
SAST SpotBugs fails on Maven multi-module projects

Summary

When running the SpotBugs SAST analyzer (registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs) on a Maven multi-module project, the SAST analysis breaks because it cannot find the .m2 repository:

  • parent
    • child1
    • child2

It searches for the Maven repo in parent/child1 instead of parent:

```
[INFO] [Find Security Bugs] [2021-06-30T00:22:32Z] ▶ GitLab Find Security Bugs analyzer v2.28.3
[INFO] [Find Security Bugs] [2021-06-30T00:22:32Z] ▶ Detecting project
...
[INFO] [Find Security Bugs] [2021-06-30T00:25:09Z] ▶ SpotBugs analysis succeeded for /builds/wac/core/components/core-parent!
[FATA] [Find Security Bugs] [2021-06-30T00:25:09Z] ▶ lstat /builds/xx/core/components/parent/child1/.m2/repository: no such file or directory
```

CI configuration:

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml

spotbugs-sast:
  needs: ["build"]
  allow_failure: true
  variables:
    SAST_JAVA_VERSION: 11
    MAVEN_REPO_PATH: .m2/repository
    COMPILE: "false"
```

Same problem if I set `MAVEN_REPO_PATH` to `./.m2/repository`.

Steps to reproduce

  • Create a Maven multi-module project
  • Add a CI configuration with the SAST report template and set `MAVEN_REPO_PATH`

Example Project

What is the current bug behavior?

Report breaks.

What is the expected correct behavior?

Report generated.

Relevant logs and/or screenshots

(Same analyzer log as shown in the Summary above.)


Possible fixes
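As an added illustration (not the analyzer's code and not part of the original report), the following POSIX shell script rebuilds the layout from the report in a temporary directory and mimics the resolution described above: a relative `MAVEN_REPO_PATH` is joined to the module directory being analysed, while an absolute value anchored at the project root (`$CI_PROJECT_DIR/.m2/repository`, assumed here as the workaround) resolves from any module.

```shell
#!/bin/sh
# Added example: mimics the path resolution described in the issue on a
# constructed directory layout. Not the analyzer's own code.

# Constructed layout mirroring the report: parent/{child1,child2} with the
# Maven repo cached at parent/.m2/repository. Prints the root directory.
make_layout() {
  root="$(mktemp -d)"
  mkdir -p "$root/child1" "$root/child2" "$root/.m2/repository"
  printf '%s\n' "$root"
}

# Mimic the failing check: resolve MAVEN_REPO_PATH against the directory the
# analysis runs in (a child module) and lstat the result. Prints the resolved
# path; returns 0 if it exists, 1 otherwise (the analyzer's FATA case).
check_repo_path() {
  module_dir="$1"; repo_path="$2"
  case "$repo_path" in
    /*) resolved="$repo_path" ;;             # absolute: used as given
    *)  resolved="$module_dir/$repo_path" ;; # relative: joined to module dir
  esac
  printf '%s\n' "$resolved"
  [ -d "$resolved" ]
}

demo() {
  project_dir="$(make_layout)"   # in a pipeline this is $CI_PROJECT_DIR
  # Relative value from the issue: resolved under child1, so it is not found.
  if check_repo_path "$project_dir/child1" ".m2/repository" >/dev/null; then
    echo "relative .m2/repository unexpectedly found from child1"
  else
    echo "relative .m2/repository not found from child1 (matches the FATA line)"
  fi
  # Assumed workaround: an absolute path anchored at the project root.
  if check_repo_path "$project_dir/child1" "$project_dir/.m2/repository" >/dev/null; then
    echo "absolute <project root>/.m2/repository found from child1"
  fi
  rm -rf "$project_dir"
}

demo
```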