spotbugs Docker image fails on Mac OS when using sbt >= 1.4.0

Summary

The GitLab spotbugs Docker image registry.gitlab.com/security-products/spotbugs fails to produce a gl-sast-report.json and exits with status code 2 on Mac OS X. This is due to the fact that the spotbugs Docker image is using sbt >= 1.4.0.

Note: This bug is the same as "gemnasium-maven fails on Mac OS when using sbt ..." (#363487 - closed).

Steps to reproduce

$ docker pull registry.gitlab.com/security-products/spotbugs:5.4.0
$ git clone git@gitlab.com:gitlab-org/security-products/analyzers/spotbugs.git && cd spotbugs
$ docker run -it --rm -v "$PWD/qa/fixtures/scala:/ci-project-dir" \
  -e CI_PROJECT_DIR=/ci-project-dir \
  -e SECURE_LOG_LEVEL=debug registry.gitlab.com/security-products/spotbugs:5.4.0

[INFO] [Spotbugs] [2024-09-18T00:49:42Z] [/go/src/app/project/builder.go:190] ▶ Building SBT project at /ci-project-dir.

[ERRO] [Spotbugs] [2024-09-18T00:50:01Z] [/go/src/app/utils/utils.go:78] ▶ command exec failure
 command: '/opt/asdf/shims/sbt --info compile'
 error: exit status 2
 output:
copying runtime jar...
[info] [launcher] getting org.scala-sbt sbt 1.6.2  (this may take some time)...
[info] [launcher] getting Scala 2.12.15 (for sbt)...

[ERRO] [Spotbugs] [2024-09-18T00:50:01Z] [/go/src/app/project/builder.go:192] ▶ Project couldn't be built: exit status 2

[FATA] [Spotbugs] [2024-09-18T00:50:01Z] [/go/src/app/main.go:35] ▶ exit status 2

Example Project

What is the current bug behavior?

spotbugs fails with status code 2.

What is the expected correct behavior?

spotbugs should succeed with status code 0 and produce a gl-sast-report.json file.

Implementation Plan

Note: This implementation plan is the same as "gemnasium-maven fails on Mac OS when using sbt ..." (#363487 - closed).

Pass the arguments --batch -Dsbt.server.forcestart=true to the sbt command:

diff --git a/project/builder.go b/project/builder.go
index 814375f..93dc597 100644
--- a/project/builder.go
+++ b/project/builder.go
@@ -234,7 +234,7 @@ var builders = []builder{
                                if log.GetLevel() >= log.DebugLevel {
                                        logArg = "--info"
                                }
-                               args := []string{logArg, "compile"}
+                               args := []string{logArg, "compile", "--batch", "-Dsbt.server.forcestart=true"}
                                cmd := utils.SetupCmdNoStd(p.Path, exec.Command(c.String(FlagSBTPath), args...))
                                return utils.RunCmd(cmd)
                        })
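
Review bot: The changed args line hardcodes "--batch" and "-Dsbt.server.forcestart=true" with no comment explaining why they are there, so a later cleanup could drop them and silently reintroduce the exit status 2 failure on Mac OS. Add a short comment above the args line that references this issue and the sbt >= 1.4.0 condition. Since an integration test is not possible in CI, consider building the slice in a small helper function so a unit test can at least assert that both flags are present. Two things are worth confirming before merge: that sbt accepts these options when they follow the compile task rather than precede it, and that projects pinned to sbt versions below 1.4.0 tolerate them, because the flags are now passed unconditionally.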

We can't add any integration tests for the above change, because this only happens on Mac OS X, so it's not reproducible in CI, unfortunately.

/cc @tkopel

Edited by Adam Cohen