Closed darkspirit510 closed 2 years ago
Could you set the environment variable -e SCAN_DEBUG_MODE=debug and share the logs?
Sure! Here is the result:
███████╗ ██████╗ █████╗ ███╗ ██╗
██╔════╝██╔════╝██╔══██╗████╗ ██║
███████╗██║ ███████║██╔██╗ ██║
╚════██║██║ ██╔══██║██║╚██╗██║
███████║╚██████╗██║ ██║██║ ╚████║
╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═══╝
[11:07:51] INFO Scanning /app using plugins ['java']
DEBUG ⚡︎ Executing class "java -jar /opt/spotbugs/lib/spotbugs.jar -textui -include /usr/local/src/lib/../spotbugs/include.xml
-exclude /usr/local/src/lib/../spotbugs/exclude.xml -noClassOk -auxclasspathFromFile /tmp/tmpju5ay69y -sourcepath /app
-quiet -medium -xml:withMessages -effort:max -nested:false -output /app/reports/class-report.xml /app"
[11:08:05] DEBUG SARIF and HTML report written to file: /app/reports/class-report.sarif, /app/reports/class-report.html 👍
DEBUG ⚡︎ Executing source-java "/opt/pmd-bin/bin/run.sh pmd --no-cache --fail-on-violation false -language java -d /app -r
/app/reports/source-java-report.csv -f csv -R /usr/local/src/lib/../rules-pmd.xml"
[11:23:02] DEBUG SARIF and HTML report written to file: /app/reports/source-java-report.sarif, /app/reports/source-java-report.html 👍
[11:23:02] DEBUG Aggregate report written to /app/reports/scan-full-report.json
INFO Baseline file written to /app/reports/.sastscan.baseline
Security Scan Summary
╔══════════════════════╤══════════╤══════╤════════╤═════╤════════╗
║ Tool │ Critical │ High │ Medium │ Low │ Status ║
╟──────────────────────┼──────────┼──────┼────────┼─────┼────────╢
║ Class File Analyzer │ 0 │ 0 │ 0 │ 0 │ ✅ ║
║ Java Source Analyzer │ 0 │ 0 │ 0 │ 0 │ ✅ ║
╚══════════════════════╧══════════╧══════╧════════╧═════╧════════╝
Thanks @darkspirit510. Perhaps the project has to be compiled first or scan has to be executed with SCAN_AUTO_BUILD=true as explained in https://slscan.io/en/latest/getting-started/#environment-variables
Since scan invokes pmd and spotbugs separately, the score would simply match either pmd or spotbugs, so this exercise isn't going to yield anything interesting. Plus, this project is deprecated, so it's best to look for alternatives for any serious apps.
Is this different in the tags latest and arm? Because it works as expected on latest using an Intel PC.
@darkspirit510 That is an interesting observation! Sorry, I don't have an M1 machine to test this, but given my lack of time I would recommend using the Intel machine to continue your testing.
@prabhu you were right! I forgot to build the project. SCAN_AUTO_BUILD=true did not help, but a manual mvn compile did. Thank you!
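The root cause in this thread is that the class-file analyzer (SpotBugs, run with -noClassOk) only inspects compiled bytecode, so scanning an unbuilt checkout produces an all-zero summary that looks like a clean result. The following pre-flight check is an added example, not part of the sast-scan project or the issue's runShiftLeftScan.sh; it assumes a Maven layout where compiled classes land under target/classes.

```shell
#!/bin/sh
# Pre-flight check before running the scan container: refuse to treat a
# scan as meaningful when there is no bytecode for SpotBugs to analyze.
# Added example; the target/classes layout is an assumption (Maven default).

# count_class_files DIR -> prints the number of .class files under DIR
count_class_files() {
    find "$1" -type f -name '*.class' 2>/dev/null | wc -l | tr -d ' '
}

# ensure_compiled DIR -> returns 0 if bytecode exists, 1 if the class-file
# scan would silently report zero findings (the failure mode in this issue)
ensure_compiled() {
    dir="$1"
    n=$(count_class_files "$dir")
    if [ "$n" -eq 0 ]; then
        echo "no .class files under $dir: run 'mvn compile' first, otherwise the Class File Analyzer reports 0/0/0/0" >&2
        return 1
    fi
    echo "found $n class files under $dir"
    return 0
}

# Usage, as a guard in a wrapper script (project path is a placeholder):
#   ensure_compiled /path/to/project/target/classes || exit 1
#   docker run ... shiftleft/scan scan --src /app --type java
```

The guard turns the "no findings" false negative into an explicit failure in CI instead of a green summary.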
Hi all,
Running sast-scan via docker:
on an Apple M1 Mac works without errors, but does not find anything. Any idea why this happens, or if this is a bug?
(full script at https://github.com/darkspirit510/BenchmarkJava/blob/adapt-to-m1/scripts/runShiftLeftScan.sh)