Update SAST spotbugs (formerly find-sec-bugs) analyzer with Java 11
Problem to solve
Java 11 is an LTS release, and we can expect more and more projects to require it. Oracle is stopping updates to Java 8, the previous LTS. The find-sec-bugs SAST analyzer carries a Java 8 SDK and cannot build Java 11 projects, so more and more users will run into trouble using SAST with their Java projects.
This is the case, for example, with WebGoat: find-sec-bugs fails to build it and, of course, fails to find vulnerabilities in it.
Target audience
- Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha
- Sam, Security Analyst, https://design.gitlab.com/research/personas#persona-sam
Proposal
I propose adding a Java 11 JDK to the find-sec-bugs Docker image, and adding and documenting a configuration environment variable to switch to it, for example SAST_JAVA_VERSION, which would be restricted to "8" or "11".
The default version would be Java 8, as it is now.
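As an added illustration (not code from this proposal or from the analyzer image), a POSIX shell entrypoint fragment showing how the image could honour SAST_JAVA_VERSION: empty or unset keeps the current default of 8, "11" selects the new JDK, and any other value is rejected instead of silently falling back. The JDK install paths are assumed placeholders.

```shell
# Added example: select the JDK inside the analyzer image from SAST_JAVA_VERSION.
# The install paths below are assumptions, not the real image layout.
JDK8_HOME="/opt/jdk-8"     # assumed location of the existing Java 8 JDK
JDK11_HOME="/opt/jdk-11"   # assumed location of the proposed Java 11 JDK

# Print the JAVA_HOME for the requested version on stdout.
# Accepts only "8" or "11"; an unset or empty value keeps the current default, 8.
# Any other value (including "11.0" or "latest") fails with status 2 so the
# job stops with a clear message rather than building with the wrong JDK.
select_java_home() {
  version="${1:-8}"
  case "$version" in
    8)  printf '%s\n' "$JDK8_HOME" ;;
    11) printf '%s\n' "$JDK11_HOME" ;;
    *)
      printf 'SAST_JAVA_VERSION must be "8" or "11", got "%s"\n' "$version" >&2
      return 2
      ;;
  esac
}

# Export JAVA_HOME and PATH for the rest of the entrypoint; propagate failure.
configure_java() {
  JAVA_HOME="$(select_java_home "${SAST_JAVA_VERSION:-}")" || return $?
  export JAVA_HOME
  PATH="$JAVA_HOME/bin:$PATH"
  export PATH
}
```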
What does success look like, and how can we measure that?
Users with Java 11 projects can run find-sec-bugs on them. This can be measured by the number of occurrences of the SAST_JAVA_VERSION CI/CD variable in the database.
Links / references
https://www.oracle.com/technetwork/java/java-se-support-roadmap.html