Update SAST spotbugs (formerly find-sec-bugs) analyzer with Java 11
Problem to solve
Java 11 is a LTS release and we can expect more and more projects to require it. Oracle is stopping updates to Java 8, the previous LTS. The find-sec-bugs SAST analyzer carries a Java 8 SDK and cannot build Java 11 projects so more and more users will run into trouble using SAST with their Java projects.
This is the case for example with WebGoat, find-sec-bugs fails to build it and of course, fails to find vulnerabilities in it.
Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha
Sam, Security Analyst, https://design.gitlab.com/research/personas#persona-sam -->
I propose adding a Java 11 JDK to the find-sec-bugs docker image and add and document a configuration environment variable to switch to it. For example,
SAST_JAVA_VERSION which would be restricted to "8" or "11".
The default version would be Java 8, as it is now.
What does success look like, and how can we measure that?
Users with Java 11 projects can run find-sec-bugs on them. Can be measured by the number of occurrences of the
SAST_JAVA_VERSION CI/CD variable in the database.