Click on the "Project Deletion" link on the left hand side. Highlighted in red in the above image.

4. Click on the "Delete Project" button. The operation cannot be undone.

Packt Publishing Publishes 1000 Titles

I have read  and reviewed several books from Packt Publishing. I read several books and reading books from various publishers definitely brings variety.

Packt would like you to join them in celebrating this milestone with a surprise gift. Revisit Packt’s website between the 28th and 30th of September to redeem your gift, or sign up for an account with us now to receive a notification email.

Packt supports many of the Open Source projects covered by its books through a project royalty donation, which has contributed over $400,000 to Open Source projects. As part of the 1000th book celebration Packt is allocating $30,000 to share between projects and authors.

If you are interested in  reading books, go ahead and signup and get a surprise gift. It maybe a book which you always wanted to read.

Check out all the details from Packt at their website : http://www.packtpub.com/

FindBugs Custom Detector -Build Failure - com.sun.tools.javac.code.Symbol$CompletionFailure

I was working today on a plug-in for FindBugs, writing CustomDetectors for finding some security vulnerabilities. I was able to compile the project and create the plug-in in Eclipse IDE. However, when I started working on creating a basic Ant build file, the compile target failed miserably. The error I was seeing in the Eclipse IDE was:

Buildfile: C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\build.xml

clean:

init:

compile:

    [javac] C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\build.xml:32: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds

    [javac] Compiling 8 source files to C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\bin

    [javac] An exception has occurred in the compiler (1.6.0_24). Please file a bug at the Java Developer Connection (http://java.sun.com/webapps/bugreport)  after checking the Bug Parade for duplicates. Include your program and the following diagnostic in your report.  Thank you.

    [javac] com.sun.tools.javac.code.Symbol$CompletionFailure: class file for javax.annotation.meta.When not found

BUILD FAILED

C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\build.xml:32: Compile failed; see the compiler error output for details.

Total time: 1 second

A quick search on the web, and after adding the jsr305.jar to the classpath, the compilation error was gone.

Buildfile: C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\build.xml

clean:

init:

compile:

    [javac] C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\build.xml:32: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds

    [javac] Compiling 8 source files to C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\bin

jar:

      [jar] Building jar: C:\Users\msubbarao\workspace\FindBugs_Cigital_Plugin\FindBugs_Cigital_Plugin.jar

     [copy] Copying 1 file to C:\dev\eclipse\plugins\edu.umd.cs.findbugs.plugin.eclipse_2.0.1.20120712\plugin

BUILD SUCCESSFUL

Total time: 1 second

For more details on FindBugs visit, FindBugs Site.

Stay tuned for detailed posts on how to write CustomDetectors for FindBugs. 

Security Consultants Needed @ Cigital

Cigital Inc, a company I have been working at for the past 3 and 1/2 years, is rapidly expanding and eager to hire.

So if you have any interest in software security, comment below and I will give you more information about all the opportunities currently available at Cigital. And for all those who love to travel, Cigital has many many opportunities that involve traveling.

Please feel free to forward this announcement to all your fellow software friends and family.

Cigital  has offices at several locations all across the world. A few are listed below:
In USA at Dulles, VA, New York, NY, San Jose, CA,. In Europe at London, UK, Amsterdam, Paris, France and Geneva, Switzerland area.

Cigital Announces BSIMM3

Cigital, the company I work for, today announced the third major release of the "Building Security In Maturity Model" (BSIMM) study. BSIMM3 continues to add real-world data defining benchmarks for successfully developing and operating an enterprise software security initiative. The study reveals that firms participating in the BSIMM project show measurable improvement in their software security initiatives over time.

BSIMM3 is a multi-year study of real-world software security initiatives, based on in-depth measurement of leading enterprises including Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Fannie Mae, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Scripps Networks Interactive, Sony Ericsson, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo, and Zynga.

The BSIMM3 study provides insight into forty-two of the most successful software security initiatives in the world, identifying activities used by these organizations to effectively plan, structure, and execute the evolution of a software security initiative.

Originally launched in March 2009, the BSIMM is the industry's first software security measurement tool built from real-world data rather than based on philosophy and theory. BSIMM2 was released in May 2010 and tripled the size of the original study from nine organizations to thirty. BSIMM3, released today, covers forty-two firms representing a range of eight overlapping verticals including: financial services (17), independent software vendors (15), technology firms (10), telecommunications (3), insurance (2), energy (2), media (2) and healthcare (1). The current release includes 109 thoroughly updated activity descriptions and a longitudinal study describing the evolution of eleven of the forty-two firms over time.


