@@ -910,3 +910,19 @@ with a dependency on this version of Python should use `retire.js` version 2.10.
### Error: `dependency_scanning is used for configuration only, and its script should not be executed`
For information on this, see the [GitLab Secure troubleshooting section](../index.md#error-job-is-used-for-configuration-only-and-its-script-should-not-be-executed).
### Import multiple certificates for Java-based projects
The `gemnasium-maven` analyzer reads the contents of the `ADDITIONAL_CA_CERT_BUNDLE` variable using `keytool`, which imports either a single certificate or a certificate chain. Multiple unrelated certificates are ignored and only the first one is imported by `keytool`.
To add multiple unrelated certificates to the analyzer, you can declare a `before_script` such as this in the definition of the `gemnasium-maven-dependency_scanning` job:
```yaml
gemnasium-maven-dependency_scanning:
before_script:
-. $HOME/.bashrc# make the java tools available to the script
-OIFS="$IFS"; IFS=""; echo $ADDITIONAL_CA_CERT_BUNDLE > multi.pem; IFS="$OIFS"# write ADDITIONAL_CA_CERT_BUNDLE variable to a PEM file
-csplit -z --digits=2 --prefix=cert multi.pem "/-----END CERTIFICATE-----/+1" "{*}"# split the file into individual certificates
-for i in `ls cert*`; do keytool -v -importcert -alias "custom-cert-$i" -file $i -trustcacerts -noprompt -storepass changeit -keystore /opt/asdf/installs/java/adoptopenjdk-11.0.7+10.1/lib/security/cacerts 1>/dev/null 2>&1 || true; done# import each certificate using keytool (note the keystore location is related to the Java version being used and should be changed accordingly for other versions)
-unset ADDITIONAL_CA_CERT_BUNDLE# unset the variable so that the analyzer doesn't duplicate the import