Perform SAST on result of AutoDevOps' build job (Java & Scala)
Description
When performing SAST on a Java or Scala project, SAST needs to build the project so that Find Security Bugs can process the .class and .jar files.
Right now the build step is handled by SAST itself, but this approach has two limitations:
- Efficiency. Building a project usually involves contacting many repositories, downloading many packages and compiling many source files. It consumes both CPU time and bandwidth, and the Auto DevOps build job has already done the same work once.
- Complexity. Right now SAST only covers the most common build scenarios. We could go further and add multiple settings and build configurations, but SAST would get more complex and difficult to maintain.
This is only a concern for Java and Scala projects but it's likely to become an issue for other languages in the future.
Proposal
Re-use the result of the build job. This must include both the compiled classes and the JARs that have been downloaded to satisfy the dependencies: Find Security Bugs needs the classes to analyse and the dependency JARs on its auxiliary classpath to resolve the types they reference.
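To make the hand-off concrete, here is an added illustration of what the proposal implies for a pipeline (example configuration, not code from GitLab's SAST or Auto DevOps templates). It assumes a Maven project; the job names, the Maven goals, the artifact paths and the analyser invocation in the `sast` job are all assumptions, and the analyser line would be replaced by whatever the SAST image runs once it consumes artifacts instead of rebuilding.

```yaml
# Added example, not the project's own CI configuration.
# Assumes a Maven project; sbt/Gradle projects would need equivalent goals.
stages:
  - build
  - test

build:
  stage: build
  image: maven:3-jdk-8            # assumption: any JDK image with Maven works
  script:
    # Compile once; skipping tests keeps the build job focused on producing classes.
    - mvn -B package -DskipTests
    # Copy every resolved dependency JAR into target/dependency (the goal's
    # default output directory) so a later job gets them without resolving
    # anything or contacting any repository itself.
    - mvn -B dependency:copy-dependencies
  artifacts:
    paths:
      - target/classes/           # the .class files Find Security Bugs analyses
      - target/dependency/        # the .jar files it needs on the auxiliary classpath
    expire_in: 1 day

sast:
  stage: test
  # Only download artifacts from the build job; no rebuild happens here.
  dependencies:
    - build
  script:
    # Fail early if the build job did not hand over both artifact sets.
    - test -d target/classes && test -d target/dependency
    # Assumed analyser invocation (SpotBugs CLI with the Find Security Bugs plugin):
    # the dependency JARs go on -auxclasspath, the compiled classes are the target.
    - >-
      spotbugs -textui -effort:max
      -pluginList findsecbugs-plugin.jar
      -auxclasspath "$(find target/dependency -name '*.jar' | paste -sd: -)"
      target/classes
```

The point of the split is that the `build` job is the only place that needs network access to package repositories, and the `sast` job only ever reads artifacts, which is also a smaller privilege for the analysis job to hold. The check on both directories matters because a missing `target/dependency` does not fail the analyser outright; it silently degrades results, since class references that cannot be resolved are skipped rather than reported.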