Allow Use of Pre-Compilation with SpotBugs Analyzer
What does this MR do and why?
As noted in https://docs.gitlab.com/user/application_security/sast/#using-pre-compilation-with-spotbugs-analyzer, the SpotBugs analyzer automatically attempts to fetch and compile the code to be scanned. The documentation suggests using pre-compilation where you have a custom build configuration or your language version isn't built into the analyzer. To skip the analyzer's compilation step and provide the pre-compiled artifacts from an earlier job, it must be possible to set the variable `COMPILE: "false"` in the `variables:` list of the `spotbugs-sast` job, and to list the earlier job that provides the pre-compiled artifacts in the `dependencies:` array.
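The following `.gitlab-ci.yml` fragment is an added illustration of the configuration described above; it is not part of this MR, the SAST project, or the GitLab documentation. The `build` job name, the `maven:3-eclipse-temurin-17` image, the `mvn package` command and the `target/*.jar` artifact path are assumptions for a Maven project; the only parts the description requires are `COMPILE: "false"` under `variables:` and the build job under `dependencies:` of `spotbugs-sast`.

```yaml
# Added example (not from the MR or the GitLab docs). Assumes a Maven project
# whose compiled output lands in target/*.jar.
stages:
  - build
  - test

include:
  # Brings in the spotbugs-sast job definition that is overridden below.
  - template: Jobs/SAST.gitlab-ci.yml

# Assumed job name and toolchain: compiles the project once, with whatever
# custom build configuration the project needs, and keeps the output as artifacts.
build:
  stage: build
  image: maven:3-eclipse-temurin-17
  script:
    - mvn --batch-mode package -Dmaven.test.skip=true
  artifacts:
    paths:
      - target/*.jar
    expire_in: 1 day

# Override the templated job: skip the analyzer's own fetch-and-compile step
# and hand it the artifacts produced by the earlier build job instead.
spotbugs-sast:
  stage: test
  dependencies:
    - build
  variables:
    COMPILE: "false"
```

Because `dependencies:` restricts which artifacts are downloaded into the `spotbugs-sast` job, the build job must run in an earlier stage and its `artifacts.paths` must cover everything the analyzer is expected to scan; with `COMPILE: "false"` the analyzer will not produce those class files itself.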
How to set up and validate locally
- Create an MR in SAST project
- Verify spotbugs runs using pre-compiled artifacts
Edited by Melissa Beldman