SAST Scanning fails when set up as a multi-module Maven project
We have tried to add SAST to our Java Maven project using the following job:
```yaml
sast:
  image: docker:stable
  stage: validate
  tags:
    - docker
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --env MAVEN_OPTS="-B -Dmaven.repo.local=/tmp/app/.m2 -Dapi.version=${API_VERSION} -Dbuild.profile.id=${BUILD_PROFILE}"
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  dependencies:
    - prepare:maven
  artifacts:
    paths: [gl-sast-report.json]
```
But the result is always:
```text
2018/05/23 07:07:10 [find-sec-bugs] Detect project using plugin
2018/05/23 07:07:10 [find-sec-bugs] Project is compatible
2018/05/23 07:07:10 [find-sec-bugs] Starting analyzer...
10-8-stable: Pulling from gitlab-org/security-products/analyzers/find-sec-bugs
Digest: sha256:11eb89ab06b37288a92d427b70d286b69e19dc1209f8fcc5de48a833d58e5d5f
Status: Image is up to date for registry.gitlab.com/gitlab-org/security-products/analyzers/find-sec-bugs:10-8-stable
Found project in /tmp/app
2018/05/23 07:07:18 open /tmp/app/target/spotbugsXml.xml: no such file or directory
2018/05/23 07:07:22 Container exited with non zero status code
```
Do we need to add something to our pom?
Second report
Summary
SAST Scanning fails when set up as a multi-module Maven project.
Steps to reproduce
- Create a multi-module Maven project with two modules.
- Enable Dependency Scanning in `.gitlab-ci.yml`
Example Project
https://gitlab.com/dansiviter/multi-module-failure
What is the current bug behavior?
It appears to be unable to locate a `/tmp/app/target/spotbugsXml.xml` file.
What is the expected correct behavior?
The testing completes and results are returned.
Relevant logs and/or screenshots
```text
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 15.269 s
[INFO] Finished at: 2018-07-02T11:02:26Z
[INFO] ------------------------------------------------------------------------
2018/07/02 11:02:26 open /tmp/app/target/spotbugsXml.xml: no such file or directory
2018/07/02 11:02:29 Container exited with non zero status code
ERROR: Job failed: exit code 1
```
See linked pipeline for example: https://gitlab.com/dansiviter/multi-module-failure/-/jobs/78759837
Output of checks
This bug happens on GitLab.com
Possible fixes
Unknown
Edited by Fabio Busatto
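Both reports end with the analyzer opening `/tmp/app/target/spotbugsXml.xml` and finding nothing, which is the layout a multi-module Maven build produces by construction: `spotbugs-maven-plugin` writes its XML report into each module's own `target/` directory, and the parent POM (packaging `pom`) yields no root-level `target/spotbugsXml.xml` at all. The script below is an added example, not code from this issue or from the GitLab SAST analyzer. It builds a constructed two-module layout under a temporary directory (the module names `module-a`/`module-b` and the report contents are made up for the example), runs the same root-level existence check that fails in the logs above, and lists the per-module reports that do exist. It is a local pre-check a team can run before the CI job to see where the reports actually landed, rather than learning it from a "no such file or directory" in the pipeline.

```shell
#!/bin/sh
# Added example (not part of the issue or the analyzer). Reproduces the
# directory layout a multi-module Maven build leaves behind and applies the
# root-level check the find-sec-bugs analyzer performs.

# Create a constructed sample tree under a temp dir and print its path.
# Only the module target/ dirs get a spotbugsXml.xml; the root never does.
make_sample_project() {
  root=$(mktemp -d)
  mkdir -p "$root/module-a/target" "$root/module-b/target"
  # Constructed minimal SpotBugs reports, not real analyzer output.
  printf '<BugCollection version="3.1.5"></BugCollection>\n' \
    > "$root/module-a/target/spotbugsXml.xml"
  printf '<BugCollection version="3.1.5"></BugCollection>\n' \
    > "$root/module-b/target/spotbugsXml.xml"
  printf '%s\n' "$root"
}

# Mirror the analyzer's check: is there a report at <root>/target/spotbugsXml.xml?
# Returns 0 if present, non-zero otherwise.
root_report_exists() {
  [ -f "$1/target/spotbugsXml.xml" ]
}

# List every per-module SpotBugs XML report under the tree, sorted, one per line.
find_module_reports() {
  find "$1" -path '*/target/spotbugsXml.xml' -type f | sort
}

# Number of per-module reports found (0 means SpotBugs never ran in any module).
count_module_reports() {
  find_module_reports "$1" | wc -l | tr -d ' '
}

# Usage: run the checks against the constructed sample project.
SAMPLE=$(make_sample_project)
if root_report_exists "$SAMPLE"; then
  echo "root report present: $SAMPLE/target/spotbugsXml.xml"
else
  echo "no root report at $SAMPLE/target/spotbugsXml.xml (what the analyzer logs)"
  echo "per-module reports found: $(count_module_reports "$SAMPLE")"
  find_module_reports "$SAMPLE"
fi
```

Run against a real checkout after `mvn verify` by replacing `SAMPLE` with the project root: a count of zero means SpotBugs is not wired into the build at all, while a non-zero count with no root report is exactly the multi-module situation both reports describe.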