Skip to Content
Technical Articles
Author's profile photo Morten Wittrock

CPILint version 1.0.2 is out

CPILint%20logo

Yesterday, I released CPILint version 1.0.2:

CPILint%20console%20output%20showing%20version%20number

CPILint is an open source, command-line tool for SAP Cloud Integration, which lets you automate the governance of your integration flows by writing executable, rule-based development guidelines.

CPILint ships with a number of built-in rules, covering adapters, mapping, scripting, security and more. Once you’ve chosen the rules that make sense in your particular situation, CPILint does the heavy lifting of checking your integration flows for compliance, and presents you with a report of the issues discovered.

If this is the first time your hear about CPILint, please read this blog post for a much more in-depth introduction.

So what’s new in version 1.0.2? First and foremost, this release updates the tool to use the public integration packages API. Version 1.0.1 still used the undocumented API, which no longer works.

1.0.2 also introduces the CPILINT_JAVA_HOME environment variable, which you can use to launch CPILint with a specific Java runtime. Also, the Bash launch script now works correctly on macOS.

You can download CPILint version 1.0.2 from GitHub. If you want to tinker, the full source code and all other files needed to build CPILint is included in the download. Everything you need is available in the CPILint GitHub repository as well, of course. For documentation and installation instructions, please see the project’s wiki.

Have fun with CPILint! If you run into any issues at all, do please let me know. You can do that by either commenting below, or by creating an issue on GitHub.

Assigned Tags

      21 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Michael Kühn
      Michael Kühn

      Hi Morten,

      Thanks for sharing this great tool. Do you support also custom identity providers (e.g. SAP IAS)?

      Unfortunately it doesn't work for us...

      Best regards,
      Michael

      Author's profile photo Morten Wittrock
      Morten Wittrock
      Blog Post Author

      Hi Michael

      The credentials are used for the OData API calls, and I believe you should still use your SAP ID Service user for that, but let me check and get back to you.

      Regards,

      Morten

      P.S. Also make sure that you are actually hitting the correct Tenant Management Node hostname.

      Author's profile photo Michael Kühn
      Michael Kühn

      Hi Morten,

      Thanks a lot for the fast response. For our tenants also basic authentication is "redirected" to our custom IdP. I verified the basic authentication against one of the odata API endpoints.

      Our error message looked like this:
      screenshot

      Finally I solved it by using another client (outside company network). I guess the internet proxy was causing the issues.

      Thank you again for sharing this great tool!

      Best regards,
      Michael

      Author's profile photo Morten Wittrock
      Morten Wittrock
      Blog Post Author

      Happy to hear it worked out 😀

      Author's profile photo Michael Kühn
      Michael Kühn

      Just to share our experience on API authorization with custom IdP: We also faced further authorization issues in Neo environment when using a custom IdP in combination with group mapping between BTP authorization groups and LDAP groups (caused by CPI API). Finally we solved it by manually assigning the technical user ID of IAS (e.g. P000xxx) to the BTP developer group. LDAP username was not working for API authorization (even if automatically mapped to BTP group before & working in CPI environment).

      Author's profile photo Morten Wittrock
      Morten Wittrock
      Blog Post Author

      Hi Michael

      That's useful - thanks for sharing!

      Regards,

      Morten

      Author's profile photo David van Deijk
      David van Deijk

      I am thinkin of extending the tool a bit to make it an information gathering tool to list what resources are being used/addressed, and i created a small pull request to improve user experience a little bit.

      Please let me know what you think about this.

      Author's profile photo Morten Wittrock
      Morten Wittrock
      Blog Post Author

      Hi David

      Thank you very much for you comment and the PR.

      It is actually by choice, that the technical details are not in the regular error messages, that are output to the console. Instead, they go into the debug log (along with a lot of additional information). That means, however, that you need to run the tool again with the -debug option, to generate a log file.

      I should probably make that more clear. Thank you for bringing that to my attention.

      Regards,

      Morten

       

      Author's profile photo David van Deijk
      David van Deijk

      In general I dont mind that structure, but when you are just typing the wrong password or getting a 404 on the wrong URL, it is not very userfriendly to have to open a debug log file to find out such a simple error. That is why I did not change all error reporting, just the ones I ran into during startup.

      The one with the zipfile that is not an iflow is a real bug. It just crashes with a stacktrace on nullpointer exception if there is no manifest in the zipfile.

      Author's profile photo Narayana Gella
      Narayana Gella

      Hi Morten,

      Thanks for this great tool CPILINT. when i am connecting to cpi tenant, i am getting below error. Pls  advise.

       

      Author's profile photo Morten Wittrock
      Morten Wittrock
      Blog Post Author

      Hi Narayana

      If you run the command again with the -debug option, a log file called "cpilint.log" will be created. It will contain more information about what the real problem is.

