Can I disable gradle inside of SAST?

Our project uses Maven for dependency management but also uses Gradle for some external scripts. When the SAST scanner for SpotBugs runs, it picks up our gradlew and build.gradle files and fails, because it is likely expecting a regular Java Gradle project. It never finds our pom.xml file.

Is there a way to guide the SAST scanner to look at the pom file and ignore the gradle configuration?

Maybe you can exclude paths to prevent the scans from firing with SpotBugs; see the vulnerability filters in the docs. Custom rules also look interesting, though I cannot say if they are available for SpotBugs.

SpotBugs, by default, crawls the repo looking for Java/Maven/Gradle/Groovy projects and attempts to compile/build anything it finds. That’s because SpotBugs scans .jars, not the source code itself.

You can override this behavior and have it scan compiled .jars for your maven project by using the pre-compilation option: Static Application Security Testing (SAST) | GitLab

I’d suggest compiling the .jars in a build job and passing the .m2/target/ directories as artifacts to the spotbugs-sast job.

For example:

```yaml
stages:
  - build
  - test

include:
  - template: Security/SAST.gitlab-ci.yml

# Compile with Maven first so the SAST job has .jars to scan.
build:
  image: maven:3.6-jdk-8-slim
  stage: build
  script:
    # Keep the local repository inside the project dir so it can be passed on as an artifact.
    - mvn package -Dmaven.repo.local=./.m2/repository
  artifacts:
    paths:
      - .m2/
      - target/

# Override the job defined by the SAST template: consume the build artifacts
# and skip the analyzer's own compilation step.
spotbugs-sast:
  dependencies:
    - build
  variables:
    MAVEN_REPO_PATH: "$CI_PROJECT_DIR/.m2/repository"
    COMPILE: "false"
  artifacts:
    reports:
      sast: gl-sast-report.json
```