
Add JDK 21 to SpotBugs-based SAST analyzer

Update: Using JDK 21 with SpotBugs Requires Manual Pin to v6

We're unable to bump SpotBugs to v6 for the stable CI template because it contains a breaking change that was not approved, as described in this issue. As a result, the default SpotBugs job will remain on v5 for the 18.x milestones. Users who need JDK 21 must manually pin the analyzer to v6 by following these steps.
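As an added example (not configuration from the original issue or from the GitLab project), the override below pins the `spotbugs-sast` job from the stable SAST template to the v6 analyzer line and selects JDK 21 explicitly. `SAST_ANALYZER_IMAGE_TAG` is the image-tag variable the GitLab SAST templates use for analyzer version pinning and is not mentioned on this page; `SAST_JAVA_VERSION` is the variable documented at the link in the Background section. Both values are assumptions about a project's pipeline, not something the issue prescribes.

```yaml
# .gitlab-ci.yml (added example, not the project's own configuration)
include:
  - template: Jobs/SAST.gitlab-ci.yml

spotbugs-sast:
  variables:
    # Pin the analyzer image to the v6 major line, which bundles JDK 21.
    # The stable template leaves this job on the v5 line (assumption:
    # SAST_ANALYZER_IMAGE_TAG is the template's pinning variable).
    SAST_ANALYZER_IMAGE_TAG: "6"
    # Select JDK 21 explicitly instead of relying on the image default.
    SAST_JAVA_VERSION: "21"
```

Pinning to the major tag `6` still picks up minor and patch releases of the v6 analyzer. Because the v6 line removes JDK 11 from the image (see the Implementation section), projects that still need JDK 11 should leave the job on the template's v5 default rather than applying this override.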

Background

The SpotBugs-based SAST analyzer includes JDK 11 and JDK 17 (the default). Java 21 is now available and is an LTS release. Without JDK 21 built into the analyzer, projects targeting Java 21 can only be scanned by using the pre-compilation workaround.

(See SAST_JAVA_VERSION documented at https://docs.gitlab.com/ee/user/application_security/sast/#analyzer-settings)

Proposal

Add Java 21 as a built-in JDK version in the SpotBugs-based analyzer.

Consider:

  1. Setting Java 21 as the default, if this won't cause disruption to 11 or 17 builds. (If it will cause disruption, we will need to announce as a potentially breaking change.)
  2. Updating additional built-in tools to newer versions.

Notes

  • Preinstalled tool versions are controlled in .tool-versions and related files.
  • This issue was split from SAST Language Support Java 18 (#404950 - closed), which was for Java 18 but which had comments related to Java 21 as well.
  • We attempted to upgrade SpotBugs to Find Security Bugs v1.13.0, which includes Java 21 support. This effort failed (details). Note that this upgrade may take longer than expected; account for this when applying a weight to this issue.

Implementation

  1. Add JDK 21 to image
  2. Change default JDK to 21
  3. Remove JDK 11 from image
  4. Bump major version of analyzer
  5. Write a follow-up issue to update the major version in the CI template, and schedule it for %18.0 (breaking change); see Update spotbugs major version in SAST templates (#517169 - closed).
Edited by Shao Ming Tan