Dependency Scanning and License Scanning Java 21 Early Access Support

Release notes

Dependency Scanning and License Scanning will be able to support Java 21, which is due to be released on 19th September 2023.

Problem to solve

As a user, I want to specify Java version 21, so that I can use an early access version of Java 21 with Dependency Scanning and License Scanning.

Intended users

• Sasha (Software Developer)
• Cameron (Compliance Manager)

User experience goal

The user should be able to set the DS_JAVA_VERSION environment variable in their .gitlab-ci.yml to 21 and Java 21 should be used.

Proposal

We are going to add Java 21 to the Dependency Scanning Docker image once this version of Java has been released.

Further details

The scope of this issue is limited to our Debian, non-FIPS image, because we anticipate that Redhat will be 1-2 months behind when OpenJDK make it available. The scope may be adjusted in future to account for Gradle support for Java 21.

Documentation

• Document Java 21 is supported via an early access version
• Document Java 21 is available using the DS_JAVA_VERSION environment variable
• Document Java 21 is not supported in FIPS-enabled images
• Document Java 21 only supports Maven

Availability & Testing

Adding a new version of Java could result in different behaviour. We can increase confidence by extending our test capability as follows:

• The spec/gemnasium-maven_image_spec.rb integration test should be updated

Available Tier

• Ultimate

Implementation Plan

Java

• Update GitLab documentation:
  • Update Supported languages and package managers to include Java 21 with footnote that Java 21 is not supported in FIPS-enabled images
  • Update Configuring specific analyzers used by dependency scanning to include Java 21
  • Update FIPS-enabled images to communicate Java 21 is not supported in FIPS-enabled images
  • Update documentation to communicate that Java 21 is only support for Maven projects
• Update Gemnasium analyzer:
  • Update .tool-versions to include Java 21
  • Update spec/gemnasium-maven_image_spec.rb to test scan behaviour with Java 21

---

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.