Remove Dependency Scanning support for Java 13, 14, 15, and 16
Release notes
GitLab has deprecated Dependency Scanning support for Java versions 13, 14, 15, and 16 and plans to remove that support in the upcoming GitLab 16.0 release. This is consistent with Oracle's support policy: Oracle Premier and Extended Support for these non-LTS versions has ended. It also lets GitLab focus Dependency Scanning Java support on LTS versions going forward.
Proposal
Update the build of the gemnasium-maven non-FIPS (Debian) image to remove support for Java 13, 14, 15, and 16.
The gemnasium-maven FIPS image (RedHat) isn't changed because it only supports the LTS versions of Java: 8, 11, and 17.
As part of this we might also upgrade Maven, Gradle, and sbt to the latest stable versions. See the .tool-versions files for the RedHat and Debian images.
Documentation
User documentation needs to be updated: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
| CI/CD variable | Analyzer | Default | Description |
|---|---|---|---|
| DS_JAVA_VERSION | gemnasium-maven | 17 | Version of Java. Available versions: 8, 11, 13, 14, 15, 16, 17. Available versions in FIPS-enabled image: 8, 11, 17. |
The "Available versions" list in this row has to drop 13, 14, 15, and 16, leaving 8, 11, and 17 for both images. See the table and footnotes of https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#supported-languages-and-package-managers
Different versions of Java require different versions of Gradle. The versions of Gradle listed in the above table are pre-installed in the analyzer image. The version of Gradle used by the analyzer depends on whether your project uses a gradlew (Gradle wrapper) file or not:
If your project does not use a gradlew file, then the analyzer automatically switches to one of the pre-installed Gradle versions, based on the version of Java specified by the DS_JAVA_VERSION variable. By default, the analyzer uses Java 17 and Gradle 7.3.3.
For Java versions 8 and 11, Gradle 6.7.1 is automatically selected, and for Java versions 13 to 17, Gradle 7.3.3 is automatically selected.
If your project does use a gradlew file, then the version of Gradle pre-installed in the analyzer image is ignored, and the version specified in your gradlew file is used instead.
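The following .gitlab-ci.yml fragment is an added example of what a project pinned to one of the removed Java versions needs to change; it is not taken from the GitLab documentation or the gemnasium project. It assumes a Gradle project that previously set DS_JAVA_VERSION to 16 and that the job names and the DS_IMAGE_SUFFIX variable match the Dependency Scanning template in use.

```yaml
# Added example (not part of this issue or of the GitLab docs).
# Assumption: the project used to pin DS_JAVA_VERSION to a release that is
# removed from the non-FIPS gemnasium-maven image in GitLab 16.0.

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

variables:
  # Before the removal this was:
  #   DS_JAVA_VERSION: "16"
  # 13, 14, 15 and 16 are no longer installed; 8, 11 and 17 remain and are
  # the same set the FIPS (RedHat UBI) image already supports.
  DS_JAVA_VERSION: "17"

  # Optional: switch to the FIPS-enabled analyzer image. Once 13 to 16 are
  # gone, the two images accept exactly the same DS_JAVA_VERSION values,
  # so this no longer changes which Java versions are available.
  # DS_IMAGE_SUFFIX: "-fips"

# Gradle selection reminder (from the docs quoted above):
# - no gradlew in the repo: the analyzer picks a pre-installed Gradle from
#   DS_JAVA_VERSION (6.7.1 for Java 8/11, 7.3.3 for Java 17);
# - gradlew present: the wrapper's own Gradle version is used instead, but
#   DS_JAVA_VERSION still decides which JDK runs it, so it must be 8, 11 or 17.
gemnasium-maven-dependency_scanning:
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - build.gradle
        - build.gradle.kts
```

A pipeline that still sets DS_JAVA_VERSION to 13, 14, 15, or 16 after the upgrade will run against an image where that JDK is absent, so the variable value is the first thing to check when a Java Dependency Scanning job starts failing on GitLab 16.0.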
See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#fips-enabled-images:
To ensure compliance with FIPS, the FIPS-enabled image of gemnasium-maven uses the OpenJDK packages for RedHat UBI. As a result, it only supports Java 8, 11, and 17.
This paragraph can be removed: once Java 13 to 16 are dropped from the non-FIPS image, both images support the same set of Java versions (8, 11, and 17), so the FIPS-specific restriction no longer needs to be called out.
Availability & Testing
The image specs for Java 13 to 16 have to be removed:
- https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/d0ad79a12b24cce6a1c3373ae6c06b4e8cc54289/spec/gemnasium-maven_image_spec.rb#L120-151
- https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/d0ad79a12b24cce6a1c3373ae6c06b4e8cc54289/spec/gemnasium-maven_image_spec.rb#L281-336
The image specs should then be the same for both the FIPS image and the non-FIPS image of gemnasium-maven, and we might leverage this to simplify the tests.
Implementation plan
- Update Gemnasium.
  - Update the gemnasium-maven/debian build.
  - Optional: upgrade build tools to the latest versions. See the .tool-versions files for the RedHat and Debian images.
  - Update image specs.
  - Optional: simplify the image specs and the corresponding CI jobs.
  - Update MAX_IMAGE_SIZE_MB, the max size of the non-FIPS image.
  - Release as v4.x. See Release Gemnasium v4 (#408528 - closed)
- Update documentation in Upgrade to Gemnasium v4 (!119313 - merged) or in a separate MR.