- title: "Out-of-the-box SAST (SpotBugs) support for Java 8" announcement_milestone: "14.8" announcement_date: "2022-02-22" removal_milestone: "15.0" removal_date: "2022-05-22" breaking_change: false reporter: connorgilbert stage: Secure issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352549 body: | # (required) Do not modify this line, instead modify the lines below. The [GitLab SAST SpotBugs analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) scans [Java, Scala, Groovy, and Kotlin code](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks) for security vulnerabilities. For technical reasons, the analyzer must first compile the code before scanning. Unless you use the [pre-compilation strategy](https://docs.gitlab.com/ee/user/application_security/sast/#pre-compilation), the analyzer attempts to automatically compile your project's code. In GitLab versions prior to 15.0, the analyzer image included Java 8 and Java 11 runtimes to facilitate compilation. As of GitLab 15.0, we've: - Removed Java 8 from the analyzer image to reduce the size of the image. - Added Java 17 to the analyzer image to make it easier to compile with Java 17. - Changed the default Java version from Java 8 to Java 17. If you rely on Java 8 being present in the analyzer environment, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352549#breaking-change). # The following items are not published on the docs page, but may be used in the future. tiers: [Free, Silver, Gold, Core, Premium, Ultimate] documentation_url: https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks # (optional) This is a link to the current documentation page image_url: # (optional) This is a link to a thumbnail image depicting the feature video_url: # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg