
Update source exclusion pattern

Jason Leasure requested to merge update-source-file-filter into master

What does this MR do?

After spotbugs runs, bug instances in files not deemed source files are omitted from the report.

Each directory determined to be a project is walked, and source files are accumulated for this purpose.

Currently, during that walk, if a path segment is named "gradle", it and all subdirectories are skipped. E.g. bug instances from the file src/gradle/X.kt would be omitted from the report.

This patch skips only the top-level "gradle" directory, relative to the project root. It further excludes any top-level ".git" or ".gradle" directory.

An example of a bug that would previously have been omitted has been added to the kotlin fixture.
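To make the difference between the two walk rules concrete, here is a small added illustration (not spotbugs-analyzer's own code): `excludedOld` drops a file when any path segment is named "gradle", while `excludedNew` drops only files under a top-level gradle, .gradle or .git directory. The excluded-directory set and the sample paths are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// topLevelExcluded lists directories skipped only when they sit directly
// under the project root (constructed for this example).
var topLevelExcluded = map[string]bool{"gradle": true, ".gradle": true, ".git": true}

// excludedOld mirrors the overzealous rule: any path segment named "gradle"
// excludes the file, so src/gradle/X.kt is dropped.
func excludedOld(rel string) bool {
	for _, seg := range strings.Split(rel, "/") {
		if seg == "gradle" {
			return true
		}
	}
	return false
}

// excludedNew applies the corrected rule: only the first segment of the
// path relative to the project root is checked against the excluded set.
func excludedNew(rel string) bool {
	first := strings.SplitN(rel, "/", 2)[0]
	return topLevelExcluded[first]
}

// sourceFiles returns the relative paths that survive the given filter.
func sourceFiles(paths []string, excluded func(string) bool) []string {
	var kept []string
	for _, p := range paths {
		if !excluded(p) {
			kept = append(kept, p)
		}
	}
	return kept
}

func main() {
	// Constructed sample of paths relative to a project root.
	paths := []string{
		"src/main/kotlin/App.kt",
		"src/gradle/X.kt", // previously dropped, now kept
		"gradle/wrapper/gradle-wrapper.jar",
		".gradle/caches/Cached.kt",
		".git/hooks/pre-commit",
	}
	fmt.Println("old rule keeps:", sourceFiles(paths, excludedOld))
	fmt.Println("new rule keeps:", sourceFiles(paths, excludedNew))
}
```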

What are the relevant issue numbers?

This MR indirectly addresses gitlab-org/gitlab#429384 (closed)

That issue includes an excerpt from a successful SAST pipeline showing one of over 100 exception traces logged by spotbugs.

Spotbugs catches exceptions in "detectors", dumps the stack, and continues analysis - this behavior is intentional, and considered "recoverable" - see the function logRecoverableException in the spotbugs source.

The pattern of these logged traces is Exception analyzing <target class name> using detector <spotbugs/findsecbugs detector class>, and every instance in the customer's log file occurs while analyzing external libraries.

Spotbugs completes with a successful exit code and generates an XML report with a large number of bug instances. All instances, however, are filtered by spotbugs-analyzer because either they're external or they're in a directory with a gradle path component. The latter criterion is what this MR addresses: overzealous filtering of bug instances.

Does this MR meet the acceptance criteria?

Edited by Jason Leasure
