从 findbugs-maven-plugin 到 spotbugs-maven-plugin 帮你找到代码中的bug

一、findbugs-maven-plugin

介绍：

Status: Since Findbugs is no longer maintained, please use Spotbugs which has a Maven plugin. It is located at here.

Please Note - This version is using Findbugs 3.0.1.

FindBugs looks for bugs in Java programs. It is based on the concept of bug patterns. A bug pattern is a code idiom that is often an error. Bug patterns arise for a variety of reasons:

• Difficult language features
• Misunderstood API methods
• Misunderstood invariants when code is modified during maintenance
• Garden variety mistakes: typos, use of the wrong boolean operator

FindBugs uses static analysis to inspect Java bytecode for occurrences of bug patterns. We have found that FindBugs finds real errors in most Java software. Because its analysis is sometimes imprecise, FindBugs can report false warnings, which are warnings that do not indicate real errors. In practice, the rate of false warnings reported by FindBugs is generally less than 50%.

FindBugs is free software, available under the terms of the Lesser GNU Public License. It is written in Java, and can be run with any virtual machine compatible with Java 7. It can analyze programs written for any version of Java. FindBugs was originally developed by Bill Pugh. It is maintained by Bill Pugh, David Hovemeyer, and a team of volunteers.

FindBugs uses BCEL to analyze Java bytecode. It uses dom4j for XML manipulation.

This introduction is an excerpt from the Facts Sheet at FindBugs home page.

To see more documentation about FindBugs' options, please see the FindBugs Manual.

https://gleclaire.github.io/findbugs-maven-plugin/

 

使用：

Usage version3.0.6-SNAPSHOT/version The following examples describe the basic usage of the FindBugs plugin.

Generate FindBugs Report As Part of the Project Reports

To generate the FindBugs report as part of the Project Reports, add the FindBugs plugin in the <reporting> section of your pom.xml.

<project>
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>3.0.6-SNAPSHOT</version>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Generate FindBugs xdoc Report As Part of the Project Reports

To generate the FindBugs xdoc report as part of the Project Reports, add the FindBugs plugin in the <reporting> section of your pom.xml. This will be the same report as that of the Maven 1 FindBugs report. It is also the format used by Hudson. The output file will be written as findbugs.xml to either the default output directory of ${project.build.directory} or by that started in the <xmlOutputDirectory> option.

<project>
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>3.0.6-SNAPSHOT</version>
        <configuration>
          <xmlOutput>true</xmlOutput>
          <!-- Optional directory to put findbugs xdoc xml report -->
          <xmlOutputDirectory>target/site</xmlOutputDirectory>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Filter bugs to report

To filter the classes and methods which are analyzed or omitted from analysis you can use filters. The filters allow specifying by class and method which bug categories to include/exclude in/from the reports. The filter format specification also contains useful examples.

<project>
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>3.0.6-SNAPSHOT</version>
        <configuration>
          <excludeFilterFile>findbugs-exclude.xml</excludeFilterFile>
          <includeFilterFile>findbugs-include.xml</includeFilterFile>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Specifying which bug filters to run

To filter the classes and methods which are analyzed or omitted from analysis you can use filters. The filters allow specifying by class and method which bug categories to include/exclude in/from the reports. The filter format specification also contains useful examples.

<project>
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>3.0.6-SNAPSHOT</version>
        <configuration>
          <excludeFilterFile>findbugs-exclude.xml</excludeFilterFile>
          <includeFilterFile>findbugs-include.xml</includeFilterFile>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Specifying which bug detectors to run

The visitors option specifies a comma-separated list of bug detectors which should be run. The bug detectors are specified by their class names, without any package qualification. By default, all detectors which are not disabled are run.

<project>
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>3.0.6-SNAPSHOT</version>
        <configuration>
          <visitors>FindDeadLocalStores,UnreadFields</visitors>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Specifying which bug detectors to skip

The omitVisitors option is like the visitors attribute, except it specifies detectors which will not be run.

