Replace SpotBugs analyzer with semgrep rules (for Java)

Why are we doing this work

Come up with a good-enough semgrep ruleset covering SpotBugs in order to move Java analysis to Semgrep instead of the current analyzer. In this issue, when we write SpotBugs, we actually mean SpotBugs + FindSecBugs.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  1. Update the structure of https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules to account for Java
  2. Identify the rules we have to migrate and find the corresponding test cases in the SpotBugs code repository
  3. For every rule, search for corresponding test cases in the code repository
  4. Add a first rule + test case in Java to https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules so that we can try it with the testing framework + SpotBugs|semgrep
  5. Create a branch of https://gitlab.com/gitlab-org/security-products/analyzers/semgrep with Java support (enabling the .java file extension)
  6. Hook the (temporary) semgrep Docker image created in step 5 into the testing framework by setting the corresponding variable (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/rule-testing-framework/rule-testing/-/blob/main/.gitlab-ci.yml#L15)
  7. Configure https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/rule-testing-framework/rule-testing so that it uses SpotBugs and runs the test case we added in step 2
  8. Systematically add further rules + test cases (from step 2) in Java to https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules

Rules Completion Status

The rules and their completion status are tracked in this issue.

Reference Links

Edited by Julian Thome