Running Spotbugs fails, but I don't see any errors

Hi!

I’m running the Spotbugs SAST analyzer, but it fails without any indication of the issue. What can I do to debug this better? I already tried running it with TRACES enabled, but that does not help.

$ /analyzer run
[INFO] [Find Security Bugs] [2021-03-19T15:35:23Z] ▶ GitLab Find Security Bugs analyzer v2.25.3
[INFO] [Find Security Bugs] [2021-03-19T15:35:23Z] ▶ Detecting project
[INFO] [Find Security Bugs] [2021-03-19T15:35:23Z] ▶ Found project in /builds/$REPO
[INFO] [Find Security Bugs] [2021-03-19T15:35:23Z] ▶ Running analyzer
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradlew project in /builds/$REPO directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/buildSrc directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/tools/osm directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradlew project in /builds/$REPO/server directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found Gradle project in /builds/$REPO/server/[redacted] directory
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Found 24 analyzable projects.
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Building Gradlew project at /builds/$REPO with static compilation.
[INFO] [Find Security Bugs] [2021-03-19T15:35:47Z] ▶ Building failed, trying building without static compilation: exit status 1
[INFO] [Find Security Bugs] [2021-03-19T15:35:47Z] ▶ Building Gradlew project at /builds/$REPO.
[ERRO] [Find Security Bugs] [2021-03-19T15:35:48Z] ▶ Project couldn't be built: exit status 1
[FATA] [Find Security Bugs] [2021-03-19T15:35:48Z] ▶ exit status 1
Uploading artifacts for failed job

I was expecting some Gradle error, but it does not seem to run? I’m not sure. Any pointers are helpful.

@bt-nia

If we set the SECURE_LOG_LEVEL to debug, you should see more details into where it’s failing and why:

include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  SECURE_LOG_LEVEL: "debug"

I wouldn’t expect this to fix anything, but it should give a lot more insight into why the project can’t be built and what is causing the exit status 1.

As this is failing on the spotbugs-sast job, you may also want to try it with

spotbugs-sast:
  variables:
    FAIL_NEVER: 1

Let us know how it goes!
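
Added example (not part of the original thread and not GitLab's code): a small Python triage script that parses the analyzer log line format shown in the question and pairs each build attempt with the failure line that ends it, so the timestamps show how long each attempt ran before `exit status 1`. The sample log is constructed from the lines in the question, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample, copied in shape from the analyzer output in the question.
SAMPLE_LOG = """\
[INFO] [Find Security Bugs] [2021-03-19T15:35:24Z] ▶ Building Gradlew project at /builds/$REPO with static compilation.
[INFO] [Find Security Bugs] [2021-03-19T15:35:47Z] ▶ Building failed, trying building without static compilation: exit status 1
[INFO] [Find Security Bugs] [2021-03-19T15:35:47Z] ▶ Building Gradlew project at /builds/$REPO.
[ERRO] [Find Security Bugs] [2021-03-19T15:35:48Z] ▶ Project couldn't be built: exit status 1
[FATA] [Find Security Bugs] [2021-03-19T15:35:48Z] ▶ exit status 1
Uploading artifacts for failed job
"""

LINE = re.compile(r"^\[(\w+)\] \[([^\]]+)\] \[([^\]]+)\] ▶ (.*)$")
START = re.compile(r"^Building (\w+) project at (.+?)( with static compilation)?\.$")
FAIL = re.compile(r"^(?:Building failed|Project couldn't be built).*exit status (\d+)$")

def parse(log):
    """Yield (level, timestamp, message) for analyzer lines; skip runner lines."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(3), "%Y-%m-%dT%H:%M:%SZ")
            yield m.group(1), ts, m.group(4)

def build_attempts(log):
    """Pair each 'Building ... project' line with the failure line that ends it."""
    attempts, current = [], None
    for level, ts, msg in parse(log):
        start, fail = START.match(msg), FAIL.match(msg)
        if start:
            current = {"tool": start.group(1), "path": start.group(2),
                       "static": bool(start.group(3)), "started": ts,
                       "seconds": None, "exit_status": None}
            attempts.append(current)
        elif fail and current:
            current["seconds"] = int((ts - current["started"]).total_seconds())
            current["exit_status"] = int(fail.group(1))
            current = None
    return attempts

def scan_was_blocked(log):
    """True when the analyzer logged a FATA line."""
    return any(level == "FATA" for level, _, _ in parse(log))

if __name__ == "__main__":
    for a in build_attempts(SAMPLE_LOG):
        print(a["tool"], a["path"], a["static"], a["seconds"], a["exit_status"])
```

On the log in the question, the static-compilation attempt ran for 23 seconds and the fallback attempt failed after 1 second, both with exit status 1.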