spotbugs / spotbugs-maven-plugin

This project forked from gleclaire/findbugs-maven-plugin

Maven Mojo Plug-In to generate reports based on the SpotBugs Analyzer

Home Page: https://spotbugs.github.io/spotbugs-maven-plugin/

License: Apache License 2.0

Java 1.07% Groovy 47.50% HTML 45.59% CSS 5.84%

spotbugs-maven-plugin's Introduction

SpotBugs

SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off with support of its community.

SpotBugs is licensed under the GNU LESSER GENERAL PUBLIC LICENSE.

More information at the official website. A lot of things can still be found at the old FindBugs website.

Build

SpotBugs is built using Gradle. The recommended way to obtain it is to simply run the gradlew (or gradlew.bat) wrapper, which will automatically download and run the correct version as needed (using the settings in gradle/wrapper/gradle-wrapper.properties).

Building SpotBugs requires JDK 21 to run all the tests (using SpotBugs requires JDK 8 or above).

To see a list of build options, run gradle tasks (or gradlew tasks). The build task will perform a full build and test.

To build the SpotBugs plugin for Eclipse, you'll need to create the file eclipsePlugin/local.properties, containing a property eclipseRoot.dir that points to an Eclipse installation's root directory (see .github/workflows/release.yml for an example), then run the build. To prepare Eclipse environment only, run ./gradlew eclipse. See also detailed steps.

Using SpotBugs

SpotBugs can be used standalone and through several integrations, including:

Questions?

You can contact us using GitHub Discussions.

spotbugs-maven-plugin's People

Contributors

aoterolorenzo, bananeweizen, blacelle, cindyoliver-se, cmathiesen, crizzis, dependabot-preview[bot], dependabot[bot], famod, gaul, gleclaire, gtoison, h3xstream, hazendaz, hgschmie, iandarwin, jorsol, kengotoda, lkamal, lqc, philmfischer, rahul-khandelwal-ntnx, renovate[bot], romani, sullis, velinyordanov, vimal4david, vorburger, vsevolodgolovanov, wborn

spotbugs-maven-plugin's Issues

Groovydocs fail on site since groovy 2.5.0

Commented these out on 8144aca

Need to review what the issue is. Our site has been broken for a while. This issue only occurs after groovy 2.5.0+ upgrade. I confirmed dropping back to 2.4.15 was working.

java.lang.IllegalArgumentException with Java 10?

We are getting a lot of java.lang.IllegalArgumentException when trying to run this plugin with Java 10. But the changelog for Spotbugs gives me the impression it should be working. Are we missing --add-modules java.xml.bind or something of the likes somewhere?

EDIT: We're using maven 3.5.3 if it matters. //edit

Couldn't get class info for java/util/concurrent/Callable                                                                                                                                                        
 java.lang.IllegalArgumentException                                                                                                                                                                              
   At org.objectweb.asm.ClassReader.<init>(ClassReader.java:160)                                                                                                                                                 
   At org.objectweb.asm.ClassReader.<init>(ClassReader.java:143)                                      
   At edu.umd.cs.findbugs.asm.FBClassReader.<init>(FBClassReader.java:35)                             
   At edu.umd.cs.findbugs.classfile.engine.asm.ClassReaderAnalysisEngine.analyze(ClassReaderAnalysisEngine.java:48)                                                                                              
   At edu.umd.cs.findbugs.classfile.engine.asm.ClassReaderAnalysisEngine.analyze(ClassReaderAnalysisEngine.java:34)                                                                                              
   At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:262)       
   At edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:75)                                                                                                      
   At edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:38)                                                                                                      
   At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:262)       
   At edu.umd.cs.findbugs.ba.XFactory.getXClass(XFactory.java:687)                                    
   At edu.umd.cs.findbugs.ba.AnalysisContext.setAppClassList(AnalysisContext.java:970)                
   At edu.umd.cs.findbugs.FindBugs2.setAppClassList(FindBugs2.java:876)                               
   At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:222)                                       
   At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:401)                                         
   At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1187)                                         
Couldn't get class info for java/util/concurrent/ForkJoinPool                                         
 java.lang.IllegalArgumentException              
   At org.objectweb.asm.ClassReader.<init>(ClassReader.java:160)                                      
   At org.objectweb.asm.ClassReader.<init>(ClassReader.java:143)                                      
   At edu.umd.cs.findbugs.asm.FBClassReader.<init>(FBClassReader.java:35)                             
   At edu.umd.cs.findbugs.classfile.engine.asm.ClassReaderAnalysisEngine.analyze(ClassReaderAnalysisEngine.java:48)                                                                                              
   At edu.umd.cs.findbugs.classfile.engine.asm.ClassReaderAnalysisEngine.analyze(ClassReaderAnalysisEngine.java:34)                                                                                              
   At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:262)       
   At edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:75)                                                                                                      
   At edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:38)                                                                                                      
   At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:262)       
   At edu.umd.cs.findbugs.ba.XFactory.getXClass(XFactory.java:687)                                    
   At edu.umd.cs.findbugs.ba.AnalysisContext.setAppClassList(AnalysisContext.java:970)                
   At edu.umd.cs.findbugs.FindBugs2.setAppClassList(FindBugs2.java:876)                               
   At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:222)                                       
   At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:401)                                         
   At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1187)                                         
Couldn't get class info for javax/xml/bind/JAXBElement                                                
 java.lang.IllegalArgumentException              
   At org.objectweb.asm.ClassReader.<init>(ClassReader.java:160)                                      
   At org.objectweb.asm.ClassReader.<init>(ClassReader.java:143)                                      
   At edu.umd.cs.findbugs.asm.FBClassReader.<init>(FBClassReader.java:35)                             
   At edu.umd.cs.findbugs.classfile.engine.asm.ClassReaderAnalysisEngine.analyze(ClassReaderAnalysisEngine.java:48)                                                                                              
   At edu.umd.cs.findbugs.classfile.engine.asm.ClassReaderAnalysisEngine.analyze(ClassReaderAnalysisEngine.java:34)                                                                                              
   At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:262)       
   At edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:75)                                                                                                      
   At edu.umd.cs.findbugs.classfile.engine.ClassInfoAnalysisEngine.analyze(ClassInfoAnalysisEngine.java:38)                                                                                                      
   At edu.umd.cs.findbugs.classfile.impl.AnalysisCache.getClassAnalysis(AnalysisCache.java:262)       
   At edu.umd.cs.findbugs.ba.XFactory.getXClass(XFactory.java:687)                                    
   At edu.umd.cs.findbugs.ba.AnalysisContext.setAppClassList(AnalysisContext.java:970)                
   At edu.umd.cs.findbugs.FindBugs2.setAppClassList(FindBugs2.java:876)                               
   At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:222)                                       
   At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:401)                                         
   At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1187)

org.dom4j.DocumentException: Failing reading the exclude file

I'm using SpotBugs 3.1.8 via the spotbugs-maven-plugin 3.1.8. I'm getting the following error. Unfortunately, this output is with maximum debug/traces turned on. There is no other information. Nothing at all indicates what's wrong with my file.

     [java] The following errors occurred during analysis:
     [java]   Unable to read filter: /path/to/project/Core/target/spotbugs-exclude.xml : Failing reading /path/to/project/Core/target/spotbugs-exclude.xml
     [java]     org.dom4j.DocumentException: Failing reading /path/to/project/Core/target/spotbugs-exclude.xml
     [java]       At edu.umd.cs.findbugs.SortedBugCollection.readXML(SortedBugCollection.java:276)
     [java]       At edu.umd.cs.findbugs.SortedBugCollection.readXML(SortedBugCollection.java:257)
     [java]       At edu.umd.cs.findbugs.ExcludingHashesBugReporter.addToExcludedInstanceHashes(ExcludingHashesBugReporter.java:57)
     [java]       At edu.umd.cs.findbugs.ExcludingHashesBugReporter.<init>(ExcludingHashesBugReporter.java:44)
     [java]       At edu.umd.cs.findbugs.FindBugs.configureBaselineFilter(FindBugs.java:529)
     [java]       At edu.umd.cs.findbugs.FindBugs2.excludeBaselineBugs(FindBugs2.java:377)
     [java]       At edu.umd.cs.findbugs.FindBugs2.configureFilters(FindBugs2.java:484)
     [java]       At edu.umd.cs.findbugs.FindBugs2.setUserPreferences(FindBugs2.java:473)
     [java]       At edu.umd.cs.findbugs.TextUICommandLine.configureEngine(TextUICommandLine.java:672)
     [java]       At edu.umd.cs.findbugs.FindBugs.processCommandLine(FindBugs.java:365)
     [java]       At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1175)

I've confirmed that it's not a matter of it not finding the file, because I changed the configured name of the file and I got a different error (that the name couldn't be found). So it is definitely finding my file, it just can't parse it and won't tell me why.

Here is my plugin configuration:

<plugin>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>3.1.8</version>
    <configuration>
        <effort>Max</effort>
        <excludeBugsFile>build/spotbugs-exclude.xml</excludeBugsFile>
        <threshold>Low</threshold>
        <xmlOutput>true</xmlOutput>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Here is my spotbugs-exclude.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<!--

    Copyright © 2010-2019 OddSource Code ([email protected])

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.

-->
<FindBugsFilter xmlns="https://github.com/spotbugs/filter/3.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
    <Match>
        <Class name="a.b.c.ImmutableArrayList" />
        <Bug pattern="BC_BAD_CAST_TO_CONCRETE_COLLECTION" />
    </Match>

    <Match>
        <Class name="a.b.c.ImmutableLinkedHashSet" />
        <Bug pattern="BC_BAD_CAST_TO_CONCRETE_COLLECTION" />
    </Match>

    <Match>
        <Class name="a.b.c.ObjectSerializer" />
        <Method name="readObject" />
        <Bug pattern="DE_MIGHT_IGNORE" />
    </Match>

    <Match>
        <Class name="a.b.c.FileLicenseProvider" />
        <Method name="getLicenseData" />
        <Bug pattern="PZLA_PREFER_ZERO_LENGTH_ARRAYS" />
    </Match>
</FindBugsFilter>

I have no idea what the problem here is, but there is definitely a bug, and it's one of the following:

  • There is actually something wrong with my file (which I wrote according to the documentation), but SpotBugs does not properly tell me what that problem is in the error message.
  • There is nothing wrong with my file, but SpotBugs is failing to parse it due to some bug in the parser.

For what it's worth, I have tried taking the xmlns/xsd stuff out of the file, and it made no difference.
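
The stack trace in this report passes through `FindBugs.configureBaselineFilter` and `SortedBugCollection.readXML`, so the file named by `excludeBugsFile` is being read as a bug collection, while the posted file has a `FindBugsFilter` root. The preflight check below is an added example, not part of the original issue or the plugin's code; its function names and sample documents are constructed, and it assumes that the plugin's `excludeFilterFile`/`includeFilterFile` parameters take filter files and `excludeBugsFile` takes a baseline `BugCollection`.

```python
import xml.etree.ElementTree as ET

# Root element each plugin parameter is expected to contain (assumption of
# this example, see the lead-in).
EXPECTED_ROOT = {
    "excludeFilterFile": "FindBugsFilter",
    "includeFilterFile": "FindBugsFilter",
    "excludeBugsFile": "BugCollection",
}

# Constructed sample: a filter file shaped like the one posted in the issue.
FILTER_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter xmlns="https://github.com/spotbugs/filter/3.0.0">
    <Match>
        <Class name="a.b.c.ObjectSerializer" />
        <Method name="readObject" />
        <Bug pattern="DE_MIGHT_IGNORE" />
    </Match>
</FindBugsFilter>
"""

# Constructed sample: a truncated file, to show the parse-error path.
BROKEN_SAMPLE = b"<FindBugsFilter><Match></FindBugsFilter>"


def root_local_name(xml_bytes):
    """Return the root element name with any XML namespace stripped."""
    root = ET.fromstring(xml_bytes)
    return root.tag.rsplit("}", 1)[-1]


def check_parameter(parameter, xml_bytes):
    """Return (ok, message) saying whether the file suits the parameter."""
    expected = EXPECTED_ROOT[parameter]
    try:
        actual = root_local_name(xml_bytes)
    except ET.ParseError as exc:
        line, column = exc.position
        return False, (f"{parameter}: not well-formed XML "
                       f"at line {line}, column {column}")
    if actual != expected:
        # Name the parameters this kind of file would fit, if any.
        fits = sorted(p for p, r in EXPECTED_ROOT.items() if r == actual)
        hint = f"; this file fits {', '.join(fits)}" if fits else ""
        return False, (f"{parameter}: expected <{expected}> root, "
                       f"found <{actual}>{hint}")
    return True, f"{parameter}: <{actual}> root as expected"


if __name__ == "__main__":
    for param, sample in [("excludeBugsFile", FILTER_SAMPLE),
                          ("excludeFilterFile", FILTER_SAMPLE),
                          ("excludeFilterFile", BROKEN_SAMPLE)]:
        print(check_parameter(param, sample)[1])
```
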

Plugin fails on macOS 10.13 (High Sierra) with ArrayIndexOutOfBoundsException

A minimal project with one class and no methods evidences this error. I've made a simple project which demonstrates this issue at https://github.com/twohey/spotbugs-bug

$ java -version
java version "9"
Java(TM) SE Runtime Environment (build 9+181)
Java HotSpot(TM) 64-Bit Server VM (build 9+181, mixed mode)
$ uname -a
Darwin twohey-book.local 17.0.0 Darwin Kernel Version 17.0.0: Thu Aug 24 21:48:19 PDT 2017; root:xnu-4570.1.46~2/RELEASE_X86_64 x86_64

Plugin bug descriptions do not show in GUI

I'm not sure if I should file this here or in the GUI project, but since I run the GUI through the maven plugin, I'll start here.

I have several plugins configured to run through the maven plugin:

<plugin>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs-maven-plugin</artifactId>
                <version>3.1.0-RC6</version>
                <configuration>
                    <plugins>
                        <plugin>
                            <groupId>com.mebigfatguy.fb-contrib</groupId>
                            <artifactId>fb-contrib</artifactId>
                            <version>LATEST</version>
                        </plugin>
                        <plugin>
                            <groupId>com.h3xstream.findsecbugs</groupId>
                            <artifactId>findsecbugs-plugin</artifactId>
                            <version>LATEST</version>
                        </plugin>
                        <plugin>
                            <groupId>jp.skypencil.findbugs.slf4j</groupId>
                            <artifactId>bug-pattern</artifactId>
                            <version>LATEST</version>
                        </plugin>
                    </plugins>
                </configuration>
            </plugin>

and they run and generate bugs. But, when I run mvn spotbugs:gui they show up as "Unknown Bug Pattern" and I don't see the JARs in the classpath.

Make outputSpotbugsFile configurable

Hi,

Would it be possible to make outputSpotbugsFileName configurable? I've got a couple of old, annoying and unmaintained tools at my company, which are required by our management to collect reports from findbugs. They have the findbugs output file name hardcoded as findbugsXml.xml. We would like to switch to spotbugs, but I'm not even going to force my company to force a 3rd party company to fix their tooling and add support for spotbugs.

Could you consider making the output report name configurable (instead of spotbugsXml.xml)? I would be happy to provide a PR (adding a parameter spotbugsXmlOutputFileName or outputSpotbugsFileName) for that.

Best regards,
Michal

Update vulnerable dependencies

./mvnw site reports the following warning:

One or more dependencies were identified with known vulnerabilities in SpotBugs Maven Plugin:
httpclient-4.0.2.jar (cpe:/a:apache:httpclient:4.0.2, org.apache.httpcomponents:httpclient:4.0.2) : CVE-2015-5262, CVE-2014-3577
maven-core-3.0.jar (cpe:/a:apache:maven:3.0.4, org.apache.maven:maven-core:3.0) : CVE-2013-0253
xbean-reflect-3.7.jar (cpe:/a:apache:geronimo:3.7, org.apache.xbean:xbean-reflect:3.7) : CVE-2008-0732
groovy-2.4.14.jar (cpe:/a:apache:groovy:2.4.14, org.codehaus.groovy:groovy:2.4.14) : CVE-2016-6497
lombok-1.16.18.jar (cpe:/a:spice_project:spice:1.16.18, org.projectlombok:lombok:1.16.18) : CVE-2016-2150, CVE-2016-0749
plexus-build-api-0.0.7.jar (cpe:/a:spice_project:spice:0.0.7, org.sonatype.plexus:plexus-build-api:0.0.7) : CVE-2016-2150, CVE-2016-0749, CVE-2015-5261, CVE-2015-5260, CVE-2013-4130
plexus-cipher-1.4.jar (cpe:/a:spice_project:spice:1.4, org.sonatype.plexus:plexus-cipher:1.4) : CVE-2016-2150, CVE-2016-0749
plexus-sec-dispatcher-1.3.jar (cpe:/a:spice_project:spice:1.3, org.sonatype.plexus:plexus-sec-dispatcher:1.3) : CVE-2016-2150, CVE-2016-0749

See the dependency-check report for more details.

XML file encoding is missing in XML output file

With the latest spotbugs-maven-plugin, version 3.1.6, I'm not able to generate the maven-site report.
It was OK with findbugs, but I can't make it work with spotbugs.
My source and report encodings are CP1252 (I have many other reports like checkstyle, dependencies, javadoc, ...).

The generated spotbugsXml.xml does not contain a line like:
<?xml version="1.0" encoding="CP1252"?>

So the maven-site plugin fails (assuming it is UTF-8) with the following error:
Error during site generation: Invalid byte 2 of 3-byte UTF-8 sequence
I was expecting that the outputEncoding parameter could set the XML encoding, but it does not.

Is that a bug or did I miss something?

Lockup in maven concurrent build, with fork=false

I've just added spotbugs to a QA build that already had PMD and errorprone, the build times on Travis went through the roof, from 17m to 44m (parallel build, -T1C), which is dangerously close to the Travis max build time limit.

So I've tried to disable forking spotbugs hoping to get a speedup, but the build locked up after a few modules.

Here is a jstack:
spotbugs-jstack.txt

RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE with JDK-11

I get RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE when I compile my project with JDK-11, although when I compile the same code with JDK-8, no error is reported by spotbugs.

I was able to create a code example that causes this:

package stuchy.piskoviste.hracka1;

import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Hello world!
 */
public class App {
    public static void main(String[] args) {
        Path file = new java.io.File("/tmp").toPath();
        try {
            if (file != null) {
                try (DirectoryStream<Path> stream = Files.newDirectoryStream(file)) {
                    for (Path child : stream) {
                    }
                }
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
}

Generated spotbugs error:

[ERROR] Nullcheck of stream at line 17 of value previously dereferenced in stuchy.piskoviste.hracka1.App.main(String[]) [stuchy.piskoviste.hracka1.App, stuchy.piskoviste.hracka1.App] At App.java:[line 17]Redundant null check at App.java:[line 19] RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE

JDKs used:

java version "11" 2018-09-25
Java(TM) SE Runtime Environment 18.9 (build 11+28)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11+28, mixed mode)

and

openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-b15)
OpenJDK 64-Bit Server VM (build 25.181-b15, mixed mode)

SpotBugs version used is 3.1.7

Too many opened file handles to spotbugs plugins

We are running the spotbugs-maven-plugin programmatically in a multi-module Maven project. This is why it is difficult to describe the exact spotbugs maven plugin configuration, this is why I will attach part of the Maven debug logs, where this can be seen:

spotbugs-config.txt

While trying to set up a Jenkins job, we faced ‘Too many open files’ problem causing the build to fail.

We started investigating the problem and found out that there is a huge number of opened files (spotbugs plugins).

I attach here the output of the following command ls -l /proc/MAVEN_PID/fd/ > openfiles.txt:

openfiles.txt

They are all located in the target directory.

Used spotbugs-maven-plugin/3.1.3 with spotbugs 3.1.2

Don't output to INFO, but to WARN or ERROR instead

When running mvn spotbugs:check it outputs all bugs to INFO:

[INFO] Private method ...
UPM_UNCALLED_PRIVATE_METHOD

This hardly catches one's attention.
Maven 3.5 supports colorizing output and prints warnings in yellow and errors in red.

I suggest printing bugs as those (warnings or errors), so that developers more easily see them in Maven output. Especially useful if not failing the build (<failOnError>false</failOnError>)

spotbugs or findsecbugs create directory in target which it shouldn't

I am currently using spotbugs, and I use it through Maven, so I put these lines in my pom in reporting plugins

<plugin>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>3.1.1</version>
    <configuration>
        <plugins>
            <plugin>
                <groupId>com.h3xstream.findsecbugs</groupId>
                <artifactId>findsecbugs-plugin</artifactId>
                <version>LATEST</version>
                <!-- Auto-update to the latest stable -->
            </plugin>
        </plugins>
    </configuration>
</plugin>

But there is a problem.
When I execute site:site it creates some directory inside my target folder.
The directory is
C_\Users\ [myUserName] \ .m2\repository\com\h3xstream\findsecbugs\findsecbugs-plugin\1.7.1
and findsecbugs-plugin-1.7.1.jar is inside this directory.
It looks like it should be
C:\Users\ [myUserName] \ .m2\repository\com\h3xstream\findsecbugs\findsecbugs-plugin\1.7.1
but somebody accidentally used '_' instead of ':'.

mvn clean spotbugs:check gives no errors as it runs on classes, so add a warning to users that miss compile

steps:

$ git clone [email protected]:checkstyle/checkstyle.git 
$ cd checkstyle
$ mvn clean spotbugs:check
[INFO] Scanning for projects...
[INFO] Inspecting build with total of 1 modules...
[INFO] Installing Nexus Staging features:
[INFO]   ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building checkstyle 8.13-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-clean-plugin:3.1.0:clean (default-clean) @ checkstyle ---
[INFO] Deleting /home/rivanov/java/github/checkstyle/checkstyle/target
[INFO] 
[INFO] >>> spotbugs-maven-plugin:3.1.6:check (default-cli) > :spotbugs @ checkstyle >>>
[INFO] 
[INFO] --- spotbugs-maven-plugin:3.1.6:spotbugs (spotbugs) @ checkstyle ---
[INFO] 
[INFO] <<< spotbugs-maven-plugin:3.1.6:check (default-cli) < :spotbugs @ checkstyle <<<
[INFO] 
[INFO] --- spotbugs-maven-plugin:3.1.6:check (default-cli) @ checkstyle ---
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.783 s
[INFO] Finished at: 2018-08-30T16:44:18-07:00
[INFO] Final Memory: 28M/397M
[INFO] ------------------------------------------------------------------------

Readme refers to a SNAPSHOT version which is incorrect

It seems the README is referring to a 3.1.0-SNAPSHOT version which is not available in maven central. We need to modify that as 3.1.1

<!-- https://mvnrepository.com/artifact/com.github.spotbugs/spotbugs-maven-plugin -->
<dependency>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>3.1.1</version>
</dependency>

Introduce verify goal (similar to failsafe plugin)

Right now we can use either the spotbugs goal which performs the analysis, or the check goal which performs the analysis and fails the build if violations are detected.

It would be nice to have another goal (similar to Maven Failsafe Plugin's verify goal) which fails the build if the spotbugsXml.xml report contains violations, without invoking the spotbugs goal. This way, it would be possible to split the analysis and verification into lifecycle phases of our choosing.

One use case is running multiple code analyzers at once and only failing the build at a later stage, so that all of them have a chance to run.
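
A report-only gate of the kind requested here can be sketched outside the plugin. The script below is an added example, not the plugin's code or part of the original issue: it fails on violations found in an existing report and, covering the `mvn clean spotbugs:check` report above, also fails when there is no report or the report covers no classes. The report layout (`BugInstance` with `type` and `priority`, where priority 1 is high and 3 is low, and `FindBugsSummary` with `total_classes`) is an assumption of the example, and the sample report and function names are constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of a spotbugsXml.xml report.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<BugCollection version="3.1.7">
  <BugInstance type="RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE"
               priority="2" category="STYLE">
    <Class classname="stuchy.piskoviste.hracka1.App"/>
  </BugInstance>
  <BugInstance type="UPM_UNCALLED_PRIVATE_METHOD"
               priority="3" category="PERFORMANCE">
    <Class classname="a.b.c.ObjectSerializer"/>
  </BugInstance>
  <FindBugsSummary total_classes="2" total_bugs="2"/>
</BugCollection>
"""


def violations(root, max_priority=2):
    """List (type, priority, class) for bugs at or above the threshold."""
    found = []
    for bug in root.iter("BugInstance"):
        # A missing priority is treated as high so it cannot slip through.
        priority = int(bug.get("priority", "1"))
        if priority <= max_priority:
            cls = bug.find("Class")
            name = cls.get("classname") if cls is not None else None
            found.append((bug.get("type"), priority, name))
    return found


def verify(report, max_priority=2):
    """Return (exit_code, reasons) for report bytes, or None if absent."""
    if report is None:
        return 1, ["no report: run the spotbugs goal after compile"]
    root = ET.fromstring(report)
    summary = root.find("FindBugsSummary")
    if summary is None or int(summary.get("total_classes", "0")) == 0:
        # An empty analysis must not be mistaken for a clean one.
        return 1, ["report covers 0 classes: nothing was analysed"]
    reasons = [f"{bug_type} (priority {priority}) in {cls}"
               for bug_type, priority, cls in violations(root, max_priority)]
    return (1 if reasons else 0), reasons


if __name__ == "__main__":
    # Usage: python verify_report.py target/spotbugsXml.xml
    if len(sys.argv) > 1:
        try:
            with open(sys.argv[1], "rb") as handle:
                data = handle.read()
        except FileNotFoundError:
            data = None
    else:
        data = SAMPLE_REPORT
    code, why = verify(data)
    for line in why:
        print(line, file=sys.stderr)
    sys.exit(code)
```
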

Support for incremental analysis

This is more of a question than reporting an issue: does this support doing incremental analysis by adding a cache property to the plugin configuration?
Or something along similar lines; the general idea is: if only 5 lines of code were changed since the last commit, spotbugs does not need to analyze the entire repository code.

Embed bug pattern description into report

When a report is generated, it will show a summary of all of the found spotbugs issues. Each spotbugs issue provides a link to the spotbugs pattern description site. This works fine if the pattern comes from the core set of spotbugs patterns. But when the bug comes from another plugin, such as fb-contrib, then the link is fairly useless.

I propose embedding the relevant descriptions to the pattern to the report itself and then linking to those descriptions.

It appears that a spotbugsXml.xml file with all of the relevant descriptions is generated anyway when I build a project, so this (or the mechanism that creates this document) could possibly be leveraged to generate the report.

Maven plugin spot-bugs leads to mvn incompatibilities in other plugins

Hello,

According to spot-bugs maven plugin, Spotbugs is compatible with

<prerequisites>
  <maven>3.0.1</maven>
</prerequisites>

However, it seems the use of maven-core in 3.5.2 leads to incompatibilities in other plugins when run in an older maven version (e.g. mvn 3.2.5 and mvn 3.3.9).

In https://github.com/blasd/spotbugs-maven-plugin/tree/IssueMaven3_3, you will find a sample maven project based on mvn-deploy-plugin 2.8.2 which fails during mvn deploy target (in the sample project, mvn deploy will deploy in a local folder). Removing spotbugs from <plugins> enables deployment.

To reproduce the issue:

  1. clone the fork,
  2. cd exampleProject
  3. run mvn deploy

It shall fail under mvn 3.3 and 3.2, and certainly previous versions (as the prerequisites suggest compatibility up to 3.0)

$ mvn --version
Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 2015-11-10T17:41:47+01:00)
Maven home: C:\Users\blacelle112212\Downloads\apache-maven-3.3.9
Java version: 1.8.0_152, vendor: Oracle Corporation
Java home: C:\HOMEWARE\Install\jdk-8u152-windows-x64\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "dos"

The issue looks like:

[INFO] --- maven-install-plugin:2.4:install (default-install) @ sampleProject ---
ve[WARNING] Error injecting: org.apache.maven.artifact.installer.DefaultArtifactInstaller
com.google.inject.ProvisionException: Unable to provision, see the following errors:

1) Error injecting: private org.eclipse.aether.spi.log.Logger org.apache.maven.repository.internal.DefaultVersionRangeResolver.logger
  while locating org.apache.maven.repository.internal.DefaultVersionRangeResolver
  while locating java.lang.Object annotated with *
  at org.eclipse.sisu.wire.LocatorWiring
  while locating org.eclipse.aether.impl.VersionRangeResolver
    for parameter 2 at org.eclipse.aether.internal.impl.DefaultDependencyCollector.<init>(Unknown Source)
  while locating org.eclipse.aether.internal.impl.DefaultDependencyCollector
  while locating java.lang.Object annotated with *
  at org.eclipse.sisu.wire.LocatorWiring
  while locating org.eclipse.aether.impl.DependencyCollector
    for parameter 5 at org.eclipse.aether.internal.impl.DefaultRepositorySystem.<init>(Unknown Source)
  while locating org.eclipse.aether.internal.impl.DefaultRepositorySystem
  while locating java.lang.Object annotated with *
  while locating org.apache.maven.artifact.installer.DefaultArtifactInstaller
Caused by: java.lang.IllegalArgumentException: Can not set org.eclipse.aether.spi.log.Logger field org.apache.maven.repository.internal.DefaultVersionRangeResolver.logger to org.eclipse.aether.internal.impl.slf4j.Slf4jLoggerFactory
        at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
        at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
        at sun.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
        at java.lang.reflect.Field.set(Field.java:764)
        at org.eclipse.sisu.bean.BeanPropertyField.set(BeanPropertyField.java:72)
        at org.eclipse.sisu.plexus.ProvidedPropertyBinding.injectProperty(ProvidedPropertyBinding.java:48)
        at org.eclipse.sisu.bean.BeanInjector.injectMembers(BeanInjector.java:52)
        at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:140)
        at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
        at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:32)
        at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:89)
        at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
        at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:133)
        at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:68)
        at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:87)
        at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
        at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56)
        at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
        at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
        at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
        at org.eclipse.sisu.inject.Guice4$1.get(Guice4.java:162)

Given the stack, it appears the issue may also appear in the install plugin (maven-install-plugin:2.4). In my original project, the issue is with mvn deploy plugin 2.8.2.

Illegal reflective access groovy 2.5.6

Running spotbugs:gui but also running spotbugs:check results in the following, on a JDK 11 build:

1278 [INFO] --- spotbugs-maven-plugin:3.1.10:gui (default-cli) @ gt-main ---
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 (file:/home/aaime/.m2/repository/org/codehaus/groovy/groovy/2.5.4/groovy-2.5.4.jar) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.vmplugin.v7.Java7$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Likely related to https://issues.apache.org/jira/browse/GROOVY-8339

Maven central has v3.1.1, but source has 3.1.1-SNAPSHOT

It seems there is some confusion in this plugin's version number.

pom.xml has 3.1.1-SNAPSHOT version as below.

<version>3.1.1-SNAPSHOT</version>

Maven central has 3.1.1 release.

<dependency>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>3.1.1</version>
</dependency>


Maven command (groupId, artifactId, etc.)

The README states a command that doesn't work unless special aliases are created.
mvn com.github.spotbugs:spotbugs-maven-plugin:3.1.0-SNAPSHOT:gui

Based on the maven repository link, I found this instance of the plugin which works.
mvn com.github.hazendaz.spotbugs:spotbugs-maven-plugin:3.1.0-RC4:findbugs

This is much longer than the previous mvn findbugs:findbugs

Spotbugs 3.1.9 - No SLF4J providers were found

Running spotbugs:check with spotbugs 3.1.9 causes an SLF4J error to be printed:

[INFO] --- spotbugs-maven-plugin:3.1.9:spotbugs (spotbugs) @ <project> ---
[INFO] Fork Value is true
     [java] SLF4J: No SLF4J providers were found.
     [java] SLF4J: Defaulting to no-operation (NOP) logger implementation
     [java] SLF4J: See http://www.slf4j.org/codes.html#noProviders for further details.
     [java] Warnings generated: 10
[INFO] Done SpotBugs Analysis....

It appears all the same messages are otherwise still printed, so this seems to just be an annoyance.

Overriding the plugin's dependency on spotbugs to 3.1.8, or adding a dependency to the plugin on org.slf4j:slf4j-simple works around the problem.

Support for classifier configuration of Plugin artifact

I need to bundle dependencies with a SpotBugs plugin. The easiest way to publish this plugin is releasing the normal jar and a jar with all the needed dependencies.

My small obstacle is that I can't configure a classifier in the PluginArtifact XML section.

class PluginArtifact {
String groupId, artifactId, version
String type = "jar"
}

Maybe I'm missing something regarding Plugin Artifact dependencies and the all-in-one jar is not necessary.

Report generation only works after compiling the sources

Today I faced a problem generating my site.
I'm on a project where I do not compile the source files but only execute mvn site to generate the site (A Spotbugs Example Project).
Therefore I only run mvn site but then the report is not generated.
I had to run at least mvn compile site to get the report generated.
This should at least be documented for the plugin that the compiled classes are needed to create the report.

[readme] Opening Issues against spotbugs or findbugs plugin

This plugin is a continuation of findbugs-maven-plugin. We are by default keeping the master in sync with findbugs-maven-plugin at the current time. When opening bugs, please consider if the issue is with the original plugin, which has its own bug tracking here, or with spotbugs changes. Every attempt will be made to perform bug fixes against the original plugin as there are known issues yet to be overcome there. Fixes against the original plugin will be merged into this project.

Java 9 Illegal reflective access groovy 2.4.13

[INFO] --- spotbugs-maven-plugin:3.1.1:spotbugs (spotbugs) @ project ---
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass (file:/home/hheg/.m2/repository/org/codehaus/groovy/groovy/2.4.13/groovy-2.4.13.jar) to method java.lang.Object.finalize()
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO]
[INFO] <<< spotbugs-maven-plugin:3.1.1:check (default) < :spotbugs @ project <<<
[INFO]

The project is a parent and of a pom type.

This error is probably related to https://issues.apache.org/jira/browse/GROOVY-8339

From spotbugs/spotbugs#598

added property maxAllowedViolations.

Hi, I have raised a pull request to the findbugs maven plugin to add a maxAllowedViolations configuration property - pull-request-link-here. Since findbugs is no longer maintained, can I raise the same change request to spotbugs, since it's maintained?
The property is similar to the checkstyle property to ignore the number of violations. The use case arose when we had multiple teams working on it and we couldn't have everything fixed in one release, so we decided to keep the old ones and not introduce new ones till we plan the fix release for the older violations. Let me know so that I can re-raise the request here. I believe it might be a useful option to have. It can also partially solve.

MFINDBUGS-145/pom.xml fails on jdk 11

This is for some really old issue and probably unnecessary. Putting this here for tracking purposes until I determine what we need to do with that test.

Release 3.1?

Spotbugs 3.1 has been released, but this plugin is still in RC status. Any timeline on publishing to maven?

Generate HTML Report with Findbugs

I am pretty sure that with findbugs it was possible to generate html reports during a maven build.
Is there a way to generate a more human readable output during the build?

jdk9 builds fail on travis

It works fine locally so not sure what the issue is. I have been using java 9 since 9/30 to perform all my builds. If I ask travis to run jdk9, the plugin fails for the following issue. Seems like that '0' on version number is key and we probably should replace cobertura anyways. Not sure if jacoco handles better but historically it's had more support and been better for unit tests.

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-site-plugin:3.6:site (default-site) on project spotbugs-maven-plugin: failed to get report for org.codehaus.mojo:cobertura-maven-plugin: Plugin org.codehaus.mojo:cobertura-maven-plugin:2.6 or one of its dependencies could not be resolved: Could not find artifact com.sun:tools:jar:0 at specified path /usr/lib/jvm/java-9-oracle/../lib/tools.jar -> [Help 1]

Speed up integration tests

Run integration tests multi threaded if possible as they are close to limit of travis cut off point (used to be 50 minutes and I'm sure it still is). The integration tests take around 45 minutes to run. We need quicker feedback of things working. Tests are separate so using -T 2C or similar will probably help out quite a bit but needs tested.
