Add way to specify a custom certificate chain in the gemnasium-maven analyzer

Problem to solve

Users of Java projects with custom repositories and custom CA chains currently need a workaround to get Dependency Scanning to work.

Instead of being able to add their certificate to the analyzer via CI > Variables, users must modify the analyzer image with a keytool import command (see the offline Maven documentation for an example).

Using this analyzer with custom certificates is currently cumbersome and requires editing the CI template. It would be much better if users could simply supply a variable to the analyzer.

Integration tests:

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

Proposal

Allow the gemnasium-maven analyzer to pick up the ADDITIONAL_CA_CERT_BUNDLE variable at scan time and add its certificate to the analyzer's cacerts Java keystore.

With this variable, users will be able to use private repositories and custom CA certificate chains without modifying the template or making scan-time additions to the analyzer.

Implementation plan

  • add the certificate specified in ADDITIONAL_CA_CERT_BUNDLE to the Java keystore at scan time via a keytool command (e.g. keytool -importcert -file /tmp/internal.crt -cacerts -storepass changeit -noprompt)
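As an added example, not code from the gemnasium-maven analyzer or from GitLab, the following POSIX shell script does what this step describes: it reads ADDITIONAL_CA_CERT_BUNDLE at scan time and imports it into the JDK cacerts truststore with keytool. It goes a little beyond the single keytool call above, because keytool -importcert reads only the first certificate in a file, so a bundle carrying a full chain has to be split and each certificate imported under its own alias. It assumes a JDK 9+ keytool on PATH (the -cacerts flag is not available on JDK 8), the default truststore password "changeit", and that the variable holds either the PEM text or the path of a PEM file; the sample bundle at the end is constructed and its certificate bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not the gemnasium-maven analyzer's own code: import the
# certificate(s) carried by ADDITIONAL_CA_CERT_BUNDLE into the JDK cacerts
# truststore at scan time.
#
# Assumptions (not stated in the issue): a JDK 9+ keytool is on PATH (the
# -cacerts flag does not exist on JDK 8, where
# -keystore "$JAVA_HOME/lib/security/cacerts" is needed instead), the
# truststore still uses the default password "changeit", and the variable
# holds either PEM text or the path of a PEM file.

# split_pem_bundle BUNDLE_FILE OUT_DIR
# keytool -importcert reads only the FIRST certificate in a file, so a chain
# must be split into one file per certificate. Writes cert-1.pem, cert-2.pem,
# ... into OUT_DIR (dropping any comment text between blocks) and prints the
# number of certificates found.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# import_bundle_into_cacerts BUNDLE_FILE
# Imports every certificate from the bundle under its own alias
# (ci-custom-ca-1, ci-custom-ca-2, ...); reusing one alias would make keytool
# refuse the second import. Prints the number imported; returns non-zero if
# any import fails.
import_bundle_into_cacerts() {
    bundle="$1"
    workdir="$(mktemp -d)"
    count="$(split_pem_bundle "$bundle" "$workdir")"
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -file "$workdir/cert-$i.pem" -cacerts \
            -storepass changeit -noprompt -alias "ci-custom-ca-$i" || return 1
        i=$((i + 1))
    done
    rm -rf "$workdir"
    echo "$count"
}

# write_sample_bundle PATH
# Constructed sample bundle for a dry run of the splitter: the bodies are
# placeholders, not real certificates, so keytool cannot import them.
write_sample_bundle() {
    cat > "$1" <<'EOF'
# Internal root CA (constructed placeholder)
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgUk9PVCBDQSBCT0RZ
-----END CERTIFICATE-----
# Internal issuing CA (constructed placeholder)
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgSVNTVUlORyBDQSBCT0RZ
-----END CERTIFICATE-----
EOF
}

# Scan-time entry point: do nothing when the variable is absent, so projects
# without a custom CA are unaffected.
if [ -n "${ADDITIONAL_CA_CERT_BUNDLE:-}" ]; then
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; exit 1; }
    if [ -f "$ADDITIONAL_CA_CERT_BUNDLE" ]; then
        bundle_file="$ADDITIONAL_CA_CERT_BUNDLE"
    else
        bundle_file="$(mktemp)"
        printf '%s\n' "$ADDITIONAL_CA_CERT_BUNDLE" > "$bundle_file"
    fi
    n="$(import_bundle_into_cacerts "$bundle_file")" || exit 1
    echo "imported $n certificate(s) into cacerts"
fi
```

In an analyzer image this would run from the entrypoint before mvn, gradle or sbt resolve dependencies. The splitting and per-certificate aliases are what make a multi-certificate chain work; a single keytool -importcert over the whole bundle silently trusts only its first certificate.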

Documentation

Availability & Testing

  • test in the java-maven, java-gradle, and scala-sbt test projects with a custom registry

What does success look like, and how can we measure that?

Users will be able to pass in a custom Maven repository with a self-signed certificate and have the analyzer scan without certificate errors.

Is this a cross-stage feature?

No.

Links / references

Edited by Igor Frenkel