Dependency Scanning fails for projects using gradle in offline mode
Main issue
This is a sub-issue for #33720 (closed).
Problem to solve
In order to support offline environment deployments (air-gap) for Dependency Scanning on gradle projects, we need to avoid making external calls at runtime in the gemnasium-maven analyzer.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Simone (Software Engineer in Test)
Further details
The gemnasium-maven analyzer tries to download and install the gemnasium-gradle-plugin and other resources at runtime, which fails when the runner has no external network access.
Proposal
Bundle all necessary requirements within the gemnasium-maven analyzer Docker image, or provide a way for users to download them and make them available to the analyzer.
Implementation Plan
- Add the gemnasium-gradle-plugin to the analyzer image at build time
- Add the minimum set of Maven plugins required to build the gemnasium project
Permissions and Security
Documentation
If this requires user setup, then we must update user documentation.
Availability & Testing
- Test the solution on the airgap-test instance: https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/tests/maven-with-local-registry
What does success look like, and how can we measure that?
Maven projects can be successfully scanned in an offline environment.
What is the type of buyer?
Is this a cross-stage feature?
No.
Links / references