Update source exclusion pattern
What does this MR do?
After spotbugs runs, bug instances in files not deemed to be source are omitted.
Each directory determined to be a project is walked, and source files are accumulated for this purpose.
Currently, during that walk, if any path segment is named "gradle", that directory and all of its subdirectories are skipped. For example, bug instances from the file src/gradle/X.kt would be omitted from the report.
This patch skips only the top-level "gradle" directory, relative to the project root. It further excludes any top-level ".git" or ".gradle" directory.
An example of a bug that would previously have been omitted has been added to the kotlin fixture.
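To make the difference between the two pruning rules concrete, here is an added Go example; it is not code from spotbugs-analyzer or from this MR. It walks a constructed in-memory project tree (built with testing/fstest, so it runs offline) once with the old rule, which prunes any directory named "gradle" at any depth, and once with the patched rule, which prunes only the top-level "gradle", ".gradle" and ".git" directories. The file names in the tree and the helper names are assumptions for illustration; the separate "external library" filter mentioned later in this MR is not modelled.

```go
package main

import (
	"fmt"
	"io/fs"
	"sort"
	"testing/fstest"
)

// sampleProject is a constructed project tree (not a real fixture) containing
// the cases this MR distinguishes: a source file under a nested "gradle"
// directory, the top-level gradle wrapper, and the .gradle and .git caches.
var sampleProject = fstest.MapFS{
	"src/main/kotlin/App.kt":                   {Data: []byte("class App")},
	"src/gradle/X.kt":                          {Data: []byte("class X")},
	"gradle/wrapper/gradle-wrapper.properties": {Data: []byte("")},
	".gradle/7.6/checksums/checksums.lock":     {Data: []byte("")},
	".git/HEAD":                                {Data: []byte("ref: refs/heads/main")},
	"build.gradle.kts":                         {Data: []byte("")},
}

// skipAnyGradleSegment models the previous behaviour: a directory named
// "gradle" is pruned wherever it appears in the tree.
func skipAnyGradleSegment(path string, d fs.DirEntry) bool {
	return d.IsDir() && d.Name() == "gradle"
}

// skipTopLevelOnly models the patched behaviour: only "gradle", ".gradle" and
// ".git" directly under the project root are pruned. fs.WalkDir hands us
// root-relative, slash-separated paths, so a top-level entry is simply one
// whose path equals its name.
func skipTopLevelOnly(path string, d fs.DirEntry) bool {
	if !d.IsDir() {
		return false
	}
	switch path {
	case "gradle", ".gradle", ".git":
		return true
	}
	return false
}

// collectSources walks fsys from its root and returns the sorted list of
// file paths that survive the given pruning rule. Bug instances in files
// outside this list would be dropped from the report.
func collectSources(fsys fs.FS, prune func(string, fs.DirEntry) bool) ([]string, error) {
	var files []string
	err := fs.WalkDir(fsys, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if path == "." {
			return nil // the project root itself is never pruned
		}
		if prune(path, d) {
			return fs.SkipDir // skip this directory and everything beneath it
		}
		if !d.IsDir() {
			files = append(files, path)
		}
		return nil
	})
	sort.Strings(files)
	return files, err
}

func main() {
	before, _ := collectSources(sampleProject, skipAnyGradleSegment)
	after, _ := collectSources(sampleProject, skipTopLevelOnly)
	fmt.Println("old rule keeps:", before)
	fmt.Println("new rule keeps:", after)
}
```

With the old rule, src/gradle/X.kt is dropped while .git/HEAD and the .gradle cache survive; with the patched rule, src/gradle/X.kt is kept and only the three top-level directories are pruned.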
What are the relevant issue numbers?
This MR indirectly addresses gitlab-org/gitlab#429384 (closed)
That issue includes an excerpt from a successful SAST pipeline showing one of over 100 exception traces logged by spotbugs.
Spotbugs catches exceptions in "detectors", dumps the stack, and continues analysis. This behavior is intentional and considered "recoverable"; see the function logRecoverableException in the spotbugs source.
The pattern of these logged traces is Exception analyzing <target class name> using detector <spotbugs/findsecbugs detector class>, and every instance in the customer's log file occurs while analyzing external libraries.
Spotbugs completes with an exit code indicating success and generates an XML report with a large number of bug instances. All instances, however, are filtered by spotbugs-analyzer because either they are external or they are in a directory with a "gradle" path component. That latter criterion is what this MR addresses: overzealous filtering of bug instances.
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests updated/added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer