Dependency Scanning fails for projects using maven in offline mode

Main issue

This is a sub-issue for #33720 (closed).

Problem to solve

In order to support offline environment deployments (air-gap) for Dependency Scanning on maven project, we need to avoid making external calls at runtime in the gemnasium-maven analyzer.

Intended users

Further details

The gemnasium-maven analyzer tries to install gemnasium-maven-plugin and other resources when running. These install flags are not configurable via environment variables.

Proposal

Bundle all necessary requirements within the gemnasium-maven analyzer Docker image, or provide a way for users to download them and make them available to the analyzer.

Implementation Plan

  • add maven plugins at build time to allow a minimal mvn install
  • add gemnasium-maven-plugin at build time
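Whichever of the two options is taken, the runtime failure mode is the same: `mvn` in offline mode (`mvn -o`) aborts as soon as a plugin or dependency is missing from the local repository. The script below is an added example, not code from the gemnasium-maven analyzer or the GitLab project: it is a pre-flight check that maps Maven coordinates to the paths Maven expects under a local repository and reports which artifacts would be missing before an offline run. The coordinates and the repository directory it uses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the analyzer): verify that a local Maven
# repository already contains the artifacts an offline build will need.

# Map "groupId:artifactId:version[:packaging]" to the relative path Maven
# uses under the local repository: groupId dots become directories, and the
# file is named <artifactId>-<version>.<packaging> (packaging defaults to jar).
coord_to_path() {
  coord="$1"
  group=$(printf '%s' "$coord" | cut -d: -f1 | tr . /)
  artifact=$(printf '%s' "$coord" | cut -d: -f2)
  version=$(printf '%s' "$coord" | cut -d: -f3)
  packaging=$(printf '%s' "$coord" | cut -d: -f4)
  [ -n "$packaging" ] || packaging=jar
  printf '%s/%s/%s/%s-%s.%s\n' \
    "$group" "$artifact" "$version" "$artifact" "$version" "$packaging"
}

# Usage: check_offline_repo <repo-dir> <coordinate>...
# Returns 0 when every coordinate is present under <repo-dir>, 1 otherwise,
# listing the missing ones on stderr so they can be fetched while still online.
check_offline_repo() {
  repo="$1"
  shift
  missing=0
  for c in "$@"; do
    rel=$(coord_to_path "$c")
    if [ ! -f "$repo/$rel" ]; then
      echo "MISSING: $c ($repo/$rel)" >&2
      missing=1
    fi
  done
  return $missing
}

# Demo on a constructed repository: one artifact is present, one is not.
demo_repo=$(mktemp -d)
mkdir -p "$demo_repo/org/example/present-lib/1.0.0"
: > "$demo_repo/org/example/present-lib/1.0.0/present-lib-1.0.0.jar"

if check_offline_repo "$demo_repo" \
     org.example:present-lib:1.0.0 \
     org.example:absent-plugin:2.3.4:pom; then
  echo "repository is complete; mvn -o can run"
else
  echo "repository is incomplete; populate it while online (see note below)"
fi
rm -rf "$demo_repo"
```

Point the check at the repository the analyzer will actually use (the default `~/.m2/repository`, or whatever `-Dmaven.repo.local` is set to). Artifacts it reports as missing are the ones to pull while the image is being built or while a network is still available, for example with `mvn -B dependency:go-offline` run against the project, after which the scan itself can be invoked with `mvn -o`.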

Permissions and Security

Documentation

If this requires user setup, then we must update user documentation.

Availability & Testing

Test solution on the airgap-test instance: https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/tests/maven-with-local-registry

What does success look like, and how can we measure that?

Maven projects can be successfully scanned in an offline environment.

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

No.

Links / references

Edited by Igor Frenkel