Dependency Scanning fails for projects using maven in offline mode
Main issue
This is a sub-issue for #33720 (closed).
Problem to solve
In order to support offline environment deployments (air-gap) for Dependency Scanning on Maven projects, we need to avoid making external calls at runtime in the gemnasium-maven analyzer.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Simone (Software Engineer in Test)
Further details
The gemnasium-maven analyzer tries to install gemnasium-maven-plugin and other resources when it runs; these install steps are not configurable via environment variables.
Proposal
Bundle all necessary requirements within the gemnasium-maven analyzer Docker image, or provide a way for users to download them and make them available to the analyzer.
Implementation Plan
- add Maven plugins at build time to allow a minimal `mvn install`
- add gemnasium-maven-plugin at build time
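One way to carry out both steps at image build time, shown here as an added illustration rather than the analyzer's own Dockerfile: a bootstrap pom.xml declares the plugins a scan invokes, the build pre-fetches them and the gemnasium-maven-plugin into the image's local Maven repository while the network is still reachable, and then re-runs the same goals with `-o` so the image build fails if anything would still need the network at scan time. The base image, the bootstrap pom path, the working directory and the plugin coordinates are assumptions; the issue does not state them.

```dockerfile
# Added example, not the gemnasium-maven analyzer's own Dockerfile.
# Base image and file paths are assumptions.
FROM maven:3-eclipse-temurin-17

# The gemnasium-maven-plugin coordinates are not stated in the issue;
# replace the placeholder with --build-arg at build time.
ARG GEMNASIUM_PLUGIN=PLACEHOLDER_GROUP:gemnasium-maven-plugin:PLACEHOLDER_VERSION

# A minimal pom.xml (path assumed) that lists every plugin a scan invokes,
# so resolve-plugins can fetch them and their transitive dependencies now
# instead of at scan time.
COPY build/bootstrap-pom.xml /tmp/bootstrap/pom.xml
WORKDIR /tmp/bootstrap

# 1. Populate ~/.m2/repository while the network is still available.
RUN mvn -B dependency:resolve-plugins dependency:go-offline \
 && mvn -B dependency:get -Dartifact="$GEMNASIUM_PLUGIN"

# 2. Prove it: the same goals must succeed with --offline. If any artifact
#    is still missing, Maven fails here and the image is not built, rather
#    than failing later inside the air-gapped runner.
RUN mvn -o -B dependency:resolve-plugins dependency:go-offline \
 && mvn -o -B dependency:get -Dartifact="$GEMNASIUM_PLUGIN"

RUN rm -rf /tmp/bootstrap

# Scan-time working directory (assumed: the project to scan is mounted here).
# Running Maven with -o makes a missing artifact an immediate error instead
# of a hang on an unreachable repository.
WORKDIR /project
ENTRYPOINT ["mvn", "-o", "-B", "install"]
```

`-o` is `--offline` and `-B` is `--batch-mode`. The pre-fetched repository lives under the build user's `~/.m2/repository`; if the analyzer later runs Maven as a different user, point it at the same directory with `-Dmaven.repo.local=<path>` or the offline check in step 2 will pass at build time and the scan will still fail at runtime.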
Permissions and Security
Documentation
If this requires user setup, then we must update user documentation.
Availability & Testing
Test solution on the airgap-test instance: https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/tests/maven-with-local-registry
What does success look like, and how can we measure that?
Maven projects can be successfully scanned in an offline environment.
What is the type of buyer?
Is this a cross-stage feature?
No.