Fix jdtls download#224
Conversation
Signed-off-by: Emily McMullan <emcmulla@redhat.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThe Dockerfiles and Java analyzer target platform now reference a newer JDT Language Server artifact. The Docker download commands also switch to ChangesJDT Language Server artifact update
🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@Dockerfile`:
- Around line 3-6: The JDTLS download step in the Docker build currently pulls a
remote snapshot tarball without verifying integrity, so update the RUN block
that downloads and extracts jdtls to also fetch the SHA-256 sidecar and validate
the tarball before unpacking it, then apply the same pinned-and-verified
download flow in Dockerfile.test as well. Use the existing jdtls.tar.gz
fetch/extract sequence as the place to add checksum verification and keep the
binary install step unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 0608f16d-2a1f-4164-86a4-f1b2e0b666d0
📒 Files selected for processing (3)
DockerfileDockerfile.testjava-analyzer-bundle.tp/java-analyzer-bundle.target
| RUN curl -fsSL -o jdtls.tar.gz https://download.eclipse.org/jdtls/snapshots/jdt-language-server-1.54.0-202511261751.tar.gz &&\ | ||
| tar -xvf jdtls.tar.gz --no-same-owner &&\ | ||
| chmod 755 /jdtls/bin/jdtls &&\ | ||
| rm -rf jdtls.tar.gz |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Inspect current download steps:"
sed -n '1,8p' Dockerfile
sed -n '1,8p' Dockerfile.test
echo
echo "Check whether either Dockerfile already verifies artifact integrity:"
rg -n 'sha(256|512)sum|gpg|cosign' Dockerfile Dockerfile.test || true
echo
echo "Probe common checksum sidecars for the pinned JDTLS artifact:"
base='https://download.eclipse.org/jdtls/snapshots/jdt-language-server-1.54.0-202511261751.tar.gz'
for suffix in .sha256 .sha256sum .sha512 .md5; do
url="${base}${suffix}"
code="$(curl -o /dev/null -s -w '%{http_code}' -I "$url" || true)"
printf '%s -> %s\n' "$url" "$code"
doneRepository: konveyor/java-analyzer-bundle
Length of output: 1494
Pin and verify the JDTLS tarball digest.
This still extracts a remote binary snapshot without any checksum verification. If that asset is replaced upstream, both this image and the mirrored download path in Dockerfile.test will ingest it silently.
A verifiable SHA-256 sidecar exists at the download URL. Update the build to fetch and validate it:
Proposed fix
+ARG JDTLS_URL=https://download.eclipse.org/jdtls/snapshots/jdt-language-server-1.54.0-202511261751.tar.gz
+ARG JDTLS_SHA256=8b0f7b22f97b60d33e50f9045058f686d40a70881e1983a224331775e37d6b29
-RUN curl -fsSL -o jdtls.tar.gz https://download.eclipse.org/jdtls/snapshots/jdt-language-server-1.54.0-202511261751.tar.gz &&\
+RUN curl -fsSL -o jdtls.tar.gz "${JDTLS_URL}" &&\
+ curl -fsSL "${JDTLS_URL}.sha256" | sha256sum -c - &&\
tar -xvf jdtls.tar.gz --no-same-owner &&\
chmod 755 /jdtls/bin/jdtls &&\
rm -rf jdtls.tar.gzApply the same change to Dockerfile.test.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@Dockerfile` around lines 3 - 6, The JDTLS download step in the Docker build
currently pulls a remote snapshot tarball without verifying integrity, so update
the RUN block that downloads and extracts jdtls to also fetch the SHA-256
sidecar and validate the tarball before unpacking it, then apply the same
pinned-and-verified download flow in Dockerfile.test as well. Use the existing
jdtls.tar.gz fetch/extract sequence as the place to add checksum verification
and keep the binary install step unchanged.
Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com>
|
PR cherry-picked to branch release-0.9. Backport PR: #225 |
* Fix jdtls download (#224) * fix jdtls download Signed-off-by: Emily McMullan <emcmulla@redhat.com> * Use milestone Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com> --------- Signed-off-by: Emily McMullan <emcmulla@redhat.com> Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com> Co-authored-by: Juan Manuel Leflet Estrada <jleflete@redhat.com> Signed-off-by: Cherry Picker <noreply@github.com> * Determine operator tag based on the base branch Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com> * Pass also tag Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com> --------- Signed-off-by: Emily McMullan <emcmulla@redhat.com> Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com> Signed-off-by: Cherry Picker <noreply@github.com> Co-authored-by: Emily McMullan <emcmulla@redhat.com> Co-authored-by: Juan Manuel Leflet Estrada <jleflete@redhat.com>
Summary by CodeRabbit