Multi-module Maven project support for SAST
Problem to solve
Multi-module projects are not yet supported for SAST. Scanning a project like WebGoat will return an error.
Multi-module projects are complex but more frequent than the simpler single-module ones. This issue is about improving our Java support and covering a lot more projects than we do today. Note that multi-module projects are already supported by Gemnasium (with possible edge cases not yet discovered).
Following discussions on #6733 (comment 84586601), it seems possible to leverage the FSB CLI to handle this kind of project.
What does success look like, and how can we measure that?
SAST job succeeding with multi-module projects.
Links / references
An engineering discovery issue is available at #9046 (closed).
SpotBugs MultiModule Maven Configuration doc: https://spotbugs.github.io/spotbugs-maven-plugin/examples/multi-module-config.html