Spotbugs analyzer - exclude dirs not working as expected
Summary
We are using https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs as part of a SAST compliance framework.
/analyzer help run shows options like:
--ignored-dirs value Directory to be ignored (default: "bundle", "node_modules", "vendor", "tmp", "test", "tests") [$SEARCH_IGNORED_DIRS]
--excluded-paths value Comma-separated list of paths (globs supported) to be excluded from the output. [$SAST_EXCLUDED_PATHS]
but when I have a directory /foo that contains build.xml and I define $ANALYZER_TARGET_DIR as /,
I tried the CLI options as well as the env vars; I still get:
[INFO] [Spotbugs] [2023-11-10T10:48:06Z] ▶ GitLab Spotbugs analyzer v4.3.2
[INFO] [Spotbugs] [2023-11-10T10:48:06Z] ▶ Detecting project
[INFO] [Spotbugs] [2023-11-10T10:48:06Z] ▶ Analyzer will attempt to analyze all projects in the repository
[INFO] [Spotbugs] [2023-11-10T10:48:06Z] ▶ Running analyzer
[WARN] [Spotbugs] [2023-11-10T10:48:06Z] ▶ Java version not set in 'SAST_JAVA_VERSION' variable, using Java version - 17 as a fallback.
Read more about setting Java version under Analyzer Settings at: https://docs.gitlab.com/ee/user/application_security/sast
[INFO] [Spotbugs] [2023-11-10T10:48:08Z] ▶ Found Ant project in /foo directory
[INFO] [Spotbugs] [2023-11-10T10:48:08Z] ▶ Found Gradle project in /spotbugs directory
[INFO] [Spotbugs] [2023-11-10T10:48:08Z] ▶ Found 2 analyzable projects.
[INFO] [Spotbugs] [2023-11-10T10:48:08Z] ▶ Building Ant project at /foo.
Steps to reproduce
- Use the SAST scanner template GitLab provides
- Set the variable $SAST_EXCLUDED_PATHS and/or $SEARCH_IGNORED_DIRS to '/foo'
- Run the pipeline
Example Project
What is the current bug behavior?
The scanner will still scan the excluded directory, which extends the time of the build. With very large mono-repos and multi-module projects, building the entire project may take a very long time. By excluding certain directories, you should be able to reduce the run time for this job.
What is the expected correct behavior?
The scanner should NOT scan the excluded directories, to save time during the build phase.
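As an added illustration of the two mechanisms named in the help text above (not code from the original issue, and not the analyzer's own implementation), the following Python models project detection with an ignored-directory list and finding filtering with path globs, over a constructed repository layout that mirrors the one in the log. The matching rules are assumptions: SEARCH_IGNORED_DIRS is treated as matching a directory's base name (the defaults in the help text are bare names such as "vendor" and "tmp"), and SAST_EXCLUDED_PATHS is applied to findings after the scan, as the help text says it excludes paths "from the output". Confirm both against the analyzer source before relying on them.

```python
"""Added example: models SEARCH_IGNORED_DIRS (skip dirs while detecting
projects) and SAST_EXCLUDED_PATHS (drop findings by glob after the scan).
The repo tree, findings and matching rules below are constructed for
illustration; they are assumptions, not the analyzer's actual code."""
import fnmatch

# Defaults as printed by the analyzer's --ignored-dirs help text.
DEFAULT_IGNORED_DIRS = {"bundle", "node_modules", "vendor", "tmp", "test", "tests"}
BUILD_FILES = {"build.xml": "Ant", "build.gradle": "Gradle", "pom.xml": "Maven"}

# Constructed repository layout: directory -> file names in that directory.
REPO = {
    "/": {"README.md"},
    "/foo": {"build.xml", "Main.java"},
    "/spotbugs": {"build.gradle"},
    "/spotbugs/src": {"App.java"},
    "/vendor/lib": {"build.xml"},
}

# Constructed findings, paths relative to the repository root.
FINDINGS = [
    {"file": "foo/Main.java", "id": "SQL_INJECTION"},
    {"file": "spotbugs/src/App.java", "id": "PATH_TRAVERSAL_IN"},
]


def parse_list(value):
    """Split a comma-separated variable value into stripped, non-empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def detect_projects(repo, ignored_dirs=DEFAULT_IGNORED_DIRS):
    """Return {directory: build_system} for every directory holding a build
    file, skipping any directory whose base name, or an ancestor's base name,
    is in ignored_dirs. Assumption: matching is on the bare directory name,
    so an entry written as "/foo" never matches a directory named "foo"."""
    found = {}
    for directory, files in sorted(repo.items()):
        parts = [p for p in directory.split("/") if p]
        if any(p in ignored_dirs for p in parts):
            continue
        for name, system in BUILD_FILES.items():
            if name in files:
                found[directory] = system
    return found


def filter_findings(findings, excluded_globs):
    """Drop findings whose file path matches any SAST_EXCLUDED_PATHS glob.
    This only shrinks the report; the build and scan have already run."""
    return [
        f for f in findings
        if not any(fnmatch.fnmatch(f["file"], g) for g in excluded_globs)
    ]


def run(ignored_dirs_var="", excluded_paths_var=""):
    """Simulate one analyzer run with the two variables set as given."""
    ignored = DEFAULT_IGNORED_DIRS | set(parse_list(ignored_dirs_var))
    projects = detect_projects(REPO, ignored)
    # Only findings from projects that were actually built can exist.
    produced = [f for f in FINDINGS
                if "/" + f["file"].split("/")[0] in projects]
    return projects, filter_findings(produced, parse_list(excluded_paths_var))


if __name__ == "__main__":
    for ignored_var, excluded_var in [("", ""), ("/foo", "/foo"), ("foo", ""), ("", "foo/*")]:
        projects, report = run(ignored_var, excluded_var)
        print(f"SEARCH_IGNORED_DIRS={ignored_var!r} SAST_EXCLUDED_PATHS={excluded_var!r}")
        print("  built:", sorted(projects), " reported:", [f["file"] for f in report])
```

Under these assumed rules, setting either variable to '/foo' changes nothing: the leading slash prevents a base-name match during detection, and the glob '/foo' does not match the relative path 'foo/Main.java'. An entry of 'foo' would skip the Ant project before it is built, while 'foo/*' only removes its findings from the report after the full build.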