Allow configuration of spotbugs effort level
Problem to solve
We do not currently offer an option to configure the SAST SpotBugs analyzer's effort value. By exposing this configuration, our customers can reduce computation cost and potentially avoid out-of-memory (OOM) issues on large projects.
From the SpotBugs command-line documentation:

-effort[:min|less|default|more|max]:
Set analysis effort level. The -effort:min disables several analyses that increase precision but also increase memory consumption. You may want to try this option if you find that SpotBugs with the -effort:less still runs out of memory, or takes an unusually long time to complete its analysis. The -effort:less disables some analyses that increase precision but also increase memory consumption. You may want to try this option if you find that SpotBugs with the -effort:more/-effort:default runs out of memory, or takes an unusually long time to complete its analysis. The -effort:more runs several analyses to find bugs; this is the -effort:default. The -effort:max enables analyses which increase precision and find more bugs, but which may require more memory and take more time to complete. See the Effort section of the SpotBugs documentation.
Proposal
- Update analyze.go to accept an environment variable for modifying the default value of effort
- Update the SAST docs to describe the new variable
Implementation Plan
We will accept the effort input for SpotBugs via the SAST_SCANNER_ALLOWED_CLI_OPTS CI variable. Here's the implementation checklist:
- Move the parsing logic of SAST_SCANNER_ALLOWED_CLI_OPTS introduced in the Semgrep repository to a common place so the logic can be reused | gitlab-org/security-products/analyzers/command!48 (merged)
- Accept -effort[:min|less|default|more|max] as one of the inputs for SAST_SCANNER_ALLOWED_CLI_OPTS in the SpotBugs analyzer source | gitlab-org/security-products/analyzers/spotbugs!171 (merged)
- Update the SAST docs about the above entry under the Security Scanner Configuration section | !121916 (merged)
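The security-relevant part of this plan is that SAST_SCANNER_ALLOWED_CLI_OPTS is an allowlist: a CI variable set in a pipeline must not become a way to pass arbitrary flags to the scanner. The Go snippet below is an added illustration of that pattern and is not the analyzer's own code; the function name ParseAllowedCLIOpts, the allowlist contents and the env-var handling in main are assumptions. It accepts -effort only with one of the five documented levels and rejects any other flag or value.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// validEfforts lists the effort levels documented for the SpotBugs -effort flag.
var validEfforts = map[string]bool{
	"min": true, "less": true, "default": true, "more": true, "max": true,
}

// allowedFlags is the allowlist of scanner flags a pipeline may set through
// SAST_SCANNER_ALLOWED_CLI_OPTS. Anything not listed here is refused, so the
// CI variable cannot be used to smuggle unrelated options into the scanner.
// (Hypothetical: the real analyzer's allowlist may differ.)
var allowedFlags = map[string]bool{"-effort": true}

// ParseAllowedCLIOpts splits the raw CI variable on whitespace and returns the
// normalized flags that pass the allowlist. It fails closed: one bad token makes
// the whole value invalid rather than silently dropping it.
func ParseAllowedCLIOpts(raw string) ([]string, error) {
	var out []string
	for _, tok := range strings.Fields(raw) {
		// SpotBugs uses "flag:value" syntax, e.g. "-effort:min".
		name, value, hasValue := strings.Cut(tok, ":")
		if !allowedFlags[name] {
			return nil, fmt.Errorf("flag %q is not in the allowlist", name)
		}
		switch name {
		case "-effort":
			// Require an explicit level; a bare "-effort" is rejected here as a
			// stricter choice than the SpotBugs CLI itself makes.
			if !hasValue || !validEfforts[value] {
				return nil, fmt.Errorf("invalid effort level %q (want min|less|default|more|max)", value)
			}
			out = append(out, "-effort:"+value)
		}
	}
	return out, nil
}

func main() {
	// Read the CI variable as the analyzer would; empty means "use scanner defaults".
	opts, err := ParseAllowedCLIOpts(os.Getenv("SAST_SCANNER_ALLOWED_CLI_OPTS"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "rejected SAST_SCANNER_ALLOWED_CLI_OPTS:", err)
		os.Exit(1)
	}
	fmt.Println("spotbugs args:", opts)
}
```

Running it with SAST_SCANNER_ALLOWED_CLI_OPTS="-effort:min" yields the single argument -effort:min, while a value such as "-effort:turbo" or any flag outside the allowlist causes the analyzer to refuse the configuration instead of forwarding it.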