Spotbugs fails to build search-byoc
During the spotbugs-sast step, the analyzer begins by compiling (mvn install) the various projects it finds. This is required for the spotbugs tool, which operates on the built Java code.
For search, this fails for the search-byoc project. Because of the compilation error, none of the spotbugs findings are reported.
Parent-Child POMs
The OSDU Data Platform uses a parent-child pom structure for most services. Normally, you would only run mvn install on the parent -- doing so on the children is unnecessary -- and in this case, there are dependencies specified in the parent that are needed in the child. GitLab is already aware of this limitation of the spotbugs scanner.
Possible Workaround
The compilation step can be turned off, which is something GitLab recommends for complicated or custom build processes. We can then build the projects using only the parents (like we do in compile-and-unit-test).
The build logic needs to be added to the spotbugs-sast job -- even though we built it previously in the pipeline (and passed the target/ folders along as artifacts), the final install location is the .m2 cache, which is stored as runner cache (not artifacts). Therefore, we can't know reliably that the runner that happened to pick up the spotbugs-sast job is the same one that executed the compile-and-unit-test job. That said, we can speed things up by running mvn install without doing a clean rebuild -- the target/ folders will be current.
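A job override along these lines, added here as an example and not taken from the issue or the OSDU pipeline, disables the analyzer's own build and builds from the parent POM instead; the parent POM path and cache key are assumptions, while COMPILE is the GitLab SAST analyzer's documented variable for skipping its compile step.

```yaml
# Added example (not from the issue or the OSDU project): override the
# spotbugs-sast job so the analyzer skips its per-module "mvn install"
# and the pipeline builds from the parent POM, as compile-and-unit-test does.
include:
  - template: Security/SAST.gitlab-ci.yml

spotbugs-sast:
  variables:
    # Disable the analyzer's own compilation, which fails on search-byoc.
    COMPILE: "false"
    # Keep the local Maven repository inside the project tree so it can be
    # cached per job (assumed layout; any path under the project works).
    MAVEN_CLI_OPTS: "--batch-mode -Dmaven.repo.local=.m2/repository"
  cache:
    # Runner cache, not an artifact: it may be missing on whichever runner
    # picks up this job, so the build below must not depend on it.
    key: "$CI_COMMIT_REF_SLUG-m2"
    paths:
      - .m2/repository
  # Pull the target/ folders produced earlier so no clean rebuild is needed.
  dependencies:
    - compile-and-unit-test
  before_script:
    # Build from the parent POM only, so dependencies declared in the parent
    # are resolved for the child modules. No "clean": target/ stays current.
    # The parent POM path is a placeholder for the real one.
    - mvn $MAVEN_CLI_OPTS -f path/to/parent/pom.xml install -DskipTests
```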