FindBugs

Java | Home | Plugin

By default, plugin is activated if java sources available (src/main/java).

Findbugs configuration differ from other tools (checkstyle, pmd): instead of exact rules configuration it uses efforts level. Deeper level could reveal more bugs, but with higher mistake possibility. Default settings ('max' effort and 'medium' level) are perfect for most cases.

Note

Special xsl file used for manual html report generation because findbugs plugin could generate either xml or html report and not both.

Output

2 (0 / 2 / 0) FindBugs violations were found in 2 files

[Performance | URF_UNREAD_FIELD] sample.(Sample.java:8) [priority 2]
    >> Unread field: sample.Sample.sample
  This field is never read. Consider removing it from the class.

...

Counts in braces show priorities (p1/p2/p3).

Note

There is no link to findbugs site (like other tools), because report already contains everything from there.

Config

Tool config options with defaults:

quality {
    findbugsVersion = '3.0.1'
    findbugs = true // false to disable automatic plugin activation
    findbugsEffort = 'max'  // min, default or max
    findbugsLevel = 'medium' // low, medium, high
}

Suppress

To suppress violations you can use filter file. In this case you need to override default filter file.

Or you can use annotations. FindBugs use custom annotations and so you need to add com.google.code.findbugs:annotations:3.0.0 dependency (with provided scope if possible) and use:

@SuppressFBWarnings("URF_UNREAD_FIELD")

Plugins

You may add additional findbugs checks by declaring findbugs plugins in findbugsPlugins dependency configuration.

Warning

As, by default, findbugs plugin is automatically applied after configuration read, findbugsPlugins can't be used directly

Either use afterEvaluate:

afterEvaluate {
    dependencies {
        findbugsPlugins 'com.mebigfatguy.fb-contrib:fb-contrib:6.4.1'
    }
}

Or declare findbugs plugin manually (it will be configured by quality plugin):

plugins {
    id 'findbugs'
}
dependencies {
    findbugsPlugins 'com.mebigfatguy.fb-contrib:fb-contrib:6.4.1'
}

Available plugins

Find Security Bugs

findbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.4.4'

fb-contrib: A FindBugs auxiliary detector plugin

findbugsPlugins 'com.mebigfatguy.fb-contrib:fb-contrib:6.6.0'

Annotations

You may use jsr305 annotations to guide findbugs. Add com.google.code.findbugs:jsr305:3.0.0 dependency (with provided scope if possible).

In some cases you will have to use it. For example, you may face issues with guava functions or predicates:

[NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE] input must be nonnull but is marked as nullable

The reason for this is that guava use @Nullable annotation, which is @Inherited, so even if you not set annotation on your own function or predicate it will still be visible.

The simplest workaround is to set @Nonnull annotation (jsr305) on your function or predicate:

public boolean apply(@Nonnull final Object input) {