gemnasium-maven analyzer does not import ADDITIONAL_CA_CERT_BUNDLE to the java cacerts store
Summary
The gemnasium-maven analyzer fails to import the certificate bundle specified in ADDITIONAL_CA_CERT_BUNDLE.
Steps to reproduce
Configure ADDITIONAL_CA_CERT_BUNDLE to a self-signed CA and attempt to restore packages served under the self-signed CA in the additional CA bundle. The scanner will fail to validate the PKI.
Example Project
Configure ADDITIONAL_CA_CERT_BUNDLE to a self-signed CA and attempt to restore packages served under the self-signed CA in the additional CA bundle.
What is the current bug behavior?
The analyzer fails to import the CA certificates (and possibly does not set the JAVA_HOME directory). The certificate file used by the keytool script is /etc/ssl/certs/ca-certificates.crt; if that file does not contain the ADDITIONAL_CA_CERT_BUNDLE, the Java cacerts store will not contain the certificates either.
What is the expected correct behavior?
The analyzer sets the JAVA_HOME directory and imports the CA certificates correctly.
Workaround
```yaml
gemnasium-maven-dependency_scanning:
  before_script:
    # unpack the bundled asdf JDK and point JAVA_HOME at it
    - tar --use-compress-program=unzstd -xf /opt/asdf.tar.zst -C /opt/
    - export JAVA_HOME=/opt/asdf/installs/java/adoptopenjdk-17.0.2+8
    # write the CI-provided bundle to a PEM file and import it into cacerts
    - echo "${ADDITIONAL_CA_CERT_BUNDLE}" >> my-ca.pem
    # keytool's option is spelled -noprompt (no inner hyphen)
    - /opt/asdf/shims/keytool -noprompt -importcert -alias km -file my-ca.pem -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
    - rm -rf /opt/asdf.tar.zst
```
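One caveat with the workaround above: `keytool -importcert` reads only the first certificate in a PEM file, so a bundle containing more than one CA (for example an intermediate plus a root) would be imported only partially under the single alias `km`. The following script is an added example, not code from the issue or from the gemnasium-maven analyzer; it splits a bundle into one file per certificate, imports each under its own alias, and lets you verify the result. It assumes `keytool` is on PATH (as it is after the `export JAVA_HOME` step, via `/opt/asdf/shims`), and the alias prefix `ci-ca-` and the default store password `changeit` are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not part of the issue or the analyzer): import every
# certificate in a PEM bundle into a Java cacerts store, one alias each.
set -eu

# split_bundle BUNDLE OUTDIR
# Writes each "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block of BUNDLE to OUTDIR/cert-N.pem (N = 1, 2, ...) and prints the number
# of certificates found. Text outside the PEM markers is ignored.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > (out) }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# import_bundle BUNDLE KEYSTORE [STOREPASS]
# Splits BUNDLE and imports each certificate with a distinct alias
# (ci-ca-1, ci-ca-2, ...). Assumes keytool is on PATH. Prints the count.
import_bundle() {
    bundle="$1"; keystore="$2"; storepass="${3:-changeit}"
    tmp=$(mktemp -d)
    count=$(split_bundle "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt -alias "ci-ca-$i" \
            -file "$tmp/cert-$i.pem" -keystore "$keystore" -storepass "$storepass"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$count"
}

# verify_alias KEYSTORE ALIAS [STOREPASS]
# Succeeds (exit 0) only if ALIAS is present in KEYSTORE.
verify_alias() {
    keytool -list -keystore "$1" -storepass "${3:-changeit}" -alias "$2" >/dev/null 2>&1
}

# Usage inside the before_script, after JAVA_HOME is exported:
#   echo "${ADDITIONAL_CA_CERT_BUNDLE}" > my-ca.pem
#   import_bundle my-ca.pem "$JAVA_HOME/lib/security/cacerts"
#   verify_alias "$JAVA_HOME/lib/security/cacerts" ci-ca-1 || exit 1
```

Importing each certificate separately also makes a failed import visible per certificate, which is easier to debug in a CI log than a single `keytool` call that silently ignores everything after the first PEM block.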