Use FIPS-compliant OpenJDK in gemnasium-maven FIPS image
Release notes
Starting from GitLab 15.1, Dependency Scanning for Java (gemnasium-maven) uses the OpenJDK packages from RedHat UBI 8 when FIPS mode is enabled. It previously used asdf-java, which is not FIPS-compliant. As a result of this change, it only supports Java 8, 11, and 17 when FIPS is enabled. Java 13, 14, 15, and 16 are no longer supported in FIPS mode.
Problem to solve
FIPS-enabled Docker images of gemnasium-maven were introduced as part of #354994 (closed). However, these images use versions of OpenJDK installed using asdf, and these might not comply with FIPS. See #357919 (comment 934409150)
Further details
RHEL UBI 8 provides packages for OpenJDK 8, 11, and 17. When installed using RHEL packages, OpenJDK "self-configures FIPS according to the global policy".
Links
- https://access.redhat.com/documentation/en-us/openjdk/8/html/configuring_openjdk_8_on_rhel_with_fips/config-fips-in-openjdk
- https://access.redhat.com/documentation/en-us/openjdk/11/html/configuring_openjdk_11_on_rhel_with_fips/config-fips-in-openjdk
- https://access.redhat.com/documentation/en-us/openjdk/17/html/configuring_openjdk_17_on_rhel_with_fips/config-fips-in-openjdk
Currently Dependency Scanning supports the following versions of Java: 8, 11, 13, 14, 15, 16, 17.
Proposal
Install the versions of OpenJDK officially supported by Dependency Scanning using the following RHEL UBI packages:
- java-1.8.0-openjdk
- java-11-openjdk
- java-17-openjdk
Switch between these packages based on DS_JAVA_VERSION:
- Set the environment variable JAVA_HOME.
- Set the java CLI using RedHat's alternatives command.
The only supported versions of Java are 8, 11, and 17. Java 13, 14, 15, and 16 are no longer supported in the FIPS image.
It's no longer necessary to compress /opt/asdf because it only contains the build tools (Gradle, Maven, and Sbt). asdf-java is removed.
See #357919 (comment 934409150)
Intended users
Documentation
The gemnasium-maven FIPS image only supports specific versions of Java, and this limitation should be documented in https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning.
Feature Usage Metrics
Implementation plan
- Update config/install.sh to install the openjdk-* packages instead of asdf-java.
- Update config/.bashrc to switch to the openjdk-* package that matches DS_JAVA_VERSION.
- Show a message when it can't use the requested Java version; it uses the default version instead.
- Update spec/gemnasium-maven_image_spec.rb and the corresponding CI config to only test the supported versions of Java when testing the FIPS image, in the image test fips and image test only slow scans fips jobs.
- Update user documentation to let users know that the FIPS image only supports specific versions of Java.
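The version switch sketched in the Proposal and in the config/.bashrc step above, as an added example. This is not gemnasium-maven's own config/.bashrc or config/install.sh; it assumes the RHEL packages install under /usr/lib/jvm with the family symlinks java-1.8.0-openjdk, java-11-openjdk and java-17-openjdk (assumed paths), that the fallback is Java 17 (an assumed default, overridable via DEFAULT_JAVA_VERSION), and that resolving the family symlink with readlink -f yields the versioned path registered with alternatives. The FIPS check reads the kernel flag the RHEL OpenJDK packages follow when they self-configure.

```shell
#!/usr/bin/env bash
# Added example (not the gemnasium-maven project's code): pick the RHEL UBI 8
# OpenJDK package matching DS_JAVA_VERSION, fall back to a default with a
# warning, and wire up JAVA_HOME plus the `java` alternative.
# Assumed, not stated on the page: packages live under /usr/lib/jvm with the
# family symlinks below, and the default version is 17.

JVM_DIR="${JVM_DIR:-/usr/lib/jvm}"
DEFAULT_JAVA_VERSION="${DEFAULT_JAVA_VERSION:-17}"

# Map a DS_JAVA_VERSION value to the RHEL package/symlink name. Prints nothing
# and returns 1 when the FIPS image has no package for that version.
openjdk_package_for() {
  case "$1" in
    8|1.8|1.8.0) echo "java-1.8.0-openjdk" ;;
    11)          echo "java-11-openjdk" ;;
    17)          echo "java-17-openjdk" ;;
    *)           return 1 ;;
  esac
}

# Print the JAVA_HOME to use for the requested version. Unsupported versions
# (13, 14, 15, 16, anything else) get a warning on stderr and the default JDK,
# which is the "show message, use default" behaviour of the implementation plan.
select_java_home() {
  requested="${1:-$DEFAULT_JAVA_VERSION}"
  pkg="$(openjdk_package_for "$requested")" || {
    echo "WARNING: Java $requested is not available in the FIPS image (supported: 8, 11, 17); using Java $DEFAULT_JAVA_VERSION" >&2
    pkg="$(openjdk_package_for "$DEFAULT_JAVA_VERSION")"
  }
  echo "$JVM_DIR/$pkg"
}

# Apply the selection: export JAVA_HOME and, where RedHat's alternatives command
# and the JDK binary exist, point `java` at it. readlink -f turns the family
# symlink into the versioned path alternatives registered (assumed layout).
apply_java_home() {
  JAVA_HOME="$(select_java_home "$1")"
  export JAVA_HOME
  if command -v alternatives >/dev/null 2>&1 && [ -x "$JAVA_HOME/bin/java" ]; then
    alternatives --set java "$(readlink -f "$JAVA_HOME/bin/java")"
  fi
  echo "$JAVA_HOME"
}

# Is the kernel in FIPS mode? RHEL-packaged OpenJDK follows this global policy,
# which is the reason for dropping asdf-java. The path argument exists so the
# check can be exercised against a constructed file.
fips_enabled() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Demo with constructed input: prints the chosen JAVA_HOME for a supported and
# an unsupported version; nothing is changed on a host without the packages.
select_java_home 11
select_java_home 15
```

In the image this would be sourced from .bashrc as `apply_java_home "$DS_JAVA_VERSION"`; the pure `select_java_home` is what the image spec can assert on without a RHEL host.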
/cc @sam.white @gonzoyumo