<project>
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>3.0.6-SNAPSHOT</version>
        <configuration>
          <omitVisitors>FindDeadLocalStores,UnreadFields</omitVisitors>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Specifying which classes to analyze

The onlyAnalyze option restricts analysis to the given comma-separated list of classes and packages.

<project>
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>3.0.6-SNAPSHOT</version>
        <configuration>
         <onlyAnalyze>org.codehaus.mojo.findbugs.*</onlyAnalyze>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Using Third party or your own detectors

The pluginList option specifies a comma-separated list of optional BugDetector Jar files to add.

<project>
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>3.0.6-SNAPSHOT</version>
        <configuration>
          <pluginList>myDetectors.jar, yourDetectors.jar</pluginList>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Using Detectors from a Repository

The plugins option defines a collection of PluginArtifact to work on. (PluginArtifact contains groupId, artifactId, version, type.)

<project>
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>3.0.6-SNAPSHOT</version>
        <configuration>
          <plugins>
            <plugin>
              <groupId>com.timgroup</groupId>
              <artifactId>findbugs4jmock</artifactId>
              <version>0.2</version>
            </plugin>
          </plugins>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Launch the Findbugs GUI

This will launch the FindBugs GUI configured for this project and will open the findbugsXml.xml file if present. It therefore assumes a pom.xml with the minimum as follows.

<project>
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>3.0.6-SNAPSHOT</version>
        <configuration>
          <!-- Optional directory to put findbugs xml report -->
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the findbugs plugin with the gui option.

mvn findbugs:gui

二、SpotBugs Maven Plugin

Introduction

SpotBugs is a program to find bugs in Java programs. It looks for instances of “bug patterns” — code instances that are likely to be errors.

This document describes version 4.0.3 of SpotBugs. We are very interested in getting your feedback on SpotBugs. Please visit the SpotBugs web page for the latest information on SpotBugs, contact information, and support resources such as information about the SpotBugs GitHub organization.

Requirements

To use SpotBugs, you need a runtime environment compatible with Java version 1.8 or later. SpotBugs is platform independent, and is known to run on GNU/Linux, Windows, and MacOS X platforms.

You should have at least 512 MB of memory to use SpotBugs. To analyze very large projects, more memory may be needed.

Supported Java version

SpotBugs is built by JDK8, and run on JRE8 and newer versions.

SpotBugs can scan bytecode (class files) generated by JDK8 and newer versions. However, support for Java 11 and newer is still experimental. Visit issue tracker to find known problems.

SpotBugs does not support bytecode (class files) generated by outdated JDK such as 10, 9, 7 and older versions.

• Introduction
• Requirements
• Installing
• Running SpotBugs
• Using the SpotBugs GUI
• Using the SpotBugs Eclipse plugin
• Using the SpotBugs Ant task
• Using the SpotBugs Maven Plugin
  • Add spotbugs-maven-plugin to your pom.xml
  • Goals of spotbugs-maven-plugin
• Using the SpotBugs Gradle Plugin
• Filter file
• Analysis Properties
• Effort
• Implement SpotBugs plugin
• Use SpotBugs Plugin on SonarQube
• SpotBugs FAQ
• SpotBugs Links
• Bug descriptions
• Guide for migration from SpotBugs 3.1 to 4.0
• Guide for migration from FindBugs 3.0 to SpotBugs 3.1
• Annotations

Reach over 7 million devs each month when you advertise with Read the Docs.

Sponsored · Ads served ethically

• Docs »
• Using the SpotBugs Maven Plugin
• Edit on GitHub

---

Using the SpotBugs Maven Plugin

This chapter describes how to integrate SpotBugs into a Maven project.

Add spotbugs-maven-plugin to your pom.xml

Add <plugin> into your pom.xml like below:

<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>4.0.0</version>
  <dependencies>
    <!-- overwrite dependency on spotbugs if you want to specify the version of spotbugs -->
    <dependency>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs</artifactId>
      <version>4.0.3</version>
    </dependency>
  </dependencies>
</plugin>

Goals of spotbugs-maven-plugin

spotbugs goal

三、附加订阅