Some highlights for the third major release of the BSIMM:
• BSIMM3 now includes 42 firms
• BSIMM3 describes 109 activities in 12 practices with 2 or more real examples for each activity
• 11 firms have been measured twice (providing Longitudinal Study data) and the data show measurable improvement
• The BSIMM3 data set has 81 distinct measurements (some firms measured twice, some firms have multiple divisions measured separately)
• BSIMM3 reveals that leading firms on average employ two full time software security specialists for every 100 developers
• BSIMM3 results show that mature software security initiatives are well rounded, with activities in all twelve practices including: strategy and metrics, compliance and policy, architecture analysis, code review, security testing, penetration testing, and configuration management.


For more information and to access the BSIMM3 study, which is distributed free of charge under the Creative Commons, please visit: http://bsimm.com/

EJB 3.1 Cookbook - Review

Title: EJB 3.1 Cookbook

Author: Richard.M.Reese

Publisher: Packt

I received this book to review some time in June this year. Just two days after I received the book, we had to travel to India due to the sudden death of my Mother-in-law.
I came back from India, and was swamped with work for several weeks. Finally, this weekend I had some time to sit in front of my laptop and work on the review.

 I usually don't agree to review any books due to my busy schedule. However, took this offer just because it was a book on my favorite technology, EJB's.

The book covers the latest EJB version, 3.1. Like the name suggests it is a cookbook with lots of examples. If you are already familiar with using EJB and want to know new features of 3.1 than I would recommend you to go ahead and buy this book.

However, if this is the first time you are using EJB's, than this book doesn't cover all the technologies in detail. There are a few sections which I thought was not at all relevant to EJB 3.1, like

• How to support currency
• Using time with an EJB
• Efficient manipulation of strings

And a few sections where the Author goes in detail in explaining how to

• Validating null fields
• Validating string fields
• Validating temporal fields
• Validation using regular expressions
• Validating Boolean fields
• Validating Integer fields
• Using the Validator class

Do we need examples to know how to validate every type of field?
 
In the past few years I have been consulting, I have seen several Developers who need examples and samples for everything. If you are one such Developer, this is the book for you.
If you want more details about this book, take a look at the link below on Packt web site.
 1. EJB 3.1 Cookbook

So, what would be my rating for this book if you ask?

Packt Publishing launches Sixth Annual Open Source Awards

I am a huge fan of technical books. I used to write several reviews for Javalobby earlier. However, due to time constraints and a hectic job, have not been writing reviews lately. Earlier, most books I read were from Manning, Apress and O'Reilly. In recent days, I read several interesting books from Packt Publishing.

 I am also a huge fan of open source technologies. I haven't contributed much to open source technologies. However, when I heard of the latest open source awards announced by Packt Publishing, I thought I should do my share and let the community know the same.


Packt has announced several categories for the awards.
The categories are:

• Open Source CMS
• Open Source Mobile Toolkits and Libraries
• Most Promising Open Source project
• Open Source Business Applications
• Open Source JavaScript Libraries
• Open Source Multimedia Software

If you nominate you will be entered to win a Kindle. I love my Kindle. :)
As per the press release from PACKT:

"The finalists in the voting stage will be announced at the beginning of September; and the Voting stage begins on 19th September 2011. Voting closes on 31st October 2011, with the winners announced throughout the week commencing 7th November 2011."

Read more details on their web site, and keep voting.

• PACKT Publishing
• Read more about the awards here.

Job Opportunities at Cigital

I have seen several emails, and a few comments about how people have been losing jobs, and are unable to find one quickly.The economy is getting worse day by day, and trust me I have seen several people I know who are struggling to find job.

Cigital Inc, a company I have been working at for three years, is rapidly expanding and eager to hire. I am working as a Technical Manager and love what I do for my Job.

So if you have any interest in software security, quality, or product development comment below and I will give you more information about all the opportunities currently available at Cigital. And for all those who love to travel, Cigital has many many opportunities that involve traveling.

Please feel free to forward this announcement to all your fellow software friends and family.

My Company has offices at several locations all across the world. A few are listed below:
In USA at Dulles, VA, New York, NY, San Jose, CA,. In Europe at London, UK, Amsterdam, Paris, France and Geneva, Switzerland area.

Continuous Integration in .NET - Book Review

Title: Continuous Integration in .NET

Authors: 
MARCIN KAWALEROWICZ and CRAIG BERNTSON


Publisher: Manning 


Rating:  Five stars all around!
The book is well written. The authors have gathered so much information in this book that it will help those of you who want to use CI. I'd heartily recommend this book for anyone making the transition to Continuous Integration in the .NET world.

It is simple to rate this book: every .NET team not using Continuous Integration should own and read this book!


