Refactor: Switch to `find-sec-bugs-cli` approach
What
In support of https://gitlab.com/gitlab-org/gitlab-ee/issues/8619, we need to revamp the capabilities of find-sec-bugs to use the CLI approach in place of the plugin approach. This should better allow us to scan the post-build artifact *.class files instead. There are 2 main benefits to this change:
- More uniformity in analyzers (this code is largely a port of find-sec-bugs-sbt).
- More universal capability (this code works for multimodule project scans).
Additionally, I've upgraded the included find-sec-bugs version to 1.8.0 with a number of internal fixes, better path traversal, and greater configuration support. Please see the full changelog for 1.8.0 for more details.
Test script demoing this MR for a multi-module maven scan: https://gitlab.com/snippets/1798884
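As an added illustration of the post-build approach described above (example code, not the MR's own code or the linked snippet), the script below collects every module's compiled target/classes directory of a multi-module Maven project, builds an -auxclasspath from copied dependency jars, runs the find-sec-bugs CLI once over all of them, and reports the result in the same "Warnings generated / Missing classes" form used in the test-case table. It assumes FINDSECBUGS_HOME points at an unpacked findsecbugs-cli release whose findsecbugs.sh passes standard SpotBugs text-UI flags through, and that paths contain no spaces.

```shell
#!/bin/sh
# Scan every Maven module's compiled classes with the find-sec-bugs CLI.
# Assumed: FINDSECBUGS_HOME points at an unpacked findsecbugs-cli release that
# contains findsecbugs.sh and passes standard SpotBugs text-UI flags through.
set -eu

# Print every target/classes directory under $1 that actually holds .class
# files, one per line, sorted: one entry per built module; unbuilt ones skipped.
collect_class_dirs() {
  find "$1" -type d -path '*/target/classes' | sort | while read -r dir; do
    if [ -n "$(find "$dir" -name '*.class' | head -n 1)" ]; then
      printf '%s\n' "$dir"
    fi
  done
}

# Join every jar under target/dependency (e.g. from mvn dependency:copy-dependencies)
# into one -auxclasspath value so resolvable references are not reported as missing.
build_auxclasspath() {
  find "$1" -path '*/target/dependency/*.jar' | sort | paste -s -d ':' -
}

# Summarise a SpotBugs XML report in the "Warnings generated: N; Missing classes: M"
# form: N = BugInstance elements, M = the missingClasses attribute of <Errors>.
summarize_report() {
  warnings=$(grep -c '<BugInstance ' "$1" || true)
  missing=$(sed -n 's/.*<Errors [^>]*missingClasses="\([0-9]*\)".*/\1/p' "$1" | head -n 1)
  printf 'Warnings generated: %s; Missing classes: %s\n' "$warnings" "${missing:-0}"
}

# Scan all modules of the project at $1 in one run and write the XML report to $2
# (paths without spaces assumed). Usage: run_scan /path/to/project report.xml
run_scan() {
  root=$1; report=$2
  dirs=$(collect_class_dirs "$root")
  [ -n "$dirs" ] || { echo "No compiled classes under $root; run mvn package first" >&2; return 1; }
  auxcp=$(build_auxclasspath "$root")
  set -- -effort:max -low -progress -xml:withMessages -output "$report"
  [ -z "$auxcp" ] || set -- "$@" -auxclasspath "$auxcp"
  for d in $dirs; do set -- "$@" "$d"; done
  "$FINDSECBUGS_HOME/findsecbugs.sh" "$@"
  summarize_report "$report"
}
```

A project with no compiled classes makes run_scan fail rather than silently producing an empty report, which is the failure mode the dansiviter/multi-module-failure case in the table describes.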
Test Cases
| Project | Current Behavior | Expected Behavior | Notes |
|---|---|---|---|
| security-products/tests/java-maven-multimodules | no vulnerabilities | | |
| security-products/tests/java-maven-multimodules (w/ vulnerability) | Output: Warnings generated: 3 | | |
| security-products/tests/webgoat (v8.0.0) | Unclear failure, but root repo contains a number of complex supporting files. Output: Exception in thread "main" java.lang.UnsupportedOperationException (see output.log) | | |
| security-products/tests/webgoat (v8.0.0) - webgoat-lessons | Output: Warnings generated: 68; Missing classes: 20 | | |
| dansiviter/multi-module-failure (Issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/6733) | Output: No files to be analyzed. Fails as there are no source files. This is fixable w/ the addition of the -noClassOk flag, but when SAST is explicitly run, a failure to locate project files seems a valid failure case. | | |
| theoretick/maven-by-example-examples | Output: Warnings generated: 678; Missing classes: 333. NOTE: this does result in an OOM error on gitlab.com due to shared runner memory limitations, but works locally | | |
| find-sec-bugs/find-sec-bugs-demos (juliet-test-suite-mini) | Output: Warnings generated: 16. | | |
| find-sec-bugs/find-sec-bugs-demos (java-web-jsp) | Output: Warnings generated: 2. | | |
Regarding the abundant "Missing classes" errors, the issue appears to be linked to an outstanding bug in spotbugs: https://github.com/spotbugs/spotbugs/issues/6#issuecomment-439867198