Neither Semgrep nor SpotBugs is finding issues with Java code. The Semgrep scanner shows that it is scanning Java files, but does not report any issues. To verify, I created a Java file with issues, as well as a Python and a C file with known issues. The Python and C files do report errors, but none of the Java code does (not even the issue I created). It is almost as if there is a variable that isn’t set correctly (e.g. SAST_REPORT_JAVA = ‘true’), but I cannot find any variable to set. The Semgrep parser is reporting the correct number of Java files. I also set these two variables to provide more information:
but I am not seeing anything in the output.
Has anyone else encountered this issue?