
SpotBugs

Info

SpotBugs is the successor project to the deprecated FindBugs project. Migration guide. If you were using a custom findbugs config before, rename its folder to spotbugs.

Warning

In contrast to the other plugins, the spotbugs plugin is not bundled with Gradle, but the quality plugin will bring it in as a dependency (v 1.6.1) and activate it automatically. To use a newer spotbugs plugin version, simply enable the plugin manually (in the plugins section).

By default, the plugin is activated if java sources are available (src/main/java).

SpotBugs configuration differs from the other tools (checkstyle, pmd): instead of exact rules configuration it uses effort levels. A deeper level could reveal more bugs, but with a higher chance of false positives. The default settings (max effort and medium level) suit most cases. Some checks were disabled in the default filter file.

Note

A special xsl file is used for manual html report generation because the spotbugs plugin can generate either an xml or an html report, but not both.

Output

2 (0 / 2 / 0) SpotBugs violations were found in 2 files

[Performance | URF_UNREAD_FIELD] sample.(Sample.java:8) [priority 2]
    >> Unread field: sample.Sample.sample
  This field is never read. Consider removing it from the class.

...  

Counts in parentheses show priorities (p1/p2/p3).

Note

There is no link to the spotbugs site (as for the other tools), because the report already contains everything from there.

Config

Tool config options with defaults:

quality {
    spotbugsVersion = '3.1.6'
    spotbugs = true // false to disable automatic plugin activation
    spotbugsEffort = 'max'  // min, less, more or max
    spotbugsLevel = 'medium' // low, medium, high
}

Suppress

To suppress violations you can use a filter file. In this case you need to override the default filter file.

Or you can use annotations. SpotBugs uses custom annotations, so you need to add the com.github.spotbugs:spotbugs-annotations:3.1.2 dependency (with provided scope if possible) and use:

@SuppressFBWarnings("URF_UNREAD_FIELD")

Abstract

SpotBugs can't use the default @SuppressWarnings annotation because it is a source-retention annotation and so is not present in the bytecode.
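As an added example (not code from the quality plugin docs), the class below carries the URF_UNREAD_FIELD finding shown in the Output section and suppresses it with the annotation from spotbugs-annotations. The class and field names are constructed for illustration; the point is to scope the suppression to the field rather than the class and to record a justification, so the accepted finding stays auditable. The second field only shows why the JDK annotation changes nothing.

```java
// Added example: suppressing one SpotBugs finding with spotbugs-annotations.
// Assumes com.github.spotbugs:spotbugs-annotations is on the compile class path.
package sample;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;

public class Sample {

    // Written in the constructor but never read: SpotBugs reports URF_UNREAD_FIELD.
    // The suppression sits on the field (not the class) so it covers only this
    // finding, and the justification explains why it is accepted rather than fixed.
    @SuppressFBWarnings(
            value = "URF_UNREAD_FIELD",
            justification = "Kept for serialized-form compatibility; never read at runtime")
    private final String sample;

    // java.lang.SuppressWarnings has RetentionPolicy.SOURCE: javac drops it, so the
    // bytecode SpotBugs analyses never sees it and this field is still reported.
    @SuppressWarnings("URF_UNREAD_FIELD")
    private final long created;

    public Sample(final String sample) {
        this.sample = sample;
        this.created = System.nanoTime();
    }
}
```

Because the jar is only needed at compile time, declare it with a provided-style scope (compileOnly in Gradle) as the page recommends; the annotation has class retention, so it reaches the bytecode without shipping the jar at runtime.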

Plugins

You may add additional spotbugs checks by declaring spotbugs plugins in the spotbugsPlugins dependency configuration.

Note

Spotbugs is compatible with findbugs plugins.

Warning

As, by default, the spotbugs plugin is applied automatically after the configuration is read, spotbugsPlugins can't be used directly.

Either use afterEvaluate:

afterEvaluate {
    dependencies {
        spotbugsPlugins 'com.mebigfatguy.fb-contrib:fb-contrib:7.2.0'
    }
}

Or declare spotbugs plugin manually (it will be configured by quality plugin):

plugins {
    id 'com.github.spotbugs' version '1.6.3'
}
dependencies {
    spotbugsPlugins 'com.mebigfatguy.fb-contrib:fb-contrib:7.2.0'
}

Available plugins

Find Security Bugs

spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.7.1'

fb-contrib: A FindBugs auxiliary detector plugin

spotbugsPlugins 'com.mebigfatguy.fb-contrib:fb-contrib:7.2.0'

Annotations

Use spotbugs-annotations to guide the spotbugs nullability checks (@Nonnull and @Nullable). Add the com.github.spotbugs:spotbugs-annotations:3.1.2 dependency (with provided scope if possible).

Warning

Before, annotations from JSR-305 were used (com.google.code.findbugs:jsr305), but that project is now dead. Remove the jsr-305 jar if it was used and use the undeprecated @Nonnull and @Nullable.

In some cases you will have to use them. For example, you may face issues with guava functions or predicates:

[NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE] input must be nonnull but is marked as nullable 

The reason for this is that guava uses the @Nullable annotation, which is @Inherited, so even if you do not set the annotation on your own function or predicate it will still be visible.

The simplest workaround is to set the @Nonnull annotation on your function or predicate:

public boolean apply(@Nonnull final Object input) {

Hint

The NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION check was disabled because it does not allow this workaround to work.
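The workaround above, carried through as an added example (not code from the quality plugin docs or from Guava): a Guava Predicate whose apply parameter is re-annotated as non-null. It assumes com.google.guava:guava and com.github.spotbugs:spotbugs-annotations are on the class path and takes the annotation from the spotbugs-annotations package (edu.umd.cs.findbugs.annotations.NonNull); the class name NonEmptyPredicate is made up for illustration.

```java
// Added example: overriding Guava's inherited @Nullable on Predicate.apply
// with the non-null annotation shipped in spotbugs-annotations.
package sample;

import com.google.common.base.Predicate;
import edu.umd.cs.findbugs.annotations.NonNull;

public final class NonEmptyPredicate implements Predicate<String> {

    // Guava declares apply(@Nullable T). Left unannotated, the inherited
    // @Nullable applies here, and because the body dereferences the parameter
    // SpotBugs reports NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE.
    // Marking the parameter @NonNull states the contract this implementation
    // really has: callers must not pass null.
    @Override
    public boolean apply(@NonNull final String input) {
        return !input.isEmpty();
    }
}
```

Tightening the parameter annotation on an override is exactly what the disabled NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION check would otherwise flag, which is why the default filter file turns it off.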

Abstract

Guava is now using the checker framework instead of JSR-305.