SAST Scanning fails when set up as a multi-module Maven project

We have tried to add SAST to our Java Maven project using the following job:

sast:
  image: docker:stable
  stage: validate
  tags:
    - docker
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --env MAVEN_OPTS="-B -Dmaven.repo.local=/tmp/app/.m2 -Dapi.version=${API_VERSION} -Dbuild.profile.id=${BUILD_PROFILE}"
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  dependencies:
    - prepare:maven
  artifacts:
    paths: [gl-sast-report.json]

But the result is always

2018/05/23 07:07:10 [find-sec-bugs] Detect project using plugin
2018/05/23 07:07:10 [find-sec-bugs] Project is compatible
2018/05/23 07:07:10 [find-sec-bugs] Starting analyzer...
10-8-stable: Pulling from gitlab-org/security-products/analyzers/find-sec-bugs
Digest: sha256:11eb89ab06b37288a92d427b70d286b69e19dc1209f8fcc5de48a833d58e5d5f
Status: Image is up to date for registry.gitlab.com/gitlab-org/security-products/analyzers/find-sec-bugs:10-8-stable
Found project in /tmp/app
2018/05/23 07:07:18 open /tmp/app/target/spotbugsXml.xml: no such file or directory
2018/05/23 07:07:22 Container exited with non zero status code

Do we need to add something to our pom?


Second report

Summary

SAST Scanning fails when set up as a multi-module Maven project.

Steps to reproduce

  1. Create a multi-module Maven project with two modules.
  2. Enable Dependency Scanning in .gitlab-ci.yml

Example Project

https://gitlab.com/dansiviter/multi-module-failure

What is the current bug behavior?

It appears to be unable to locate a /tmp/app/target/spotbugsXml.xml file.

What is the expected correct behavior?

The testing completes and results are returned.

Relevant logs and/or screenshots

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 15.269 s
[INFO] Finished at: 2018-07-02T11:02:26Z
[INFO] ------------------------------------------------------------------------
2018/07/02 11:02:26 open /tmp/app/target/spotbugsXml.xml: no such file or directory
2018/07/02 11:02:29 Container exited with non zero status code
ERROR: Job failed: exit code 1

See linked pipeline for example: https://gitlab.com/dansiviter/multi-module-failure/-/jobs/78759837

Output of checks

This bug happens on GitLab.com

Possible fixes

Unknown

Edited Dec 12, 2018 by Fabio Busatto
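As an added diagnostic (not part of either report, the linked reproduction project, or GitLab's analyzer), the POSIX shell script below models the failure both logs show: the find-sec-bugs analyzer opens <root>/target/spotbugsXml.xml, whereas a multi-module Maven build writes its spotbugsXml.xml under each module's own target/ directory, so the root-level file is never there. The sample project layout, module names and file contents are constructed; the function names are mine.

```shell
#!/bin/sh
# Added diagnostic (not the analyzer's own code): given a Maven project root,
# report whether the file the find-sec-bugs analyzer opens
# (<root>/target/spotbugsXml.xml) exists, and list every per-module report
# that a multi-module build produced instead.

# Print the path of every spotbugsXml.xml below the given root, one per line.
find_spotbugs_reports() {
  find "$1" -type f -name spotbugsXml.xml -path '*/target/*' | sort
}

# Count the reports found below the root (tr strips BSD wc's leading spaces).
count_spotbugs_reports() {
  find_spotbugs_reports "$1" | wc -l | tr -d ' '
}

# Exit 0 if the root-level report the analyzer reads exists, 1 otherwise.
root_report_exists() {
  [ -f "$1/target/spotbugsXml.xml" ]
}

# Classify the layout:
#   root          the root-level report exists (single-module build)
#   modules-only  reports exist, but only inside sub-modules (the issue's case)
#   none          no report anywhere (SpotBugs never ran)
classify_layout() {
  root="$1"
  if root_report_exists "$root"; then
    echo root
  elif [ "$(count_spotbugs_reports "$root")" -gt 0 ]; then
    echo modules-only
  else
    echo none
  fi
}

# Build a constructed two-module layout (same shape as the reproduction
# project; module names and contents are made up) in a temporary directory
# and print its path.
make_sample_project() {
  dir=$(mktemp -d)
  mkdir -p "$dir/module-a/target" "$dir/module-b/target"
  : > "$dir/pom.xml"
  printf '<BugCollection/>\n' > "$dir/module-a/target/spotbugsXml.xml"
  printf '<BugCollection/>\n' > "$dir/module-b/target/spotbugsXml.xml"
  echo "$dir"
}

# Stand-alone run: show what the analyzer would (not) find in the sample layout.
sample=$(make_sample_project)
echo "layout: $(classify_layout "$sample")"
find_spotbugs_reports "$sample"
rm -rf "$sample"
```

Run the functions against the checked-out tree inside the job (for example `classify_layout "$PWD"` after the Maven build) to confirm which case you are in before touching the pom: a `modules-only` result means SpotBugs did run and produced reports, just not at the path the analyzer reads.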