Neither the Semgrep nor SpotBugs are finding issues with Java code. The Semgrep scanner shows that it is scanning Java files, but does not report any issues. To verify, I created a Java file with issues, as well as a Python and C file with known issues. The Python and C file do report errors, but not any of the java code (not even the issue I created). It is almost like there is a variable that isn’t set correct (e.g. SAST_REPORT_JAVA = ‘true’), but cannot find any variable to set. The Semgrep parser is reporting the correct number of java files. I also set these two variables to provide more information:
CI_DEBUG_TRACE: “true”
SECURE_LOG_LEVEL: “debug”
but not seeing anything in the output.
Hi, I am also facing with the same issue. My configuration is as below:
include:
template: Jobs/SAST.gitlab-ci.yml
sast:
stage: test
The jobs did state succeeded and in the logs it says
detecting project
analyzer will attempt to analyze all projects in the repository
running analyzer
creating reports
the json report is generated and found in the artifact but does not report any issues at all. I was trying out in another repo that has Scala codes and it does not report issues too. However it reports error in another repository that has python code. Anyone able to assist on this?