8401 merge find sec bugs analyzers
NOTE: Moved from find-sec-bugs!6 (closed), see that MR for more discussion on the testing and implementation
This merge request merges the 3 find-sec-bugs analyzers into one.
Changes:
- Dockerfile uses alpine as a base, and installs the numerous SDKs with the help of SDKMAN!
- `Match` detects the presence of projects using Gradle, Gradlew, Grails, Maven, Mvnw, SBT or ANT. Static compilation is attempted with Gradle and its wrappers when in the presence of .groovy files.
- `analyze`:
  - detects all projects in the tree.
  - builds them.
  - runs SpotBugs + Find Security Bugs plugin on them.
  - Corrects the path of the source files so they are relative to the repository root.
  - Merges all results into one XML file with correct paths, for `convert` to pick it up.
  - Directs SpotBugs to analyze only the packages making up the project (to skip library jars analysis).
  - Supports multi-module Maven projects.
Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/8401
Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/6232
Refs https://gitlab.com/gitlab-org/gitlab-ee/issues/8935
Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/7271
Edited by Lucas Charles
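The path-correction and merge steps listed under `analyze` matter most in multi-module builds, where two modules can report the same package-relative path. The sketch below is an added example, not the analyzer's own code: it assumes SpotBugs-style XML (`SrcDir`, `BugInstance`, `SourceLine` with a `sourcepath` attribute), and the function names, repository layout and reports are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

REPO_ROOT = "/build"  # constructed checkout location
# Constructed file listing standing in for the repository tree.
FILES = {"api/src/main/java/com/example/Handler.java",
         "web/src/main/java/com/example/Handler.java"}
# Constructed SpotBugs-style reports, one per module.
REPORTS = [
    """<BugCollection><Project>
      <SrcDir>/build/api/src/test/java</SrcDir><SrcDir>/build/api/src/main/java</SrcDir>
    </Project><BugInstance type="SQL_INJECTION_JDBC">
      <SourceLine sourcepath="com/example/Handler.java" start="42" end="42"/>
    </BugInstance></BugCollection>""",
    """<BugCollection><Project><SrcDir>/build/web/src/main/java</SrcDir></Project>
    <BugInstance type="XSS_SERVLET">
      <SourceLine sourcepath="com/example/Handler.java" start="17" end="17"/>
    </BugInstance><BugInstance type="PREDICTABLE_RANDOM">
      <SourceLine sourcepath="com/example/Generated.java" start="3" end="3"/>
    </BugInstance></BugCollection>""",
]

def repo_relative(sourcepath, src_dirs, repo_root, exists):
    """Return sourcepath rewritten relative to repo_root, or None if unresolved."""
    for src_dir in src_dirs:
        full = posixpath.normpath(posixpath.join(src_dir, sourcepath))
        rel = posixpath.relpath(full, repo_root)
        # Reject anything that escapes the repository, then require a real file.
        if rel != ".." and not rel.startswith("../") and exists(rel):
            return rel
    return None

def merge_reports(reports, repo_root, exists):
    """Merge reports into one BugCollection; also return paths left unresolved."""
    merged, unresolved = ET.Element("BugCollection"), []
    for text in reports:
        root = ET.fromstring(text)
        src_dirs = [e.text.strip() for e in root.iter("SrcDir") if e.text]
        for bug in root.iter("BugInstance"):
            for line in bug.iter("SourceLine"):
                rel = repo_relative(line.get("sourcepath", ""), src_dirs, repo_root, exists)
                if rel is None:
                    unresolved.append(line.get("sourcepath"))
                else:
                    line.set("sourcepath", rel)
            merged.append(bug)
    return merged, unresolved

if __name__ == "__main__":
    merged, unresolved = merge_reports(REPORTS, REPO_ROOT, FILES.__contains__)
    print(ET.tostring(merged, encoding="unicode"))
    print("unresolved:", unresolved)
```

Findings whose source cannot be located in the tree (generated code, for instance) keep their original path and are returned separately, so they can be reviewed rather than silently attributed to the wrong file.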