SAST Gradle overlaps with SAST Groovy

Summary

If a Groovy project is also a Gradle project (it contains both Groovy sources and a Gradle build), SAST analyzes it twice: first with find-sec-bugs-gradle, then with find-sec-bugs-groovy. The Gradle analyzer should not be triggered in that case.

There is no problem when the Gradle project has no Groovy files: find-sec-bugs-gradle is then the only analyzer triggered.

See https://gitlab.com/gitlab-org/security-products/release/issues/38#note_101241781

Steps to reproduce

  • Create a Java Gradle project with Groovy files
  • Configure SAST
  • Run the pipeline

Example Project

https://gitlab.com/gitlab-org/security-products/tests/java-groovy

What is the current bug behavior?

SAST scans the same project twice, once with FSB Groovy and once with FSB Gradle.

What is the expected correct behavior?

SAST should scan the project only once, using FSB Groovy.

Relevant logs and/or screenshots

https://gitlab.com/gitlab-org/security-products/tests/java-groovy/-/jobs/97441216

Possible fixes

Three ideas on how to fix this issue:

  • make FSB Gradle ignore projects that contain Groovy files
  • change SAST so that it scans a directory only once, and make sure FSB Groovy is tried first
  • merge FSB Gradle with FSB Groovy
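To make the second idea concrete, here is an added example (not the SAST orchestrator's own code, and not the contents of the linked example project) that models analyzer dispatch for one project directory. The detection rules (`build.gradle` present, `.groovy` file present), the two dispatch orders, and the sample file trees are all assumptions made for the illustration. It contrasts the current behaviour, where every analyzer whose rule matches is run, with the proposed one, where FSB Groovy is tried first and the first match claims the directory.

```python
"""Hypothetical model of SAST analyzer dispatch for one directory.
Not GitLab's code; detection rules and orderings are assumptions."""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Callable, List, Sequence


@dataclass(frozen=True)
class Analyzer:
    name: str
    # Detection rule: True when this analyzer applies to the file list.
    triggers: Callable[[Sequence[PurePosixPath]], bool]


def _has_suffix(paths: Sequence[PurePosixPath], suffix: str) -> bool:
    return any(p.suffix == suffix for p in paths)


def _has_name(paths: Sequence[PurePosixPath], name: str) -> bool:
    return any(p.name == name for p in paths)


# Assumed detection rules for the two analyzers named in the issue.
FSB_GROOVY = Analyzer("find-sec-bugs-groovy", lambda ps: _has_suffix(ps, ".groovy"))
FSB_GRADLE = Analyzer("find-sec-bugs-gradle", lambda ps: _has_name(ps, "build.gradle"))

# Current behaviour (assumed): Gradle is checked before Groovy and every
# matching analyzer runs. Proposed fix: Groovy first, and only the first
# matching analyzer runs, so a directory is scanned exactly once.
CURRENT_ORDER = (FSB_GRADLE, FSB_GROOVY)
PROPOSED_ORDER = (FSB_GROOVY, FSB_GRADLE)


def select_analyzers(files: Sequence[str], order: Sequence[Analyzer],
                     first_match_only: bool) -> List[str]:
    """Return the names of the analyzers that would run on `files`."""
    paths = [PurePosixPath(f) for f in files]
    matched = [a.name for a in order if a.triggers(paths)]
    return matched[:1] if first_match_only else matched


def current_behaviour(files: Sequence[str]) -> List[str]:
    return select_analyzers(files, CURRENT_ORDER, first_match_only=False)


def proposed_behaviour(files: Sequence[str]) -> List[str]:
    return select_analyzers(files, PROPOSED_ORDER, first_match_only=True)


# Constructed sample trees (not the linked example project's file list).
GRADLE_WITH_GROOVY = [
    "build.gradle",
    "src/main/java/com/example/App.java",
    "src/main/groovy/com/example/Helper.groovy",
]
GRADLE_ONLY = [
    "build.gradle",
    "src/main/java/com/example/App.java",
]

if __name__ == "__main__":
    for label, tree in (("gradle+groovy", GRADLE_WITH_GROOVY),
                        ("gradle only", GRADLE_ONLY)):
        print(label, "current:", current_behaviour(tree),
              "proposed:", proposed_behaviour(tree))
```

The Gradle-only tree selects find-sec-bugs-gradle under both policies, which is the case the issue describes as already working; the mixed tree is scanned twice under the current policy and only by find-sec-bugs-groovy under the proposed one. Ordering matters: if FSB Gradle were listed first, a first-match policy would pick the wrong analyzer for the mixed tree.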