Spotbugs-sast detects 0 vulnerabilities on projects using Ant
Summary
The Spotbugs SAST analyzer always detects 0 vulnerabilities when scanning projects that use the Ant build tool.
The behavior is the same whether one uses pre-compilation or spotbugs does the build.
This issue was created on behalf of a Large Ultimate SaaS customer who reported this problem happening on 4 different codebases in a support ticket.
I was able to reproduce this by running spotbugs-sast on several 3+ year old open source projects that use Ant. Thus far, I've been unable to find any examples of an Ant project where vulnerabilities are detected.
Steps to reproduce
- Import a Java project that uses Ant
- Enable SAST scanning
- Note that spotbugs-sast job detects zero vulnerabilities.
Example Project
What is the current bug behavior?
Zero vulnerabilities are detected by spotbugs-sast on projects that use Ant.
What is the expected correct behavior?
Spotbugs-sast finds at least one vulnerability in at least one project using Ant.
Relevant logs and/or screenshots
Output of checks
This problem occurs on GitLab.com
Results of GitLab environment info
This problem occurs on GitLab.com
Results of GitLab application Check
This problem occurs on GitLab.com