We are evaluating SAST for scanning Java applications.
I’m starting with a simple hello world application with some added bugs
that spotbugs finds running by hand (i.e. an empty catch(Exception){} block).
The analysis runs and seems to generate a json result file artifact, …
Using docker image sha256:b9c8eb2f34e0a5853850cc845f191a848da1087678defb3fee7a6781d34aa672 for registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs:2 with digest registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs@sha256:7dced8cf99f5604a2a4a929e2f067ce9b241be8ab66fd76a7185999399d25eab ...
$ /analyzer run
[INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ GitLab Find Security Bugs analyzer v2.28.5
[INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Detecting project
[INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Found project in /builds/root/helloworldant
[INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Running analyzer
[INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Found Ant project in /builds/root/helloworldant directory
[INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Found 1 analyzable projects.
[INFO] [Find Security Bugs] [2021-09-01T18:58:13Z] ▶ Building Ant project at /builds/root/helloworldant.
[INFO] [Find Security Bugs] [2021-09-01T18:58:14Z] ▶ Project built.
[INFO] [Find Security Bugs] [2021-09-01T18:58:18Z] ▶ SpotBugs analysis succeeded for /builds/root/helloworldant!
[INFO] [Find Security Bugs] [2021-09-01T18:58:18Z] ▶ Creating report
Uploading artifacts for successful job 00:03
Uploading artifacts...
gl-sast-report.json: found 1 matching files and directories
Uploading artifacts as "sast" to coordinator... ok id=220 responseStatus=201 Created token=j95pbAKJ
The Security Compliance/Vulnerability Report page shows it's been updated due
to the build, but all the categories show 0 vulnerabilities. There should have been
at least two, because running spotbugs by hand shows the errors.
Any ideas what I'm doing wrong?
Thanks in advance,
Cary
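A quick way to tell whether the dashboard dropped findings or the analyzer simply emitted none is to inspect the gl-sast-report.json artifact directly. The script below is an added example, not part of the post above or of GitLab's analyzer; it assumes the artifact follows GitLab's SAST report schema (a top-level "vulnerabilities" array whose entries carry "severity", "location" and "identifiers"), and the two embedded reports are constructed samples, not real job output.

```python
"""Summarise a GitLab SAST report (gl-sast-report.json) before trusting the
dashboard count: an empty "vulnerabilities" array means the analyzer itself
reported nothing, so the 0 on the dashboard is accurate for that artifact."""
import json
from collections import Counter

# Constructed sample in the shape of GitLab's SAST report schema; the file
# path, line and pattern are illustrative and not taken from any real scan.
SAMPLE_REPORT = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [{
        "id": "constructed-1",
        "category": "sast",
        "name": "Predictable pseudorandom number generator",
        "severity": "Medium",
        "scanner": {"id": "find_sec_bugs", "name": "Find Security Bugs"},
        "location": {"file": "src/Hello.java", "start_line": 12},
        "identifiers": [{"type": "find_sec_bugs_type", "value": "PREDICTABLE_RANDOM"}],
    }],
})

# Constructed report with no findings, the situation described in the post.
EMPTY_REPORT = json.dumps({"version": "14.0.0", "vulnerabilities": []})


def summarize(report_text):
    """Return (finding count, counts per severity, 'file:line PATTERN' strings)."""
    report = json.loads(report_text)
    vulns = report.get("vulnerabilities", [])
    by_severity = Counter(v.get("severity", "Unknown") for v in vulns)
    findings = []
    for v in vulns:
        loc = v.get("location", {})
        # Bug-pattern identifiers end in "_type" in GitLab's schema; fall back to the name.
        patterns = [i["value"] for i in v.get("identifiers", [])
                    if i.get("type", "").endswith("_type")]
        label = ",".join(patterns) or v.get("name", "?")
        findings.append(f"{loc.get('file', '?')}:{loc.get('start_line', '?')} {label}")
    return len(vulns), dict(by_severity), findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_REPORT), ("empty", EMPTY_REPORT)):
        count, severities, findings = summarize(text)
        print(f"{name}: {count} finding(s) {severities}")
        for line in findings:
            print("  ", line)
        if count == 0:
            print("   parsed fine, but the analyzer emitted no findings for this artifact")
```

Run it against the real artifact by replacing the constructed text with `open("gl-sast-report.json").read()`; if the array is empty, the question to chase is what the analyzer reports on, not how the dashboard renders it.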