This repository has been archived by the owner on Jun 9, 2022. It is now read-only.

Extend java-find-secbugs module to include package and class name in error code #108

Conversation

@flosell (Contributor) commented May 1, 2019

Description

At the moment, java-find-secbugs only allows users to exclude findings based on the type of bug-pattern. Since the same finding can be a false positive in one part of the code (esp. since findsecbugs also includes library code) but a real problem in another, this PR adds the package and classname to the error code.

Fixes #107

Type of change

  • New feature (non-breaking change which adds functionality)

Toolchain

  • Java
  • Kotlin

How Has This Been Tested?

  • Rebuild the Hawkeye Container to get all the tools

    $ docker build -t hawkeye-new .
    
  • Get a Spring Boot project where findsecbugs detects problems in the library

    $ curl https://start.spring.io/starter.tgz \
             -d type=gradle-project \
             -d baseDir=spring-boot-java-gradle \
             -d language=java | tar -xzvf -
    $ cd spring-boot-java-gradle
    $ ./gradlew build
    
  • Run Hawkeye against the project. You should see some findings from find-secbugs about spring boot internals and see the extended code

    $ docker run --rm -v $PWD:/target hawkeye-new scan --show-code -m java-find-secbugs
    
  • Run Hawkeye again, this time excluding org.springframework. Hawkeye should come back without findings

    $ docker run --rm -v $PWD:/target hawkeye-new scan --show-code -m java-find-secbugs --exclude '.*-org\.springframework.*'
    

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (no related documentation)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
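
To show what the location-qualified code buys, here is an added JavaScript example; it is not Hawkeye's own code, and the `<BUG_PATTERN>-<package>.<Class>` code format, the `errorCode`/`applyExcludes`/`scanPasses` names and the sample findings are assumptions chosen to fit the `.*-org\.springframework.*` exclude used in the test steps above. It runs a list of constructed find-secbugs findings through exclude regexes, once with a type-only code and once with the extended one, so that a library false positive can be silenced while the same bug pattern in application code still surfaces.

```javascript
// Added example, not part of the Hawkeye project: models how a
// location-qualified error code lets a regex exclude silence a
// find-secbugs finding in library code without hiding the same
// bug pattern elsewhere. The `<BUG_PATTERN>-<package>.<Class>` format
// is an assumption chosen to fit the exclude `.*-org\.springframework.*`.

// Constructed sample of the fields find-secbugs reports per bug instance.
const SAMPLE_FINDINGS = [
  { type: 'PREDICTABLE_RANDOM', pkg: 'org.springframework.util', cls: 'RandomHelper',
    msg: 'java.util.Random is predictable (library code)' },
  { type: 'PREDICTABLE_RANDOM', pkg: 'com.example.auth', cls: 'TokenGenerator',
    msg: 'java.util.Random is predictable (application code)' },
  { type: 'SQL_INJECTION_JDBC', pkg: 'com.example.repo', cls: 'UserRepository',
    msg: 'non-constant SQL string passed to Statement.execute' },
]

// Type-only code (the pre-PR shape described in the PR text) versus the
// extended code that appends package and class so an exclude can be
// scoped to one location.
function errorCode(finding, withLocation = true) {
  return withLocation
    ? `${finding.type}-${finding.pkg}.${finding.cls}`
    : finding.type
}

// Partition findings into kept and suppressed by testing each exclude
// regex (a string, as passed on the command line) against the code.
function applyExcludes(findings, excludePatterns, withLocation = true) {
  const excludes = excludePatterns.map(p => new RegExp(p))
  const kept = []
  const suppressed = []
  for (const f of findings) {
    const code = errorCode(f, withLocation)
    const hit = excludes.find(re => re.test(code))
    if (hit) suppressed.push({ code, by: hit.source, msg: f.msg })
    else kept.push({ code, msg: f.msg })
  }
  return { kept, suppressed }
}

// Scan outcome as a CI gate would treat it: any kept finding fails the scan.
function scanPasses(findings, excludePatterns, withLocation = true) {
  return applyExcludes(findings, excludePatterns, withLocation).kept.length === 0
}

if (typeof require !== 'undefined' && require.main === module) {
  // Scoped exclude from the PR's test steps: silences the Spring finding only.
  const scoped = applyExcludes(SAMPLE_FINDINGS, ['.*-org\\.springframework.*'])
  console.log('scoped exclude suppressed:', scoped.suppressed.map(s => s.code))
  console.log('scoped exclude kept:      ', scoped.kept.map(k => k.code))
  console.log('scan passes with scoped exclude:',
    scanPasses(SAMPLE_FINDINGS, ['.*-org\\.springframework.*']))

  // With a type-only code the only way to drop the library noise is to
  // exclude the whole bug pattern, which also hides the TokenGenerator bug.
  const broad = applyExcludes(SAMPLE_FINDINGS, ['PREDICTABLE_RANDOM'], false)
  console.log('type-only exclude kept:   ', broad.kept.map(k => k.code))
}
```

The scoped exclude leaves the `com.example.auth.TokenGenerator` finding in place, so the scan still fails on the application's own use of a predictable RNG; with the type-only code, excluding `PREDICTABLE_RANDOM` to quiet the Spring library silently drops that finding too.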

@felixhammerl felixhammerl merged commit ba3eeb6 into hawkeyesec:master May 3, 2019
Development

Successfully merging this pull request may close these issues.

How to exclude java-find-secbugs findings effectively.