Support specifying java version at scan time for the gemnasium-maven analyzer
Problem to solve
The gemnasium-maven analyzer is currently on jdk11. We have received several user requests to use Dependency Scanning with jdk13 and jdk14 projects. Additionally, users have continued asking us how to use Dependency Scanning on jdk8 projects.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Proposal
There are several proposals possible (this list is non-exhaustive):
- update our documentation to instruct users on how to rebuild our analyzer images with a different jdk
- publish multiple versions of the analyzer supporting different java versions
- allow users to specify the java version to be used at scan time.
- don't update the analyzer but rather wait for Dependency Scanning to migrate to a build/scan phase split (as captured in this epic).
Options 1 and 2 are simpler in terms of engineering cost, but both have drawbacks: more complexity for the user and more operational complexity for us (e.g. maintaining one analyzer image per java version).
Option 3 would work well since it allows fine grained control of the java version for users. It is in line with other analyzer variables we use to configure images. And it would be similar to the way SAST and License Compliance (see SAST_JAVA_VERSION and LM_JAVA_VERSION) handle different jdk versions.
Option 4 is the best option. It would allow us to simplify the analyzer significantly and give users maximum versatility. The implementation plan below does not cover it, since it is already broken down in #13477 (closed).
Implementation plan
- introduce the variable DS_JAVA_VERSION
- install all supported Java versions in the Dockerfile, similar to how this is done in Spotbugs:
  - jdk8
  - jdk11
  - jdk13
  - jdk14
- add the asdf version manager to the analyzer at build time
- at scan time, switch the default java version if the user-specified version does not match it. This is similar to how Spotbugs does it in its run.sh script; however, this functionality will be implemented as part of the gemnasium-maven analyzer code.
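As an added example (not code from the gemnasium-maven analyzer or from the Spotbugs run.sh), the scan-time step above written in Go, the analyzer's own language: validate DS_JAVA_VERSION against the allow-list of installed majors, map it to a JDK installed through asdf, and only switch when it differs from the one already active. The version names in sampleAsdfList are constructed, the "<vendor>-<version>" naming scheme and the use of `asdf list java` / `asdf global java` are assumptions about the asdf java plugin, and none of the function names are specified by this issue.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// DSJavaVersionVar is the CI variable proposed in this issue.
const DSJavaVersionVar = "DS_JAVA_VERSION"

// DefaultJavaVersion is what the analyzer image ships with today.
const DefaultJavaVersion = "11"

// SupportedJavaVersions is the allow-list of majors the plan installs via asdf.
var SupportedJavaVersions = []string{"8", "11", "13", "14"}

// ErrUnsupportedJavaVersion: the job should fail loudly on a bad value rather
// than silently scanning with a JDK the user did not ask for.
var ErrUnsupportedJavaVersion = errors.New("unsupported " + DSJavaVersionVar)

// sampleAsdfList is constructed output in the shape of `asdf list java`
// (one version per line, the active one marked with '*'). It is used only when
// asdf is not on PATH so the example runs offline; the names are illustrative.
const sampleAsdfList = "  adoptopenjdk-8.0.265+1\n  adoptopenjdk-11.0.8+10\n  openjdk-13.0.2\n *openjdk-14.0.1\n"

// ResolveRequestedVersion validates the raw variable against the allow-list.
// An empty value keeps the current default so existing pipelines are unaffected.
func ResolveRequestedVersion(raw string) (string, error) {
	v := strings.TrimSpace(raw)
	if v == "" {
		return DefaultJavaVersion, nil
	}
	for _, s := range SupportedJavaVersions {
		if v == s {
			return v, nil
		}
	}
	return "", fmt.Errorf("%w: %q (supported: %s)",
		ErrUnsupportedJavaVersion, v, strings.Join(SupportedJavaVersions, ", "))
}

// majorOf extracts the major version from an asdf java version name, assuming
// "<vendor>-<version>" naming such as "openjdk-14.0.1". Legacy "1.8.0_x"
// strings are mapped to "8".
func majorOf(name string) string {
	var ver string
	for _, part := range strings.Split(name, "-") {
		if part != "" && part[0] >= '0' && part[0] <= '9' {
			ver = part
			break
		}
	}
	if ver == "" {
		return ""
	}
	comps := strings.Split(strings.SplitN(ver, "+", 2)[0], ".")
	if comps[0] == "1" && len(comps) > 1 {
		return strings.SplitN(comps[1], "_", 2)[0]
	}
	return comps[0]
}

// SelectInstalledVersion picks the installed asdf version whose major matches
// the requested one and reports whether it is already the active version.
func SelectInstalledVersion(requested, asdfList string) (name string, active bool, err error) {
	for _, line := range strings.Split(asdfList, "\n") {
		l := strings.TrimSpace(line)
		isActive := strings.HasPrefix(l, "*")
		n := strings.TrimSpace(strings.TrimPrefix(l, "*"))
		if n != "" && majorOf(n) == requested {
			return n, isActive, nil
		}
	}
	return "", false, fmt.Errorf("java %s requested via %s but no matching JDK is installed", requested, DSJavaVersionVar)
}

// ActivateJavaVersion switches the default JDK with `asdf global java <name>`.
// The name comes from asdf's own list, never straight from the CI variable, and
// exec.Command passes it as an argument, so no shell ever parses it.
func ActivateJavaVersion(name string) error {
	cmd := exec.Command("asdf", "global", "java", name)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd.Run()
}

func main() {
	requested, err := ResolveRequestedVersion(os.Getenv(DSJavaVersionVar))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	list, haveAsdf := sampleAsdfList, false
	if out, err := exec.Command("asdf", "list", "java").Output(); err == nil {
		list, haveAsdf = string(out), true
	}
	name, active, err := SelectInstalledVersion(requested, list)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if active {
		fmt.Printf("java %s (%s) is already the default, nothing to do\n", requested, name)
		return
	}
	if !haveAsdf {
		fmt.Printf("asdf not found; would run: asdf global java %s\n", name)
		return
	}
	if err := ActivateJavaVersion(name); err != nil {
		fmt.Fprintln(os.Stderr, "switching java version failed:", err)
		os.Exit(1)
	}
}
```

Failing the job on an unknown value is deliberate: a scan that silently runs on a different JDK than the project expects can fail to build the project or resolve its dependencies differently, which is worse than a clear error. Because the value is allow-listed before use and the asdf version name is passed as a separate argument rather than through a shell, a user-controlled CI variable cannot turn into command injection inside the analyzer container.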
Documentation
- update the Dependency Scanning documentation with the new variable and explain which java versions are supported
- when this documentation is done, close #213631 (closed) and #213057 (closed) with a link to the documentation on how to specify the version and when users can use those directions (i.e. with the release of 13.1, after downloading the new container, or both)
Availability & Testing
For java-maven, java-gradle, and scala-sbt test projects add tests for:
- java 8
- java 11
- java 13
- java 14
See the Testing section of the MR for more details
What does success look like, and how can we measure that?
Users will be able to scan dependencies for projects using any of the supported java versions.
Is this a cross-stage feature?
No.