Host asdf compatible java versions locally
Problem to solve
gemnasium-maven and license-management both use asdf to install multiple versions of java from api.adoptopenjdk.net. However, this endpoint sometimes goes down or has breaking changes, which causes the analyzer build stage to fail.
The purpose of this issue is to create our own asdf-compatible .deb packages corresponding to the various supported java versions (8, 11, 13, 14) so we don't need to rely on api.adoptopenjdk.net at build time. We can still use api.adoptopenjdk.net as the source for these .deb packages, but by building and hosting them locally, our analyzers can still be built even if api.adoptopenjdk.net stops working.
See this discussion for more details.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Proposal
- Use GitLab artifact hosting for initial PoC
- Add a step in the install.sh Docker build script to download the latest artifacts when building the image.
- At scan time, use dpkg -i tool-version.deb to uncompress and install the desired version
In the future, we can request .deb package support in omnibus so we don't need to rely on using GitLab artifact hosting
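One way the scan-time install step could look, as an added example and not code from gemnasium-maven or license-management. The java-<version>.deb naming, the /opt/java-debs directory, the SHA256SUMS manifest and the DPKG override are assumptions; the checksum pin is an addition so that a locally hosted package is verified before dpkg installs it.

```shell
#!/bin/sh
# Added example: scan-time install of a locally hosted java .deb.
# Assumptions (not from the issue): packages are named java-<version>.deb,
# sit in PKG_DIR next to a SHA256SUMS manifest, and DPKG can be overridden.
PKG_DIR="${PKG_DIR:-/opt/java-debs}"   # hypothetical path filled at image build
DPKG="${DPKG:-dpkg}"
SUPPORTED_JAVA="8 11 13 14"            # versions listed in the issue

# Print the package path for a supported version; fail for anything else.
resolve_deb() {
  for v in $SUPPORTED_JAVA; do
    if [ "$v" = "$1" ]; then
      echo "$PKG_DIR/java-$1.deb"
      return 0
    fi
  done
  echo "unsupported java version: $1" >&2
  return 1
}

# Compare the package digest with the one pinned in the manifest.
verify_deb() {
  deb="$1"
  manifest="$PKG_DIR/SHA256SUMS"
  [ -f "$deb" ] && [ -f "$manifest" ] || return 1
  expected=$(awk -v f="$(basename "$deb")" '$2 == f { print $1 }' "$manifest")
  actual=$(sha256sum "$deb" | cut -d' ' -f1)
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Install the requested version only if it resolves and verifies.
install_java() {
  deb=$(resolve_deb "$1") || return 1
  if ! verify_deb "$deb"; then
    echo "checksum mismatch or missing package: $deb" >&2
    return 1
  fi
  $DPKG -i "$deb"
}
```

Generating SHA256SUMS in the job that builds the .deb packages and baking it into the image keeps the pinned digests independent of the download performed at image build time.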
Documentation
Availability & Testing
What does success look like, and how can we measure that?
Analyzer build stage will continue functioning even if api.adoptopenjdk.net stops responding
What is the type of buyer?
Is this a cross-stage feature?
This feature will affect gemnasium-maven and license-management. The process of hosting the .deb packages in omnibus may also have some crossover with Engineering Research: Have a plan for Splitting analyze and build phases in Security Products analyzers