For SpotBugs to work correctly, Java version 8 or higher must be used. SpotBugs can be run from the following build tools and IDEs:
- Ant
- Maven
- Gradle
- Eclipse
In the plugins section of pom.xml, add:
<plugin>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>4.2.2</version>
    <dependencies>
        <dependency>
            <groupId>com.github.spotbugs</groupId>
            <artifactId>spotbugs</artifactId>
            <version>4.2.0</version>
        </dependency>
    </dependencies>
</plugin>
Also in the plugins section add:
<plugin>
    <artifactId>maven-project-info-reports-plugin</artifactId>
    <version>2.8</version>
</plugin>
Basic SpotBugs Commands
Now let's look at the main SpotBugs commands. They can be run either from the Maven tool window of the IDE (opened by clicking the m icon) or from the IDE terminal.

1. mvn spotbugs:help

Displays help information for the SpotBugs Maven plugin. [Screenshot: output of mvn spotbugs:help] As the output shows, running mvn spotbugs:help -Ddetail=true -Dgoal=<goal-name> prints the detailed settings of a specific goal, and mvn spotbugs:help -Ddetail=true prints the details of all four goals. For example, I ran mvn spotbugs:help -Ddetail=true -Dgoal=help and got the following description: [Screenshot: detailed help for the help goal]

2. mvn spotbugs:check

This goal runs the analysis and fails the build if it finds any bug from the SpotBugs bug patterns. [Screenshot: output of mvn spotbugs:check] Here we see SpotBugs complaining about every flaw it found in the application (every piece of bad code it detected).

3. mvn spotbugs:spotbugs

This goal analyzes the target project using SpotBugs. Without it, the goal that displays the results is useless, because this is the goal that actually performs the analysis. After it runs, the file spotbugsXml.xml is created, in which the analysis results are stored for later display. Note that running mvn spotbugs:spotbugs on its own gives nothing: you first need to run the standard compile command, mvn clean compile, and only then the analysis. The previous goal, mvn spotbugs:check, also runs the analysis and creates spotbugsXml.xml, but unlike mvn spotbugs:spotbugs it also shows the result of the analysis in the bottom panel of the IDE. To analyze this way, you likewise need to run mvn clean compile first and only then mvn spotbugs:check.

4. mvn spotbugs:gui

This goal is perhaps the most interesting: it launches the SpotBugs GUI for reviewing the analysis results, in which you can see in detail which flaws are in your code and where they are located. But, as mentioned above, for this goal to work the spotbugsXml.xml file must be present in the target folder; it is created by the steps described above. Running this goal opens the following graphical display: [Screenshot: SpotBugs GUI] Here you can filter by class name, group by category of bad code, and so on. Possible flaws are divided into categories, which in turn are divided into specific detailed bug patterns (400+).

Error types
Let's take a closer look at the possible categories of errors:
- Bad practice: violations of recommended coding practice.
- Correctness: a probable defect, i.e. code that apparently does not do what the developer intended. SpotBugs aims for a low rate of false positives in this category.
- Experimental: experimental and not fully tested bug patterns (reports of this type should be treated with great care).
- Internationalization: code flaws related to internationalization and localization.
- Malicious code vulnerability: code that is vulnerable to attacks from untrusted code.
- Multithreaded correctness: code flaws related to threads and locks.
- Bogus random noise: intended as a control in data-mining experiments, not to find real software bugs.
- Performance: code that is not necessarily wrong but may be inefficient and in need of optimization.
- Security: code that probably uses untrusted input in a way that may open vulnerabilities or security holes exploitable remotely.
- Dodgy code: code that is confusing, anomalous, or written in a way that leads to errors.
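To make two of these categories concrete, here is an added example class (it is not from the original article) containing one flaw from the Malicious code vulnerability category and one from the Security category, each beside its corrected form. After mvn clean compile, mvn spotbugs:check reports the flawed methods under the bug pattern ids given in the comments; those ids are real SpotBugs pattern names, while the class, method and table names are invented for the example.

```java
// Added example, not part of the original article: two SpotBugs findings
// and their fixes. Class, method and table names are invented for illustration.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;

public class SpotBugsDemo {

    private final byte[] secretKey;

    public SpotBugsDemo(byte[] secretKey) {
        // Defensive copy. Storing the caller's array directly would be reported as
        // EI_EXPOSE_REP2 (Malicious code vulnerability): the caller could keep
        // modifying the array after construction.
        this.secretKey = Arrays.copyOf(secretKey, secretKey.length);
    }

    // Flaw: returns the internal array itself. SpotBugs reports EI_EXPOSE_REP
    // (Malicious code vulnerability): any code holding this reference can
    // overwrite the key behind the object's back.
    public byte[] getSecretKeyUnsafe() {
        return secretKey;
    }

    // Fix: hand out a copy so the internal state stays private.
    public byte[] getSecretKey() {
        return Arrays.copyOf(secretKey, secretKey.length);
    }

    // Flaw: SQL text assembled from a method parameter and passed to executeQuery.
    // SpotBugs reports SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE (Security):
    // the input is parsed as SQL, so a crafted name changes the query.
    public static boolean userExistsUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Fix: constant SQL with a bound parameter; the input is only ever data.
    public static boolean userExists(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT 1 FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

Once the two unsafe methods are removed, mvn spotbugs:check no longer fails on this class, and in mvn spotbugs:gui the remaining findings (if any) are grouped under the categories listed above, so the list is also the quickest way to decide which reports to triage first.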