      Regards,

      Morten

      Author's profile photo Narayana Gella
      Narayana Gella

      Hi Morten,

      Thanks for the reply. i ran the command with debug option and i have got the log file. Here it is :

      16:14:16.384 INFO dk.mwittrock.cpilint.CpiLint - Starting inspection of iflow artifacts
      16:14:16.385 DEBUG d.m.c.api.CloudIntegrationOdataApi - Retrieving iflow artifact from tenant: Claims_Vistex_Demo
      16:14:16.385 DEBUG d.m.c.api.CloudIntegrationOdataApi - Iflow artifact URI generated for ID Claims_Vistex_Demo: https://yy-btp-dev-txxxxxxxx8.it-cpi013-rt.cfapps.us21.hana.ondemand.com/api/v1/IntegrationDesigntimeArtifacts(Id='Claims_Vistex_Demo',Version='active')/$value
      16:14:17.757 ERROR dk.mwittrock.cpilint.CliClient - Iflow artifact supplier error
      dk.mwittrock.cpilint.suppliers.IflowArtifactSupplierError: API error when retrieving iflow
      at dk.mwittrock.cpilint.suppliers.IteratingApiSupplierBase.supply(Unknown Source)
      at dk.mwittrock.cpilint.suppliers.TenantSingleArtifactsSupplier.supply(Unknown Source)
      at dk.mwittrock.cpilint.CpiLint.run(Unknown Source)
      at dk.mwittrock.cpilint.CliClient.main(Unknown Source)
      Caused by: dk.mwittrock.cpilint.api.CloudIntegrationApiError: Iflow artifact ID 'Claims_Vistex_Demo' could not be found
      at dk.mwittrock.cpilint.api.CloudIntegrationOdataApi.getIflowArtifact(Unknown Source)
      ... 4 common frames omitted
      16:14:17.758 INFO dk.mwittrock.cpilint.CliClient - Exiting CliClient with error status 2 and message: There was an error while retrieving iflow artifacts: API error when retrieving iflow

      Please advise on this fix ?

      Author's profile photo Morten Wittrock
      Morten Wittrock
      Blog Post Author

      Hi Narayana

      This looks to me like the iflow ID is wrong. Please double-check that it matches the one in the tenant.

      Regards,

      Morten

      Author's profile photo Narayana Gella
      Narayana Gella

      Hi Morten,

      Thank you for your reply. the issue was with host name and now we are able to connect CPI tenant directly. One last question, We want to inspect externalization parameters through CPILINT tool. Is there any possible way/ workaround solution for checking every field in the adapter should be externalized as per the given scope of externalization in CPI.

      Kind regards,

      Narayana.

      Author's profile photo Morten Wittrock
      Morten Wittrock
      Blog Post Author

      Hi Narayana

      That's not something that's currently supported. But I like the idea a lot, actually. I'll add it to the to-do list 😀

      Regards,

      Morten

      Author's profile photo Narayana Gella
      Narayana Gella

      Hi Morten,

      Thanks for the confirmation. we are waiting for that feature to release...One more last question 🙂

      how to add new values to the enumeration ? As an example, I want to add the following iflow steps to the rules so that it will be inspected through CPILINT tool.

      looping-process-call.name
      process-call.name
      local-integration-process.name
      exception-subprocess.name
      splitter.name
      router.name
      pgp-encryptor.name
      pkcs7-encryptor.name
      pgp-decryptor.name
      pkcs7-decryptor.name
      filter.name
      content-enricher.name
      message-digest.name
      persist.name
      sequential-multicast.name
      parallel-multicast.name
      join.name
      aggregator.name
      gather.name

      Kind regards,

      Narayana.

      Author's profile photo Morten Wittrock
      Morten Wittrock
      Blog Post Author

      Hi Narayana

      I like your enthusiasm! Each constant in that enumeration in the rules file is backed by a piece of code, so sadly it's not enough to extend the enumeration. But the NamingConventions rule will support even more steps in the next release.

      And do keep asking questions; I'm happy to answer them!

      Regards,

      Morten

      Author's profile photo Subhadeep Banerjee
      Subhadeep Banerjee

      Hi Morten,

      We recently removed default idp user authentication for our tenants. Now we are using custom idp. Earlier with the default S-user cilint was working fine but now it is throwing an error. Could this tool work with custom idp user or we must stick to a default idp user for this tool at the moment ?

       

      Author's profile photo Morten Wittrock
      Morten Wittrock
      Blog Post Author

      Hi Subhadeep

      IdP user should not be a problem. Please see this page. Alternative 1: Create a service key with the "api" plan and assign the required roles to it. Alternative 2: Copypaste the error message and we can have a look 🙂

      Regards,

      Morten

      Author's profile photo Subhadeep Banerjee
      Subhadeep Banerjee

      Hello Morten,

      As suggested we tried going for the first alternative. We created a service key with a WorkspacePackagesRead role. When we are using the clientid and secret we still get the same error on cilint. We could see on the audit logs the authentication type being used is OpenIdConnect in this case.

       

      Regards,

      Subhadeep.

      Author's profile photo Morten Wittrock
      Morten Wittrock
      Blog Post Author

      Hi Subhadeep

      I need to see those logs, then. I've followed you here on the SAP Community. If you follow me back, we can use the messaging system and take it from there.

      Regards,

      Morten