Allow Dependency Scanning to analyze maven projects without the install step

Problem to solve

When analyzing maven projects, the gemnasium-maven analyzer first runs mvn install on the project. This ensures that multi-module projects (whose modules depend on other, not-yet-built modules in the same project) can be scanned without error.

Not all projects need this functionality. Single-module projects do not need this step, nor do multi-module projects that don't need a submodule built at scan time. The mandatory install step increases analysis run-time and inflates the container resources required by the analyzer.

Proposal

Add an environment variable, DS_MVN_SKIP_INSTALL, for the gemnasium-maven analyzer. With this variable the analyzer can execute the mvn install step conditionally, so users can disable the install when their projects don't require it, reducing build times and the container resources required.

Implementation plan

  • introduce the DS_MVN_SKIP_INSTALL variable (defaulting to false) in the analyzer's flags and install step sections
  • add an integration test (FREEZE branch) to the java-maven project that checks whether the project gets built when DS_MVN_SKIP_INSTALL is set to true (for example, by checking for build artifacts in the target directory)
  • document this variable: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
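
A sketch of how the conditional install step and the artifact check from the plan above could look, as an added shell example that is not the gemnasium-maven analyzer's own code. Only DS_MVN_SKIP_INSTALL comes from the issue; the helper names, the MVN_CMD override and the set of accepted truthy values are assumptions.

```shell
#!/bin/sh
# Added example, not gemnasium-maven's code. Only DS_MVN_SKIP_INSTALL is from
# the issue; helper names, MVN_CMD and the accepted truthy values are assumptions.

# Returns 0 when the given DS_MVN_SKIP_INSTALL value asks to skip mvn install.
# Unset or unrecognised values fall back to the proposed default (false), so a
# typo in the variable never silently disables the build.
skip_install_requested() {
  case "$(printf '%s' "${1:-false}" | tr '[:upper:]' '[:lower:]')" in
    true|1|yes) return 0 ;;
    *)          return 1 ;;
  esac
}

# Runs the install step for the project in $1 unless skipping was requested.
# MVN_CMD defaults to mvn; it exists only so the call can be stubbed in tests.
run_install_step() {
  project_dir="$1"
  if skip_install_requested "${DS_MVN_SKIP_INSTALL:-false}"; then
    echo "DS_MVN_SKIP_INSTALL=${DS_MVN_SKIP_INSTALL}: skipping mvn install"
    return 0
  fi
  echo "running mvn install in $project_dir"
  (cd "$project_dir" && "${MVN_CMD:-mvn}" -q -DskipTests install)
}

# Integration-test style check: did a build leave jar artifacts in any
# target directory below the project? Returns 0 if at least one exists.
has_build_artifacts() {
  project_dir="$1"
  [ -n "$(find "$project_dir" -path '*/target/*.jar' -print 2>/dev/null | head -n 1)" ]
}
```

In the integration test sketched in the plan, the FREEZE branch would run with DS_MVN_SKIP_INSTALL=true and assert that has_build_artifacts fails, while the default run asserts that it succeeds.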

What does success look like, and how can we measure that?

Users will be able to skip the install step when scanning the dependencies of their maven projects.

Edited Aug 28, 2025 by 🤖 GitLab Bot 🤖