Dependency Scanning fails for projects using scala in offline mode
Main issue
This is a sub-issue for #33720 (closed).
Problem to solve
To support offline (air-gapped) deployments of Dependency Scanning for Scala sbt
projects, the gemnasium-maven analyzer must not make external network calls at analysis time.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Simone (Software Engineer in Test)
Further details
The gemnasium-maven analyzer tries to install the analysis plugin (sbt-dependency-graph) and other resources when it runs the analysis. This should happen at image build time instead, so that the plugin is packaged with the image and does not need to be downloaded into the user's scanning environment.
Proposal
Bundle all necessary requirements within the gemnasium-maven analyzer Docker image, or provide a way for users to download them and make them available to the analyzer.
Implementation Plan
- add the analysis plugin at build time
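The following Dockerfile fragment is an added illustration of the build-time approach described above; it is not the analyzer's actual Dockerfile. The base image name, the sbt, Scala and plugin versions, and the cache paths under /opt/sbt are assumptions chosen for the example. The point it shows is that registering the plugin is not enough on its own: the sbt launcher, the sbt runtime and the plugin's artifacts must also be resolved into the image's caches while the build still has network access, and the analyzer must then be told to resolve from those caches only.

```dockerfile
# Added example, not the analyzer's actual Dockerfile. Assumptions: the base
# image already provides a JDK and sbt on PATH; the sbt, Scala and plugin
# versions below are placeholders to be pinned to what the analyzer supports.
FROM sbt-base-image:latest

ARG SBT_VERSION=1.3.13
ARG SCALA_VERSION=2.13.3
ARG SBT_DEPENDENCY_GRAPH_VERSION=0.9.2

# Keep every sbt cache inside the image (not under a per-user home directory)
# so the warmed artifacts are still found when the analyzer runs as another
# user or with a project directory mounted in.
ENV SBT_OPTS="-Dsbt.global.base=/opt/sbt/global -Dsbt.boot.directory=/opt/sbt/boot -Dsbt.ivy.home=/opt/sbt/ivy"
ENV COURSIER_CACHE=/opt/sbt/coursier

# 1. Register sbt-dependency-graph as a global plugin. Global plugins live in
#    <sbt.global.base>/plugins, so scanned projects pick it up without any
#    change to their own project/plugins.sbt.
RUN mkdir -p /opt/sbt/global/plugins && \
    printf 'addSbtPlugin("net.virtual-void" %% "sbt-dependency-graph" %% "%s")\n' \
      "${SBT_DEPENDENCY_GRAPH_VERSION}" > /opt/sbt/global/plugins/plugins.sbt

# 2. Pull the sbt launcher, the sbt runtime, the Scala compiler and the plugin
#    into the image caches now, while the build still has network access, by
#    running the plugin's task once against a throw-away project.
RUN mkdir -p /tmp/warmup/project && \
    echo "sbt.version=${SBT_VERSION}" > /tmp/warmup/project/build.properties && \
    echo "scalaVersion := \"${SCALA_VERSION}\"" > /tmp/warmup/build.sbt && \
    cd /tmp/warmup && sbt -batch dependencyTree && \
    rm -rf /tmp/warmup

# 3. From here on sbt must resolve from the local caches only, so a scan in an
#    air-gapped environment fails fast instead of hanging on an unreachable
#    repository.
ENV SBT_OPTS="${SBT_OPTS} -Dsbt.offline=true"
```

Two caveats for whoever implements this. First, the warm-up only covers the analyzer's own requirements; the scanned project's dependencies are not in the image, so users in an air-gapped environment still need an internal mirror, and sbt's documented way to force all resolution through it is a `repositories` file combined with `-Dsbt.override.build.repos=true` (that is the "make it available to the analyzer" half of the proposal). Second, the check that actually proves the point is to run the built image against a sample sbt project with networking disabled, for example `docker run --network none`, and confirm that `dependencyTree` still succeeds; a warm-up that silently missed an artifact only shows up there.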
Permissions and Security
Documentation
If this requires user setup, then we must update user documentation.
Availability & Testing
- Test the solution on the airgap-test instance:
What does success look like, and how can we measure that?
Scala sbt projects can be scanned successfully in an offline environment, with the analyzer making no external network calls at analysis time.
What is the type of buyer?
Is this a cross-stage feature?
No.