
8401 merge find sec bugs analyzers

Gilbert Roulot requested to merge 8401_merge_find_sec_bugs_analyzers into master

NOTE: Moved from find-sec-bugs!6 (closed), see that MR for more discussion on the testing and implementation


This merge request merges the 3 find-sec-bugs analyzers into one.

Changes:

  • Dockerfile uses alpine as a base, and installs the numerous SDKs with the help of SDKMAN!
  • Match detects the presence of projects using Gradle, Gradlew, Grails, Maven, Mvnw, SBT or ANT. Static compilation is attempted with Gradle and its wrappers when in the presence of .groovy files.
  • analyze:
    • detects all projects in the tree.
    • builds them.
    • runs SpotBugs + the Find Security Bugs plugin on them.
    • corrects the paths of the source files so they are relative to the repository root.
    • merges all results into one XML file with correct paths, for convert to pick it up.
    • directs SpotBugs to analyze only the packages making up the project (to skip analysis of library jars).
    • supports multi-module Maven projects.

Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/8401
Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/6232
Refs https://gitlab.com/gitlab-org/gitlab-ee/issues/8935
Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/7271

Edited by Lucas Charles
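The two steps the description above spends most words on are project detection and merging the per-module SpotBugs results with paths rewritten relative to the repository root. The following is an added illustration, not code from this merge request or from the GitLab analyzer: it assumes the build-file markers listed here (`build.gradle`, `gradlew`, `pom.xml`, `mvnw`, `build.sbt`, `build.xml`) stand in for the real Match logic, and it operates on constructed SpotBugs `BugCollection` XML, using the `BugInstance`/`SourceLine`/`sourcepath` elements of that format. The source-root prefix per module (`module-a/src/main/java`) is a hypothetical input the caller supplies; how the real analyzer derives it is not shown on this page.

```python
"""Added example: detect JVM build projects in a file tree and merge several
SpotBugs / Find Security Bugs XML reports into one, rewriting each finding's
sourcepath so it is relative to the repository root (the step that lets a
downstream converter point at the right file)."""
import posixpath
import xml.etree.ElementTree as ET

# Assumed marker files -> build tool (stand-in for the analyzer's own Match logic).
BUILD_MARKERS = {
    "build.gradle": "gradle",
    "build.gradle.kts": "gradle",
    "gradlew": "gradlew",
    "pom.xml": "maven",
    "mvnw": "mvnw",
    "build.sbt": "sbt",
    "build.xml": "ant",
}


def find_projects(relative_paths):
    """Return {project_dir: sorted list of build tools} for every directory in
    the given repository-relative file list that carries a build marker."""
    projects = {}
    for path in relative_paths:
        directory, name = posixpath.split(path)
        tool = BUILD_MARKERS.get(name)
        if tool:
            projects.setdefault(directory or ".", set()).add(tool)
    return {d: sorted(tools) for d, tools in projects.items()}


def merge_reports(reports):
    """reports: iterable of (source_root, xml_text). source_root is the module's
    source directory relative to the repository root; the report's sourcepath
    values are relative to that directory. Returns the merged BugCollection."""
    merged = ET.Element("BugCollection")
    for source_root, xml_text in reports:
        root = ET.fromstring(xml_text)
        for bug in root.findall("BugInstance"):
            # Every SourceLine (bug-level or nested under Method/Class) is rewritten.
            for line in bug.iter("SourceLine"):
                sp = line.get("sourcepath")
                if sp is not None:
                    line.set("sourcepath",
                             posixpath.normpath(posixpath.join(source_root, sp)))
            merged.append(bug)
    return merged


def finding_paths(merged):
    """Sorted unique repository-relative source paths referenced by the findings."""
    return sorted({ln.get("sourcepath") for ln in merged.iter("SourceLine")})


# Constructed sample reports, one per module, in SpotBugs BugCollection shape.
REPORT_A = """<BugCollection version="3.1.12">
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" category="SECURITY">
    <SourceLine classname="com.example.Login" start="42" end="42"
                sourcefile="Login.java" sourcepath="com/example/Login.java"/>
  </BugInstance>
  <BugInstance type="PREDICTABLE_RANDOM" priority="2" category="SECURITY">
    <SourceLine classname="com.example.Token" start="10" end="10"
                sourcefile="Token.java" sourcepath="com/example/Token.java"/>
  </BugInstance>
</BugCollection>"""

REPORT_B = """<BugCollection version="3.1.12">
  <BugInstance type="PATH_TRAVERSAL_IN" priority="1" category="SECURITY">
    <SourceLine classname="org.acme.Files" start="7" end="7"
                sourcefile="Files.java" sourcepath="org/acme/Files.java"/>
  </BugInstance>
</BugCollection>"""

SAMPLE_TREE = [
    "module-a/pom.xml",
    "module-a/src/main/java/com/example/Login.java",
    "module-b/build.gradle",
    "module-b/gradlew",
    "pom.xml",
]

if __name__ == "__main__":
    print(find_projects(SAMPLE_TREE))
    merged = merge_reports([("module-a/src/main/java", REPORT_A),
                            ("./module-b/src/main/java", REPORT_B)])
    print(finding_paths(merged))
    print(ET.tostring(merged, encoding="unicode"))
```

Rewriting every `SourceLine` inside a finding (not only the first) matters because SpotBugs nests location elements under `Method` and `Class` as well; a converter that reads whichever one it finds first would otherwise get a path that is only valid inside the module.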
