SAST for Java Maven fails: Source option 5 is no longer supported.
Summary
The Find Sec Bugs analyzer for SAST fails when compiling a Maven project prior to analyzing the Java bytecode:
[ERROR] Source option 5 is no longer supported. Use 6 or later.
[ERROR] Target option 1.5 is no longer supported. Use 1.6 or later.
Steps to reproduce
Create a Java Maven project with a pom.xml file, enable SAST and run the CI pipeline.
Example Project
Right now the analyzer fails to analyze its own test project: https://gitlab.com/gitlab-org/security-products/analyzers/find-sec-bugs/tree/v1.3.0/test/fixtures/app
This started 2 weeks ago: gitlab-org/security-products/analyzers/find-sec-bugs@cfe17263
Here's the last time the pipeline succeeded: https://gitlab.com/gitlab-org/security-products/analyzers/find-sec-bugs/-/jobs/142694737
What is the current bug behavior?
Compilation of Maven project fails.
What is the expected correct behavior?
Compilation passes (and the analyzer generates a report).
Relevant logs and/or screenshots
See https://gitlab.com/gitlab-org/security-products/analyzers/find-sec-bugs/-/jobs/150315236
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (358 kB at 76 kB/s)
[INFO] Changes detected - recompiling the module!
[WARNING] File encoding has not been set, using platform encoding UTF-8, i.e. build is platform dependent!
[INFO] Compiling 1 source file to /tmp/project/app/target/classes
[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] Source option 5 is no longer supported. Use 6 or later.
[ERROR] Target option 1.5 is no longer supported. Use 1.6 or later.
[INFO] 2 errors
[INFO] -------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 35.123 s
[INFO] Finished at: 2019-01-24T04:26:39Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project java-maven: Compilation failure: Compilation failure:
[ERROR] Source option 5 is no longer supported. Use 6 or later.
[ERROR] Target option 1.5 is no longer supported. Use 1.6 or later.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
2019/01/24 04:26:39 exit status 1
ERROR: Job failed: exit code 1
Possible fixes
2 possible fixes:
- upgrade to a newer version of Spot Bugs Maven plugin
- compile the project without that Spot Bugs plugin and use the FSB cli
/cc @@plafoucriere @theoretick