Support Java 17 for Dependency Scanning

Release notes

We have added support for Java 17 to Dependency Scanning, thanks to the assistance of community contributors @rpandini_wh and @gliDom. If you are using the latest, or latest major (2), version of the container, you do not need to do anything to receive this update. If you have pinned your container to a minor or specific version, please update to at least 2.26.0 to receive this update.

Problem to solve

Dependency Scanning currently supports Java up to version 16. Version 17 made it to general availability recently (2021-09-14) and should be supported as well.

Related details

See this comment for more details.

Proposal

Add Java 17 support for Dependency Scanning, without introducing any breaking changes.

Implementation Plan

  1. Update .tool-versions in gemnasium-maven and add gradle 7.3.3, keeping gradle 6.7.1 as the default (the first listed version is the default):

    - gradle 6.7.1
    + gradle 6.7.1 7.3.3
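
    Review bot: the new line `gradle 6.7.1 7.3.3` relies on ordering to keep 6.7.1 as the default, and nothing in the file records that. A later edit that sorts or reorders the versions would silently change the default gradle for every project that does not set DS_JAVA_VERSION=17. Consider a comment line above the entry stating that the first listed version is the default and must stay first.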

    gitlab-org/security-products/analyzers/gemnasium-maven!164 (merged)

  2. Update .tool-versions in gemnasium-maven and add adoptopenjdk-17.0.2+8 to the list of Java versions:

    - java adoptopenjdk-11.0.7+10.1 adoptopenjdk-8.0.252+9.1 adoptopenjdk-13.0.2+8.1 adoptopenjdk-14.0.1+7.1 adoptopenjdk-15.0.2+7 adoptopenjdk-16.0.0+36
    + java adoptopenjdk-11.0.7+10.1 adoptopenjdk-8.0.252+9.1 adoptopenjdk-13.0.2+8.1 adoptopenjdk-14.0.1+7.1 adoptopenjdk-15.0.2+7 adoptopenjdk-16.0.0+36 adoptopenjdk-17.0.2+8

    gitlab-org/security-products/analyzers/gemnasium-maven!164 (merged)

  3. Update analyzer-wrapper so that if a user configures DS_JAVA_VERSION=17, we automatically select gradle 7.3.3

    gitlab-org/security-products/analyzers/gemnasium-maven!164 (merged)

  4. Update utils/gradle-plugin-builder/build.gradle to use gradle 7 syntax:

    - runtime group: 'com.gemnasium', name: 'gradle-plugin', version: '0.3.5'
    + runtimeOnly group: 'com.gemnasium', name: 'gradle-plugin', version: '0.3.5'

    gitlab-org/security-products/analyzers/gemnasium-maven!164 (merged)

  5. Add the following downstream QA tests to the java-gradle test project:

    It's important to add tests for projects that don't have a gradlew wrapper file with a pinned version of gradle. This shows that a Java 17 project uses gradle 7.3.3, and a Java 14 project uses gradle 6.7.1.

    If we were to use a pinned version of gradle in a gradlew file, then it wouldn't show us that the version of gradle changes programmatically based on the version of Java, which is what we need to demonstrate.

    See this MR for a starting point.

  6. Add the following downstream QA test to the java-maven test project:

    See this MR as a starting point.

  7. Add Java 17 to the Supported languages and package managers table in the Dependency Scanning docs.

    !82276 (merged)

  8. Make the following changes to the Obtaining dependency information by running a package manager to generate a parsable file table in the Dependency Scanning docs:

    • Add gradle 7.3 to the Tested Versions column for the Gradle package manager.

    • Add gradle 7.3.3 to the Preinstalled Versions column for the Gradle package manager, and include a footnote explaining:

      When DS_JAVA_VERSION is set to 17, gradle 7.3.3 will automatically be selected as the package manager.

    !82276 (merged)

  9. Make sure to give credit to @gliDom for their community contribution in Add support for java 17 which has provided some necessary details to help complete this issue.
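
The selection rule from steps 1 to 3, as an added example (not code from gemnasium-maven or its analyzer-wrapper): it reads .tool-versions content, treats the first listed version as the default, and picks gradle 7.3.3 when DS_JAVA_VERSION is 17. The function names are hypothetical, and applying the first-listed default to the java line and matching Java entries by major-version prefix are assumptions.

```shell
# Added illustration; function names are hypothetical, not analyzer-wrapper code.

# Constructed sample: the two .tool-versions lines as they read after steps 1 and 2.
sample_tool_versions() {
  cat <<'EOF'
gradle 6.7.1 7.3.3
java adoptopenjdk-11.0.7+10.1 adoptopenjdk-8.0.252+9.1 adoptopenjdk-13.0.2+8.1 adoptopenjdk-14.0.1+7.1 adoptopenjdk-15.0.2+7 adoptopenjdk-16.0.0+36 adoptopenjdk-17.0.2+8
EOF
}

# list_versions CONTENT TOOL: print every version listed for TOOL, one per line.
list_versions() {
  printf '%s\n' "$1" | awk -v tool="$2" '$1 == tool { for (i = 2; i <= NF; i++) print $i }'
}

# default_version CONTENT TOOL: the first listed version is the default.
default_version() {
  list_versions "$1" "$2" | awk 'NR == 1'
}

# select_java CONTENT MAJOR: preinstalled Java entry for DS_JAVA_VERSION=MAJOR.
# Empty MAJOR falls back to the default; returns 1 if MAJOR is not preinstalled.
select_java() {
  if [ -z "$2" ]; then default_version "$1" java; return 0; fi
  # Accept digits only; anything else is not a Java major version.
  case "$2" in *[!0-9]*) return 2 ;; esac
  for sj_v in $(list_versions "$1" java); do
    case "$sj_v" in
      "adoptopenjdk-$2."*) printf '%s\n' "$sj_v"; return 0 ;;
    esac
  done
  return 1
}

# select_gradle CONTENT MAJOR: gradle 7.3.3 for Java 17, otherwise the default.
select_gradle() {
  if [ "$2" = "17" ]; then
    # Fail (non-zero) rather than print a version that is not listed in the file.
    list_versions "$1" gradle | grep -Fx '7.3.3'
  else
    default_version "$1" gradle
  fi
}

# Demo: resolve both tools for the current DS_JAVA_VERSION (unset means defaults).
content=$(sample_tool_versions)
printf 'java=%s gradle=%s\n' "$(select_java "$content" "${DS_JAVA_VERSION:-}")" "$(select_gradle "$content" "${DS_JAVA_VERSION:-}")"
```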

Edited by Adam Cohen