Closed
Labels: enhancement, good first issue
Description
Summary
While testing agentic workflows on popular Java OSS repositories (gson, commons-lang, caffeine), several domains required for Java development were blocked by the firewall. These domains should be added to the java ecosystem profile in pkg/workflow/data/ecosystem_domains.json.
Blocked Domains Discovered
| Domain | Purpose | Blocked In |
|---|---|---|
| dlcdn.apache.org | Apache download CDN for Maven/tools | gson, commons-lang |
| archive.apache.org | Apache archive for older releases | gson |
| download.java.net | Java downloads | caffeine |
| api.foojay.io | Foojay Disco API for Java toolchain discovery (used by Gradle toolchains plugin) | caffeine |
Context
When running agentic workflows with the java ecosystem profile enabled, agents that need to download Java tooling (JDK, Maven, Gradle) often fail because:
- Apache CDN domains - Maven and other Apache tools are distributed via `dlcdn.apache.org` and `archive.apache.org`, which are not in the current Java profile
- Java.net downloads - Some Java distributions and tools are hosted on `download.java.net`
- Foojay API - The Foojay Disco API (`api.foojay.io`) is used by Gradle's toolchain auto-provisioning feature to discover and download JDKs
Current Java Profile
```json
"java": [
  "www.java.com",
  "jdk.java.net",
  "api.adoptium.net",
  "adoptium.net",
  "repo.maven.apache.org",
  "maven.apache.org",
  "repo1.maven.org",
  "maven.pkg.github.com",
  "maven.oracle.com",
  "repo.spring.io",
  "gradle.org",
  "services.gradle.org",
  "plugins.gradle.org",
  "plugins-artifacts.gradle.org",
  "repo.grails.org",
  "download.eclipse.org",
  "download.oracle.com",
  "jcenter.bintray.com"
]
```
Proposed Additions
```jsonc
"java": [
  // ... existing domains ...
  "dlcdn.apache.org",
  "archive.apache.org",
  "download.java.net",
  "api.foojay.io",
  "cdn.azul.com" // Azul Zulu JDK downloads (commonly used alternative JDK)
]
```
Test Repositories
- https://github.com/Mossaka/gson - ✅ Passed (agent downloaded JDK from github.com which is allowed)
- https://github.com/Mossaka/commons-lang - ❌ Failed due to blocked domains
- https://github.com/Mossaka/caffeine - ❌ Failed due to blocked domains
Reproduction
- Create an agentic workflow with `java` in the allowed network list:
  ```yaml
  network:
    firewall: true
    allowed:
      - defaults
      - github
      - java
  ```
- Run a workflow that needs to download Maven or configure Gradle toolchains
- Observe blocked domain errors in firewall logs
Evidence
Firewall access logs showing blocked requests:
```
TCP_DENIED dlcdn.apache.org:443
TCP_DENIED archive.apache.org:443
TCP_DENIED download.java.net:443
```
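The log triage behind the table above, as an added example that is not part of the original issue or the project's code: it counts `TCP_DENIED` hosts that an ecosystem profile does not cover, so each candidate can be reviewed before the egress allowlist is widened. The function names, the `match_subdomains` option, and the assumption that `ecosystem_domains.json` is an object mapping ecosystem names to domain lists are all hypothetical; the profile and log below are constructed samples.

```python
import json
import re
from collections import Counter

# Constructed sample: an abridged "java" profile using entries listed in the
# issue. Assumption: the file maps ecosystem names to lists of domains.
PROFILE_JSON = '''
{"java": ["www.java.com", "jdk.java.net", "repo.maven.apache.org",
          "maven.apache.org", "gradle.org", "services.gradle.org"]}
'''

# Constructed sample log: the three denied lines from the issue, plus a
# non-denied line and a case/trailing-dot variant to exercise normalization.
SAMPLE_LOG = """\
TCP_DENIED dlcdn.apache.org:443
TCP_TUNNEL repo.maven.apache.org:443
TCP_DENIED archive.apache.org:443
TCP_DENIED download.java.net:443
TCP_DENIED DLCDN.apache.org.:443
"""

# First host:port token that follows a TCP_DENIED marker on the line.
DENIED = re.compile(r"\bTCP_DENIED\b.*?\s([A-Za-z0-9.-]+):(\d+)\b")

def normalize(host):
    """Lower-case and drop a trailing dot so variants compare equal."""
    return host.lower().rstrip(".")

def is_covered(host, allowed, match_subdomains=False):
    """Exact match; optionally treat each entry as covering its subdomains."""
    if host in allowed:
        return True
    return match_subdomains and any(host.endswith("." + d) for d in allowed)

def missing_domains(log_text, profile_json, ecosystem="java", match_subdomains=False):
    """Return {(host, port): denied_count} for hosts the profile does not cover."""
    allowed = {normalize(d) for d in json.loads(profile_json)[ecosystem]}
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            host = normalize(m.group(1))
            if not is_covered(host, allowed, match_subdomains):
                counts[(host, int(m.group(2)))] += 1
    return dict(counts)

if __name__ == "__main__":
    for (host, port), n in sorted(missing_domains(SAMPLE_LOG, PROFILE_JSON).items()):
        print(f"{host}:{port}\t{n} denied")
```

Whether the firewall treats a profile entry as an exact host or as a suffix that also covers subdomains determines how much each addition opens up, so set `match_subdomains` to match the real enforcement before trusting the output.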