Spotbugs-sast detects 0 vulnerabilities on projects using Ant

Summary

The Spotbugs SAST analyzer always detects 0 vulnerabilities when scanning projects that use the Ant build tool.

The behavior is the same whether one uses pre-compilation or spotbugs does the build.

This issue was created on behalf of a Large Ultimate SaaS customer who reported this problem happening on 4 different codebases in a support ticket.

I was able to reproduce this by running spotbugs-sast on several 3+ year old open source projects that use Ant. Thus far, I've been unable to find any examples of an Ant project where vulnerabilities are detected.

Steps to reproduce

  1. Import a Java project that uses Ant
  2. Enable SAST scanning
  3. Note that the spotbugs-sast job detects zero vulnerabilities.

Example Project

What is the current bug behavior?

Zero vulnerabilities are detected by spotbugs-sast on projects that use Ant.

What is the expected correct behavior?

Spotbugs-sast finds at least one vulnerability in at least one project using Ant.

Relevant logs and/or screenshots

Output of checks

This problem occurs on GitLab.com

Results of GitLab environment info

This problem occurs on GitLab.com

Results of GitLab application Check

This problem occurs on GitLab.com

Possible fixes

Edited by Greg Myers