Refactor: Switch to `find-sec-bugs-cli` approach
What
In support of https://gitlab.com/gitlab-org/gitlab-ee/issues/8619, we need to revamp the find-sec-bugs analyzer to use the CLI approach in place of the plugin approach. This should better allow us to scan the post-build `*.class` artifacts instead. There are 2 main benefits to this change:
- More uniformity across analyzers (this code is largely a port of find-sec-bugs-sbt).
- More universal capability (this code works for multimodule project scans).
Additionally, I've upgraded the bundled find-sec-bugs version to 1.8.0, which brings a number of internal fixes, better path traversal, and greater configuration support. Please see the full 1.8.0 changelog for more details.
Test script demoing this MR for a multi-module maven scan: https://gitlab.com/snippets/1798884
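As an added example (not the analyzer code from this MR), the shell script below applies the CLI approach described above to a built Maven multimodule checkout: it collects every module's compiled class directory, passes the built jars as the auxiliary classpath, and reads the "Warnings generated" and "Missing classes" figures back out of the SpotBugs XML report. It assumes `FSB_HOME` points at an unpacked find-sec-bugs CLI release containing `findsecbugs.sh` and that `mvn package` has already been run; the SpotBugs flags used are the standard command-line ones.

```shell
#!/bin/sh
# Added example, not part of this MR: scan a built Maven multimodule project with
# the find-sec-bugs CLI. Assumes FSB_HOME holds an unpacked find-sec-bugs CLI
# release (findsecbugs.sh wraps the SpotBugs command line) and `mvn package` ran.
set -eu

# List every module's compiled class directory below $1, sorted for a stable order.
collect_class_dirs() {
  find "$1" -type d -path '*/target/classes' | sort
}

# Join the built module jars into a colon-separated -auxclasspath so cross-module
# references resolve instead of being reported as "Missing classes".
build_auxclasspath() {
  find "$1" -type f -path '*/target/*.jar' | sort | paste -sd ':' -
}

# Scan all class directories under $1, writing a SpotBugs XML report to $2.
# Deliberately does not pass -noClassOk: a project with nothing compiled is a
# failed scan, matching the decision recorded in the test-case table.
run_findsecbugs() {
  root="$1"; report="$2"
  dirs=$(collect_class_dirs "$root")
  if [ -z "$dirs" ]; then
    echo "no compiled classes under $root; build the project first" >&2
    return 1
  fi
  aux=$(build_auxclasspath "$root")
  # $dirs is intentionally unquoted so each directory becomes its own argument
  # (module paths are assumed not to contain whitespace).
  "$FSB_HOME/findsecbugs.sh" -progress -effort:max -low \
    ${aux:+-auxclasspath "$aux"} -xml:withMessages -output "$report" $dirs
}

# Number of BugInstance elements in the report (the "Warnings generated" figure).
count_warnings() {
  grep -o '<BugInstance ' "$1" | wc -l | tr -d ' '
}

# Value of missingClasses on the report's <Errors> element ("Missing classes: N").
count_missing_classes() {
  sed -n 's/.*<Errors [^>]*missingClasses="\([0-9]*\)".*/\1/p' "$1"
}

# Usage: scan.sh <project-root> <report.xml>
if [ "$#" -eq 2 ]; then
  run_findsecbugs "$1" "$2"
  echo "Warnings generated: $(count_warnings "$2"); Missing classes: $(count_missing_classes "$2")"
fi
```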
Test Cases
Project | Current Behavior | Expected Behavior | Notes |
---|---|---|---|
security-products/tests/java-maven-multimodules | no vulnerabilities | | |
security-products/tests/java-maven-multimodules (w/ vulnerability) | Output: `Warnings generated: 3` | | |
security-products/tests/webgoat (v8.0.0) | Unclear failure, but the root repo contains a number of complex supporting files. Failure output: `Exception in thread "main" java.lang.UnsupportedOperationException` (see output.log) | | |
security-products/tests/webgoat (v8.0.0) - webgoat-lessons | Output: `Warnings generated: 68; Missing classes: 20` | | |
dansiviter/multi-module-failure (Issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/6733) | Output: `No files to be analyzed`. Fails as there are no source files. This is fixable with the addition of the `-noClassOk` flag, but when SAST is explicitly run, a failure to locate project files seems a valid failure case. | | |
theoretick/maven-by-example-examples | Output: `Warnings generated: 678; Missing classes: 333`. NOTE: this does result in an OOM error on gitlab.com due to shared runner memory limitations, but works locally. | | |
find-sec-bugs/find-sec-bugs-demos (juliet-test-suite-mini) | Output: `Warnings generated: 16` | | |
find-sec-bugs/find-sec-bugs-demos (java-web-jsp) | Output: `Warnings generated: 2` | | |
Regarding the abundant "Missing classes" errors, the issue appears linked to an outstanding bug in SpotBugs: https://github.com/spotbugs/spotbugs/issues/6#issuecomment-439867198