I have been using CI in my own team, and have also been assisting several clients in setting up CI. Over the past several years, I have seen many teams using CI just to compile their code. If your team is doing just that, than this is the book you need to read and follow. All CI concepts are illustrated with examples. The authors use a large number of diagrams, tables, and code snippets with detailed explanations.

Note: This was also the first technical book which I read on my Kindle, and the rendering of the diagrams, tables, code snippets was just great.

Target Audience:
The target audience for this book is the entire .NET development team. For a beginner trying to understand Continuous Integration, for a Tester who wants the system to be in a working state before and after integration, and the Manager who want to reduce risks, this book will give a solid foundation of CI and its concepts. It is for all kinds of .NET developers: Beginners, Intermediate as well as Experienced CI users.

Tools Covered:
The authors cover several tools required for setting up a successful CI system, and the book has working examples to setup and use each of the tools listed below. The list below itself makes this book an important part of every .NET developer's arsenal.

1.     CI Servers

• CruiseControl.NET
• TeamCity
• Team Foundation Server 2010

2.      Build Automation Tools

• Nant
• MSBuild

3.     Unit Testing Frameworks

• NUnit
• Microsoft unit testing framework

4.     Test Coverage

•  PartCover

5.     UI Testing Frameworks

• White
• Silverlight
• Selenium

6.     Acceptance Testing Frameworks

•  FitNesse

7.     Code Analysis Tools

•  FxCop
• StyleCop
• NDepend

ZIP Files - Ant and Maven

How hard it might be to ZIP a bunch of files you think right? Judge for yourself. Like in my previous post of getting the timestamp, I needed to ZIP all the source artifacts to upload to a server.

I could do this in one line in Ant. Yes, literally one line.

Now comes the fun part. Doing the same with Maven. Started browsing the Maven site to see what needs to be done to achieve the same. Sounds easy though, but the XML configured for such a fairly trivial task was not a 1 liner. Several lines to get this to work.

Not sure how many more things I will uncover using Maven. I would have written everything in Ant and asked the client to use the Ant plug-in for Maven, but that is not an option I have.

I am glad I am learning so many things about Maven. By the time I finish writing all the plug-ins for Maven, I am quite confident I will be able to say I am a Maven GURU. Hope that day comes soon.

Hudson or Jenkins

I have been using Hudson( now called Jenkins) from early 2008, i.e. almost 3 years. Also, if you have been reading my blogs, you already know I am a huge fan of Hudson.

I had been following what's happening with Hudson and Jenkins closely. Every time I do a presentation at client sites, I get frequently asked about which way I am going. Like "Have you switched to Jenkins, why are you still using Hudson"? What are your thoughts about both of them?

Most of our clients which are big financial institutions are still using Hudson. So, we will have to support Hudson as long as our clients are using. Most of them had no inclination to switch to Jenkins either. They didn't have any opinion when I asked about the switch.

So, for the time being we are using Hudson. However, I did download Jenkins, renamed it to hudson.war and everything worked like a charm. As expected.

So, what are you using? Have you made the switch yet to Jenkins? If yes, may I ask why?

Getting Timestamp in Ant (trivial) and Maven (nontrivial)

I have been working on custom plug-ins for Ant and Maven to upload artifacts to a server. These are source files, the binaries and anything required for scanning using a static code analysis tool for security. Having used Ant for more than a decade now getting the time stamp to keep track of the uploads and also the log files was done in a few minutes.

So, it is trivial getting a timestamp from within my build.xml file. Attached is the sample for doing the same.

No surprises, and everything works like a charm.

Now comes the tough part. Getting the timestamp in Maven. After writing several plug-ins for Hudson and Sonar, I was thinking I have some good knowledge about Maven. I was completely wrong. I have been struggling getting the time stamp plug-in to work with Maven.

So, here are the steps I followed when I saw there was a "Build Number Maven Plug-in".

I added the plugin details to my pom.xml file. Attached are the details:

As soon as I ran this, I got an exception as shown below:

artifact org.codehaus.mojo:buildnumber-maven-plugin: checking for updates from central

[WARNING] repository metadata for: 'artifact org.codehaus.mojo:buildnumber-maven-plugin' could not be retrieved from repository: central due to an error: Error transferring file: Connection timed out: connect

Repository 'central' will be blacklisted

------------------------------------------------------------------------

[ERROR]BUILD ERROR

------------------------------------------------------------------------

The plugin 'org.codehaus.mojo:buildnumber-maven-plugin' does not exist or no valid version could be found

Next, I decided to install the plug-in manually on my local repository. So, here I followed the following steps:

1. Downloaded the jar from http://mirrors.ibiblio.org/pub/mirrors/maven2/org/codehaus/mojo/buildnumber-maven-plugin/1.0-beta-4/buildnumber-maven-plugin-1.0-beta-4.jar

2. Installed it locally in my Maven repository as such:

mvn install:install-file -Dfile=buildnumber-maven-plugin-1.0-beta-4.jar \
-DgroupId=org.codehaus.mojo \
-DartifactId=buildnumber-maven-plugin \
-Dversion=1.0-beta-4 \
-Dpackaging=jar

The timestamp was created at this point, and now the plugin complains about the scm url being null.

