Add example to make gradle-jdk17 action compatible with actions/set-up-java #109

Merged (1 commit) on Oct 28, 2022

@ibaiul ibaiul commented Oct 26, 2022

I have created this example pull request as I was not able to find a way to report this incompatibility issue in another way.

I believe this issue affects all Snyk actions that execute Java commands, but I have only provided an example for the Gradle JDK17 Snyk action while waiting for some feedback on how to tackle the incompatibility issue.


ibaiul commented Oct 26, 2022

Snyk actions that execute Java commands are not compatible with the official actions/setup-java GitHub action due to a JAVA_HOME environment variable collision.

actions/setup-java exports the JAVA_HOME variable with a value that points to a directory not present inside the Snyk container, and therefore Snyk fails to resolve its own JAVA_HOME value, which gets overridden when the Snyk action gets executed.

Two ways to fix this issue that come to my mind are:

  • Set the JAVA_HOME environment variable explicitly in the Snyk action to the value it is expecting (in this case I would encourage documenting the case).
  • Build all the Snyk Docker images that run Java commands in a way that they ignore the JAVA_HOME environment variable value set externally or override it to the expected value.


ibaiul commented Oct 26, 2022

Incompatible example:

steps:
  - name: Set up Java
    uses: actions/setup-java@v3 # Exports JAVA_HOME variable incompatible with Snyk actions (value=/opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.4-1/x64)
    with:
      java-version: 17
      distribution: temurin
  - name: Set up Gradle
    uses: gradle/gradle-build-action@v2
    with:
      gradle-version: 7.3

  # Run your Gradle commands

  - name: Run Snyk to check for vulnerabilities
    uses: snyk/actions/gradle-jdk17@master
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    with:
      args: --severity-threshold=high

Action error:

Run snyk/actions/gradle-jdk17@master
/usr/bin/docker run --name snyksnykgradlejdk17_581781 --label 8d5581 --workdir /github/workspace --rm -e "JAVA_HOME" -e "JAVA_HOME_17_X64" -e "GRADLE_BUILD_ACTION_SETUP_COMPLETED" -e "GRADLE_BUILD_ACTION_CACHE_RESTORED" -e "RELEASE_TAG" -e "SNYK_TOKEN" -e "INPUT_ARGS" -e "INPUT_COMMAND" -e "INPUT_JSON" -e "FORCE_COLOR" -e "SNYK_INTEGRATION_NAME" -e "SNYK_INTEGRATION_VERSION" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/***/***":"/github/workspace" snyk/snyk:gradle-jdk17  "snyk" "test" "--severity-threshold=high"
Gradle Error (short):


===== DEBUG INFORMATION START =====
[COULD NOT RUN gradle -v]

>>> command: '/github/workspace/gradlew' snykResolvedDepsJson -q --build-file build.gradle --no-daemon -Dorg.gradle.parallel= -Dorg.gradle.console=plain -PonlySubProject=. -I /tmp/tmp-1-U8sEO8k4knjh--init.gradle
>>> exit code: 1
>>> stdout:

ERROR: JAVA_HOME is set to an invalid directory: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.4-1/x64

Please set the JAVA_HOME variable in your environment to match the
location of your Java installation.


>>> stderr:


===== DEBUG INFORMATION END =====

Error running Gradle dependency analysis.

Please ensure you are calling the `snyk` command with correct arguments.
If the problem persists, contact support@snyk.io, providing the full error
message from above, starting with ===== DEBUG INFORMATION START =====.

Compatible example enforcing expected JAVA_HOME value:

- name: Run Snyk to check for vulnerabilities
  uses: snyk/actions/gradle-jdk17@master
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    JAVA_HOME: /opt/java/openjdk # Enforce directory expected by the Snyk container
  with:
    args: --severity-threshold=high
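
The second fix proposed earlier in this thread (have the image ignore or override an externally set JAVA_HOME) could look like the entrypoint guard below. This is an added example, not code from the pull request or from Snyk's images; the function names and the `IMAGE_JAVA_HOME` variable are hypothetical, and `/opt/java/openjdk` is assumed to be the image's JDK because that is the path the comment above says the container expects.

```shell
#!/bin/sh
# Added example, not Snyk's entrypoint. Default is the directory the PR
# comment says the Snyk container expects (assumed to be the bundled JDK).
IMAGE_JAVA_HOME="${IMAGE_JAVA_HOME:-/opt/java/openjdk}"

# Print the JAVA_HOME the container should use.
#   $1 = value inherited from the runner via `docker run -e JAVA_HOME` (may be empty)
#   $2 = JDK directory baked into the image
# An inherited value is kept only if it holds an executable bin/java inside
# this container; otherwise the image's own JDK wins.
resolve_java_home() {
    inherited="$1"
    bundled="$2"
    if [ -n "$inherited" ] && [ -x "$inherited/bin/java" ]; then
        printf '%s\n' "$inherited"
        return 0
    fi
    if [ ! -x "$bundled/bin/java" ]; then
        printf 'error: no usable JDK at %s\n' "$bundled" >&2
        return 1
    fi
    if [ -n "$inherited" ]; then
        printf 'warning: ignoring JAVA_HOME=%s (not in container), using %s\n' \
            "$inherited" "$bundled" >&2
    fi
    printf '%s\n' "$bundled"
}

# Hypothetical entrypoint body: correct JAVA_HOME, then hand over to the
# real command (in the log above: snyk test --severity-threshold=high).
run_with_valid_java_home() {
    JAVA_HOME="$(resolve_java_home "${JAVA_HOME:-}" "$IMAGE_JAVA_HOME")" || return 1
    export JAVA_HOME
    PATH="$JAVA_HOME/bin:$PATH"
    export PATH
    exec "$@"
}
```

An image's entrypoint script would end with `run_with_valid_java_home "$@"`, so a runner-side path such as the hosted tool cache directory never reaches Gradle.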

@ibaiul ibaiul marked this pull request as ready for review October 26, 2022 12:49
@ibaiul ibaiul requested a review from a team as a code owner October 26, 2022 12:49

@bastiandoetsch bastiandoetsch left a comment


Hey @ibaiul, thanks for the contribution! Would you please sign your commit and force-push? Unfortunately, we can only accept signed commits (see https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits).


ibaiul commented Oct 28, 2022

> Hey @ibaiul, thanks for the contribution! Would you please sign your commit and force-push? Unfortunately, we can only accept signed commits (see https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)

Sure, that makes total sense. I have signed and re-pushed the commit.

@bastiandoetsch bastiandoetsch merged commit 74bf81b into snyk:master Oct 28, 2022