gemnasium-maven docker image requires installation of gemnasium-maven-plugin

Problem to solve

When scanning Java projects in a self-managed, intranet-only environment, the gemnasium-maven Docker image depends on the gemnasium-maven-plugin. At the moment this plugin is downloaded and installed at scan time, which means the Maven registry reachable from the intranet must host this plugin in order for the analyzer to function.

```yaml
include:
  - template: License-Scanning.gitlab-ci.yml

variables:
  DS_ANALYZER_IMAGE_PREFIX: "gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal:4567/analyzers"
  DS_DEFAULT_ANALYZERS: "gemnasium-maven"
  DS_DISABLE_DIND: "true"
  GEMNASIUM_DB_REMOTE_URL: "https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/analyzers/gemnasium-db.git"
  GIT_SSL_NO_VERIFY: 'true'
  MAVEN_CLI_OPTS: --settings gitlab-settings.xml -Dorg.slf4j.simpleLogger.log.org.codehaus.mojo.license=debug -Dmaven.wagon.http.ssl.allowall=true -Dmaven.wagon.http.ssl.ignore.validity.dates=true -Dmaven.wagon.http.ssl.insecure=true
  SECURITY_SCANNER_IMAGE_PREFIX: "gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal:4567/analyzers"
```

```text
$ /analyzer run
 Found project in /builds/tests/test-license-scanning
 From https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/analyzers/gemnasium-db
  * branch              master     -> FETCH_HEAD
  + 3593530c...e38f8047 master     -> origin/master  (forced update)
 HEAD is now at e38f8047 Merge branch 'adbcurate/CVE-2020-2135.yml' into 'master'
 Identified maven project
 [INFO] Scanning for projects...
 Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-dependency-plugin/2.8/maven-dependency-plugin-2.8.pom
 [INFO] ------------------------------------------------------------------------
 [INFO] BUILD FAILURE
 [INFO] ------------------------------------------------------------------------
 [INFO] Total time:  34.428 s
 [INFO] Finished at: 2020-03-27T02:38:28Z
 [INFO] ------------------------------------------------------------------------
 [ERROR] Plugin org.apache.maven.plugins:maven-dependency-plugin:2.8 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-dependency-plugin:jar:2.8: Could not transfer artifact org.apache.maven.plugins:maven-dependency-plugin:pom:2.8 from/to central (https://repo.maven.apache.org/maven2): Transfer failed for https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-dependency-plugin/2.8/maven-dependency-plugin-2.8.pom: Connect to repo.maven.apache.org:443 [repo.maven.apache.org/151.101.52.215] failed: Connection timed out (Connection timed out) -> [Help 1]
 [ERROR] 
 [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
 [ERROR] Re-run Maven using the -X switch to enable full debug logging.
 [ERROR] 
 [ERROR] For more information about the errors and possible solutions, please read the following articles:
 [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginResolutionException
 exit status 1
```

https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/tests/test-license-scanning/-/merge_requests/3

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

Further details

Proposal

I propose that we install the gemnasium-maven-plugin into the Maven local repository ($HOME/.m2/repository) when we build the Docker image. This will reduce the need for hosting the package on private Maven repositories and will improve scan speed, because the plugin will already be installed instead of the analyzer having to reach out to the network to install it.
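Whether the plugin is baked into the image or mirrored on the intranet registry, the thing to verify before shipping the image is that every artifact a scan needs is already present in the local repository, so nothing has to be fetched at scan time. The failing job log above shows this applies to more than the gemnasium plugin itself: Maven tried to fetch org.apache.maven.plugins:maven-dependency-plugin:2.8 from central and timed out. The following POSIX shell script is an added example, not code from GitLab or the gemnasium-maven analyzer. It maps Maven coordinates to the local-repository layout, reports any listed artifact whose .pom or .jar is missing, and demonstrates itself against a constructed temporary repository rather than a real ~/.m2. The gemnasium plugin's groupId and version are not given in this issue, so the coordinates used for it are a placeholder.

```shell
#!/bin/sh
# Added example (not GitLab's or the analyzer's code): check that the plugins a
# scan depends on are already present in a Maven local repository, so an
# intranet-only scan never has to reach repo.maven.apache.org.
#
# Coordinates are "groupId:artifactId:version". The gemnasium plugin's real
# groupId and version are not stated in the issue; the value below is a
# placeholder to be replaced.

# Map coordinates to the artifact's directory inside the repository, e.g.
#   org.apache.maven.plugins:maven-dependency-plugin:2.8 ->
#   <repo>/org/apache/maven/plugins/maven-dependency-plugin/2.8
m2_artifact_dir() {
  # $1 = repository root, $2 = coordinates
  group=$(printf '%s' "$2" | cut -d: -f1 | tr . /)
  artifact=$(printf '%s' "$2" | cut -d: -f2)
  version=$(printf '%s' "$2" | cut -d: -f3)
  printf '%s/%s/%s/%s\n' "$1" "$group" "$artifact" "$version"
}

# Return 0 only if both the .pom and the .jar for the coordinates exist
# (Maven resolves the descriptor first, which is exactly what failed above).
m2_has_artifact() {
  dir=$(m2_artifact_dir "$1" "$2")
  artifact=$(printf '%s' "$2" | cut -d: -f2)
  version=$(printf '%s' "$2" | cut -d: -f3)
  [ -f "$dir/$artifact-$version.pom" ] && [ -f "$dir/$artifact-$version.jar" ]
}

# Check every coordinate in the whitespace-separated list $2 against the
# repository $1; print the status of each and return 1 if any is missing.
m2_check_all() {
  repo=$1
  missing=0
  for coord in $2; do
    if m2_has_artifact "$repo" "$coord"; then
      echo "present: $coord"
    else
      echo "MISSING: $coord (a scan would try to download it)"
      missing=1
    fi
  done
  return $missing
}

# Demo-only helper: populate a constructed repository with empty .pom/.jar
# files for the coordinates. It stands in for the real fetch done at image
# build time (for instance `mvn dependency:get -Dartifact=<coordinates>`).
m2_fake_install() {
  dir=$(m2_artifact_dir "$1" "$2")
  artifact=$(printf '%s' "$2" | cut -d: -f2)
  version=$(printf '%s' "$2" | cut -d: -f3)
  mkdir -p "$dir"
  : > "$dir/$artifact-$version.pom"
  : > "$dir/$artifact-$version.jar"
}

# Run the check against a constructed temporary repository, not ~/.m2/repository.
# The maven-dependency-plugin is installed; the placeholder gemnasium plugin is
# deliberately left out so the check reports it.
demo() {
  repo=$(mktemp -d)
  m2_fake_install "$repo" "org.apache.maven.plugins:maven-dependency-plugin:2.8"
  m2_check_all "$repo" "org.apache.maven.plugins:maven-dependency-plugin:2.8 com.example:gemnasium-maven-plugin-PLACEHOLDER:0.0.0"
  status=$?
  rm -rf "$repo"
  return $status
}

demo
```

In an image build, the same check can run as the last step after the plugins have been fetched into $HOME/.m2/repository, and a scan that is then run with Maven's offline flag (`mvn -o`) fails fast on anything still missing instead of hanging on a connection timeout as in the log above. One caveat visible in the job configuration on this page: the MAVEN_CLI_OPTS and GIT_SSL_NO_VERIFY settings disable TLS certificate validation to reach the intranet registry; pre-installing the plugin removes one of the reasons a scan needs network access at all, which makes it easier to drop those settings.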

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references