Stop running spotbugs for java files
Proposal
- Remove line: https://gitlab.com/gitlab-org/gitlab/-/blob/07d922c66d33e13682ea22ea4a762ac6c07e56a4/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml#L301
-
Remove java from https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs/-/blob/master/project/project.go#L43 and other relevant places- Let's keep the analyzer able to run Java if customers need it to. The reason is that we may encounter bugs like #361766 (comment 952361646) and it is better to have the analyzer still be capable of scanning Java than to require users to pin to an older version to gain that behavior. Once we've gotten a handle on the Semgrep issues we can re-consider removing SpotBugs' ability to scan Java.
Reference Issue
Implementation Plan
-
Remove .java
support from Spotbugs CI template | !86013 (closed) -
Remove| gitlab-org/security-products/analyzers/spotbugs!139 (closed).java
support from Spotbugs analyzer
Edited by Connor Gilbert