Unable to exclude SpotBugs analyzer using SAST_EXCLUDED_ANALYZERS in SEP
Summary
One of our large customers has reported an issue with excluding spotbugs scanning when utilizing the Scan Execution Policy (SEP). They've observed that the Static Application Security Testing (SAST) scans for the spotbugs analyzer consistently fail, and they wish to exclude the spotbugs analyzer from the pipeline.
However, despite adding the SAST_EXCLUDED_ANALYZERS variable in the scan execution policy, the exclusion is not taking effect, and the spotbugs security scan job continues to trigger.
Steps to reproduce
- Create a new project and add some source code files to it (there shouldn't be any compiled code)
- Create a SEP and set `SAST_EXCLUDED_ANALYZERS` to exclude the `spotbugs` analyzer
- Now make changes to the source code file and observe the pipeline (the `spotbugs` scan will run)
Example Project
What is the current bug behavior?
- Even when the variable `SAST_EXCLUDED_ANALYZERS` is set to exclude the `spotbugs` analyzer in the SEP, the scan is still running in the pipeline
What is the expected correct behavior?
- Even when the variable `SAST_EXCLUDED_ANALYZERS` is set to exclude the `spotbugs` analyzer in the SEP, the scan shouldn't run.
Possible fixes
- backend: in `Security::SecurityOrchestrationPolicies::CiConfigurationService`, the `remove_rule_to_disable_job!` method should not remove the rule matching the `_EXCLUDED_ANALYZERS` pattern when that variable is provided in the policy.
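As an added illustration (not GitLab's own code), here is a simplified Ruby model of the rule rewriting this fix refers to: the reported behaviour strips the exclusion rule together with the other `when: never` rules, and the proposed change keeps it when the policy supplies the variable. The rule shapes, the tiny evaluator and the function names are constructed assumptions, not the service's real implementation.

```ruby
# Added illustration, not GitLab's code: a simplified model of how a scan
# execution policy (SEP) rewrites a SAST job's `rules` before enforcing it.

# Constructed sample in the shape of the rules a SAST analyzer job carries;
# the `when: never` rule on *_EXCLUDED_ANALYZERS is what lets the variable
# switch the job off.
SPOTBUGS_RULES = [
  { 'if' => '$SAST_DISABLED == "true"', 'when' => 'never' },
  { 'if' => '$SAST_EXCLUDED_ANALYZERS =~ /spotbugs/', 'when' => 'never' },
  { 'if' => '$CI_COMMIT_BRANCH', 'exists' => ['**/*.java'] }
].freeze
EXCLUDED_PATTERN = /_EXCLUDED_ANALYZERS/

# Reported behaviour: every rule that could stop the job is stripped so the
# policy always enforces the scan, and the exclusion rule goes with it.
def remove_rule_to_disable_job_buggy(rules, _policy_variables)
  rules.reject { |rule| rule['when'] == 'never' }
end

# Proposed fix: keep the *_EXCLUDED_ANALYZERS rule when the policy itself
# provides that variable, so the exclusion the policy author asked for holds.
def remove_rule_to_disable_job_fixed(rules, policy_variables)
  policy_excludes = policy_variables.keys.any? { |k| k.to_s.match?(EXCLUDED_PATTERN) }
  rules.reject do |rule|
    next false unless rule['when'] == 'never'
    !(policy_excludes && rule['if'].to_s.match?(EXCLUDED_PATTERN))
  end
end

# Minimal evaluator for the two `if` forms used above (assumption: just
# enough to show the effect; real CI rule evaluation is richer).
def rule_matches?(rule, variables)
  cond = rule['if'].to_s
  if (m = cond.match(%r{\A\$(\w+) =~ /(.+)/\z}))
    variables[m[1]].to_s.match?(Regexp.new(m[2]))
  elsif (m = cond.match(/\A\$(\w+) == "(.*)"\z/))
    variables[m[1]].to_s == m[2]
  else
    false
  end
end

# A job runs unless some `when: never` rule matches the pipeline variables.
def job_runs?(rules, variables)
  rules.none? { |r| r['when'] == 'never' && rule_matches?(r, variables) }
end

POLICY_VARIABLES = { 'SAST_EXCLUDED_ANALYZERS' => 'spotbugs' }.freeze
puts job_runs?(remove_rule_to_disable_job_buggy(SPOTBUGS_RULES, POLICY_VARIABLES), POLICY_VARIABLES) # true: the bug
puts job_runs?(remove_rule_to_disable_job_fixed(SPOTBUGS_RULES, POLICY_VARIABLES), POLICY_VARIABLES) # false
```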
Edited by Alan (Maciej) Paruszewski