Add JDK 21 to SpotBugs-based SAST analyzer
Background
The SpotBugs-based SAST analyzer includes JDK 11 and 17 (default). 21 is now available and is an LTS. Without Java 21 built into the SpotBugs-based analyzer, SpotBugs-based builds are difficult to use without using the pre-compilation workaround.
(See SAST_JAVA_VERSION
documented at https://docs.gitlab.com/ee/user/application_security/sast/#analyzer-settings)
Proposal
Add Java 21 as a built-in JDK version in the SpotBugs-based analyzer.
Consider:
- Setting Java 21 as the default, if this won't cause disruption to 11 or 17 builds. (If it will cause disruption, we will need to announce as a potentially breaking change.)
- Updating additional built-in tools to newer versions.
Notes
- Preinstalled tool versions are controlled in .tool-versions and related files.
- This issue was split from SAST Language Support Java 18 (#404950 - closed), which was for Java 18 but which had comments related to Java 21 as well.
- We attempted to upgrade spotbugs to version find sec bugs v.1.13.0, which included Java 21 support. This effort failed, details. Note that this upgrade may take longer than expected when applying a weight to this issue.
Edited by Craig Smith