SAST Gradle overlaps with SAST Groovy
Summary
If a Groovy project happens to also be a Gradle project, SAST performs the analysis twice: first with find-sec-bugs-gradle and then with find-sec-bugs-groovy. The Gradle analyzer should not be triggered in that case.
Everything is fine if the project is a Gradle project with no Groovy files: find-sec-bugs-gradle is then the only analyzer triggered.
See https://gitlab.com/gitlab-org/security-products/release/issues/38#note_101241781
Steps to reproduce
- Create a Java Gradle project with Groovy files
- Configure SAST
- Run the pipeline
Example Project
https://gitlab.com/gitlab-org/security-products/tests/java-groovy
What is the current bug behavior?
SAST tests the same project twice using FSB Groovy and FSB Gradle.
What is the expected correct behavior?
SAST should test the project only once using FSB Groovy.
Relevant logs and/or screenshots
https://gitlab.com/gitlab-org/security-products/tests/java-groovy/-/jobs/97441216
Possible fixes
Three ideas on how to fix this issue:
- make FSB Gradle ignore projects having Groovy files
- change SAST so that it scans a directory only once, make sure FSB Groovy comes first
- merge FSB Gradle with FSB Groovy
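The second idea, selecting a single analyzer per directory with FSB Groovy taking precedence over FSB Gradle, is illustrated by the following added example. It is not GitLab's SAST code: the analyzer names come from this issue, but the detection rules (any `.groovy` file for Groovy, a top-level `build.gradle` or `build.gradle.kts` for Gradle) and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not GitLab SAST code. Picks exactly one FindSecBugs
# analyzer per project directory so a Gradle project that also contains
# Groovy sources is scanned once (by find-sec-bugs-groovy), not twice.
# Detection rules and function names are assumptions for illustration.

# has_groovy DIR: true if DIR contains at least one .groovy source file
has_groovy() {
  [ -n "$(find "$1" -type f -name '*.groovy' 2>/dev/null | head -n 1)" ]
}

# has_gradle DIR: true if DIR has a Gradle build file at its top level
has_gradle() {
  [ -f "$1/build.gradle" ] || [ -f "$1/build.gradle.kts" ]
}

# pick_analyzer DIR: print the single analyzer that should scan DIR.
# Rules are evaluated in order and the first match wins, so the Groovy
# rule is checked before the Gradle rule. Prints nothing if none match.
pick_analyzer() {
  dir=$1
  if has_groovy "$dir"; then
    echo find-sec-bugs-groovy
  elif has_gradle "$dir"; then
    echo find-sec-bugs-gradle
  fi
}

# demo: builds three constructed sample projects in a temporary directory
# (Gradle with Groovy sources, Gradle with Java only, no build system)
# and shows which analyzer each one would get.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/gradle-with-groovy/src" "$tmp/gradle-only/src" "$tmp/plain"
  : > "$tmp/gradle-with-groovy/build.gradle"
  : > "$tmp/gradle-with-groovy/src/App.groovy"
  : > "$tmp/gradle-only/build.gradle"
  : > "$tmp/gradle-only/src/App.java"
  for p in gradle-with-groovy gradle-only plain; do
    printf '%s -> %s\n' "$p" "$(pick_analyzer "$tmp/$p")"
  done
  rm -rf "$tmp"
}
```

Running `demo` prints `gradle-with-groovy -> find-sec-bugs-groovy`, `gradle-only -> find-sec-bugs-gradle` and `plain -> ` (no analyzer). The ordering is the whole point: if the Gradle rule were evaluated first, the first project would be claimed by find-sec-bugs-gradle and the Groovy-specific analysis would never run, which is the opposite of the expected behaviour described above.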