Skip to content

Fix jdtls download#224

Merged
jmle merged 2 commits into
konveyor:mainfrom
eemcmullan:eclipse-update
Jun 29, 2026
Merged

Fix jdtls download#224
jmle merged 2 commits into
konveyor:mainfrom
eemcmullan:eclipse-update

Conversation

@eemcmullan

@eemcmullan eemcmullan commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Chores
    • Updated the bundled Java language server to a newer release to improve compatibility and stability.
    • Updated the Java analysis bundle to use the latest available language server snapshot/repository, keeping the analysis environment consistent with the new server version.

Signed-off-by: Emily McMullan <emcmulla@redhat.com>
@eemcmullan eemcmullan requested a review from jmle June 26, 2026 15:52
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a9996bd4-e529-4ce1-bdcb-3c4a191a65f3

📥 Commits

Reviewing files that changed from the base of the PR and between e6a8363 and 2e27a18.

📒 Files selected for processing (3)
  • Dockerfile
  • Dockerfile.test
  • java-analyzer-bundle.tp/java-analyzer-bundle.target

📝 Walkthrough

Walkthrough

The Dockerfiles and Java analyzer target platform now reference a newer JDT Language Server artifact. The Docker download commands also switch to curl -fsSL.

Changes

JDT Language Server artifact update

Layer / File(s) Summary
Target platform repository update
java-analyzer-bundle.tp/java-analyzer-bundle.target
org.eclipse.jdt.ls.core now references the 1.60.0 milestones repository.
Docker download update
Dockerfile, Dockerfile.test
Both Dockerfiles download the newer JDTLS tarball and switch the build-time curl flags to -fsSL.

🎯 2 (Simple) | ⏱️ ~10 minutes

A bunny peeks at the build with a hop and a grin,
New JDTLS bits tumble in.
curl -fsSL makes the fetch go clean,
Target and Dockerfiles now gleam serene,
Hop-hop! The version update is tucked in.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: fixing the JDTLS download in the Docker and target files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Around line 3-6: The JDTLS download step in the Docker build currently pulls a
remote snapshot tarball without verifying integrity, so update the RUN block
that downloads and extracts jdtls to also fetch the SHA-256 sidecar and validate
the tarball before unpacking it, then apply the same pinned-and-verified
download flow in Dockerfile.test as well. Use the existing jdtls.tar.gz
fetch/extract sequence as the place to add checksum verification and keep the
binary install step unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0608f16d-2a1f-4164-86a4-f1b2e0b666d0

📥 Commits

Reviewing files that changed from the base of the PR and between 153f67b and e6a8363.

📒 Files selected for processing (3)
  • Dockerfile
  • Dockerfile.test
  • java-analyzer-bundle.tp/java-analyzer-bundle.target

Comment thread Dockerfile Outdated
Comment on lines 3 to 6
RUN curl -fsSL -o jdtls.tar.gz https://download.eclipse.org/jdtls/snapshots/jdt-language-server-1.54.0-202511261751.tar.gz &&\
tar -xvf jdtls.tar.gz --no-same-owner &&\
chmod 755 /jdtls/bin/jdtls &&\
rm -rf jdtls.tar.gz

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Inspect current download steps:"
sed -n '1,8p' Dockerfile
sed -n '1,8p' Dockerfile.test

echo
echo "Check whether either Dockerfile already verifies artifact integrity:"
rg -n 'sha(256|512)sum|gpg|cosign' Dockerfile Dockerfile.test || true

echo
echo "Probe common checksum sidecars for the pinned JDTLS artifact:"
base='https://download.eclipse.org/jdtls/snapshots/jdt-language-server-1.54.0-202511261751.tar.gz'
for suffix in .sha256 .sha256sum .sha512 .md5; do
  url="${base}${suffix}"
  code="$(curl -o /dev/null -s -w '%{http_code}' -I "$url" || true)"
  printf '%s -> %s\n' "$url" "$code"
done

Repository: konveyor/java-analyzer-bundle

Length of output: 1494


Pin and verify the JDTLS tarball digest.

This still extracts a remote binary snapshot without any checksum verification. If that asset is replaced upstream, both this image and the mirrored download path in Dockerfile.test will ingest it silently.

A verifiable SHA-256 sidecar exists at the download URL. Update the build to fetch and validate it:

Proposed fix
+ARG JDTLS_URL=https://download.eclipse.org/jdtls/snapshots/jdt-language-server-1.54.0-202511261751.tar.gz
+ARG JDTLS_SHA256=8b0f7b22f97b60d33e50f9045058f686d40a70881e1983a224331775e37d6b29
-RUN curl -fsSL -o jdtls.tar.gz https://download.eclipse.org/jdtls/snapshots/jdt-language-server-1.54.0-202511261751.tar.gz &&\
+RUN curl -fsSL -o jdtls.tar.gz "${JDTLS_URL}" &&\
+    curl -fsSL "${JDTLS_URL}.sha256" | sha256sum -c - &&\
 	tar -xvf jdtls.tar.gz --no-same-owner &&\
 	chmod 755 /jdtls/bin/jdtls &&\
         rm -rf jdtls.tar.gz

Apply the same change to Dockerfile.test.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 3 - 6, The JDTLS download step in the Docker build
currently pulls a remote snapshot tarball without verifying integrity, so update
the RUN block that downloads and extracts jdtls to also fetch the SHA-256
sidecar and validate the tarball before unpacking it, then apply the same
pinned-and-verified download flow in Dockerfile.test as well. Use the existing
jdtls.tar.gz fetch/extract sequence as the place to add checksum verification
and keep the binary install step unchanged.

Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com>
@jmle jmle merged commit 8a14735 into konveyor:main Jun 29, 2026
15 checks passed
@mguetta1 mguetta1 added the cherry-pick/release-0.9 This PR should be cherry-picked to release-0.9 branch label Jun 29, 2026
@konveyor-ci-bot

Copy link
Copy Markdown

PR cherry-picked to branch release-0.9. Backport PR: #225

jmle added a commit that referenced this pull request Jul 2, 2026
* Fix jdtls download (#224)

* fix jdtls download

Signed-off-by: Emily McMullan <emcmulla@redhat.com>

* Use milestone

Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com>

---------

Signed-off-by: Emily McMullan <emcmulla@redhat.com>
Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com>
Co-authored-by: Juan Manuel Leflet Estrada <jleflete@redhat.com>
Signed-off-by: Cherry Picker <noreply@github.com>

* Determine operator tag based on the base branch

Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com>

* Pass also tag

Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com>

---------

Signed-off-by: Emily McMullan <emcmulla@redhat.com>
Signed-off-by: Juan Manuel Leflet Estrada <jleflete@redhat.com>
Signed-off-by: Cherry Picker <noreply@github.com>
Co-authored-by: Emily McMullan <emcmulla@redhat.com>
Co-authored-by: Juan Manuel Leflet Estrada <jleflete@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cherry-pick/release-0.9 This PR should be cherry-picked to release-0.9 branch

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants