Multi-module Maven project support for SAST
Problem to solve
Multi-module projects are not yet supported for SAST. Scanning a project like WebGoat will return an error.
Further details
Multi-module projects are complex but more frequent than the simpler single module ones. This issue is about improving our Java support, and cover a lot more projects than what we have today. Note that multi-module projects are already supported by Gemnasium (with possible edge-cases not yet discovered).
Proposal
Following discussions on https://gitlab.com/gitlab-org/gitlab-ee/issues/6733#note_84586601, it seems possible to leverage the FSB CLI to handle this kind of projects.
What does success look like, and how can we measure that?
SAST job succeeding with Multi-module projects.
Links / references
https://gitlab.com/gitlab-org/gitlab-ee/issues/6733#note_84586601
An engineering discovery issue is available at https://gitlab.com/gitlab-org/gitlab-ee/issues/9046.
SpotBugs MultiModule Maven Configuration doc: https://spotbugs.github.io/spotbugs-maven-plugin/examples/multi-module-config.html