------------------------------------------------------------------------
[buildnumber:create]
Storing buildNumber: 20110308095006 at timestamp: 1299595806804
------------------------------------------------------------------------
[ERROR]FATAL ERROR
------------------------------------------------------------------------
The scm url cannot be null.
------------------------------------------------------------------------
Trace
java.lang.NullPointerException: The scm url cannot be null.
at org.apache.maven.scm.manager.AbstractScmManager.makeScmRepository(AbstractScmManager.java:181)
at org.codehaus.mojo.build.CreateMojo.getScmRepository(CreateMojo.java:722)
at org.codehaus.mojo.build.CreateMojo.getScmBranch(CreateMojo.java:593)
at org.codehaus.mojo.build.CreateMojo.execute(CreateMojo.java:452)
at org.apache.maven.plugin.DefaultPluginManager.executeMojo(DefaultPluginManager.java:490)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoals(DefaultLifecycleExecutor.java:694)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoalWithLifecycle(DefaultLifecycleExecutor.java:556)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoal(DefaultLifecycleExecutor.java:535)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoalAndHandleFailures(DefaultLifecycleExecutor.java:387)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeTaskSegments(DefaultLifecycleExecutor.java:348)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.execute(DefaultLifecycleExecutor.java:180)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:328)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:138)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:362)
at org.apache.maven.cli.compat.CompatibleMain.main(CompatibleMain.java:60)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.codehaus.classworlds.Launcher.launchEnhanced(Launcher.java:315)
at org.codehaus.classworlds.Launcher.launch(Launcher.java:255)
at org.codehaus.classworlds.Launcher.mainWithExitCode(Launcher.java:430)
at org.codehaus.classworlds.Launcher.main(Launcher.java:375)
------------------------------------------------------------------------
Total time: 2 seconds
Finished at: Tue Mar 08 09:50:07 EST 2011
Final Memory: 24M/224M
------------------------------------------------------------------------

I searched the FAQ section of this plugin at http://mojo.codehaus.org/buildnumber-maven-plugin/faq.html and it says to include the

revisionOnScmFailure 

which like you can see I have included.

At this point, I just gave up using this plug-in.

Have you used this plug-in and have a work around for this problem? Please share your thoughts. Is there anything else easier I can use to get the time stamp?

Update: After several tries using many other plug-ins including the one for Groovy, I found a workaround for some other bug at the following location http://jira.codehaus.org/browse/MRESOURCES-99, and I was able to successfully get the time stamp I need. Huh, I need my 3 hours back Maven......

RESTEasy - Connection Release Problems

If you are using RESTEasy client framework, and returning a Response from your service method, you will explicitly need to release the connection.

Here is the stack trace you will see, if the connection isn't released.

Exception in thread "main" java.lang.RuntimeException: java.lang.IllegalStateException: Invalid use of SingleClientConnManager: connection still allocated.
Make sure to release the connection before allocating another one.
at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:101)
at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:72)
at $Proxy25.updateSubmission(Unknown Source)
at meera.rest.main.MYRestWorkflow.main(MYRestWorkflow.java:61)
Caused by: java.lang.IllegalStateException: Invalid use of SingleClientConnManager: connection still allocated.
Make sure to release the connection before allocating another one.
at org.apache.http.impl.conn.SingleClientConnManager.getConnection(SingleClientConnManager.java:199)
at org.apache.http.impl.conn.SingleClientConnManager$1.getConnection(SingleClientConnManager.java:173)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:390)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:86)
at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:39)
at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40)
at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:449)
at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:679)
at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:97)
... 3 more
------------------------------------------------------------------------
[ERROR]BUILD ERROR
------------------------------------------------------------------------

So, in order to fix this issue, RESTEasy has a method for releasing the connections which can be done using the following code:

MyResource resource = MyProxyFactory.create(MyResource.class, "resourcePath");
ClientResponse response = (ClientResponse) resource.create();
//Any REST Resource which returns a ClientResponse, has to call releaseConnection to release all the connections back
//to the connection pool
response.releaseConnection();