Skip to content



FindBugs support is deprecated, because project is abandoned. Use SpotBugs successor project instead. By default, quality plugin will activate SpotBugs and not findbugs.


If you were using custom configs then rename findbugs folder to spotbugs. If plugins were used then change findbugsPlugins to spotbugsPlugins. Migration guide


If you want to continue using FindBugs instead of SpotBugs then simply disable spotbugs: quality.spotbugs = false. This will force automatic findbugs activation, as before. If findbugs plugin is enabled manually (in plugins section) then spotbugs will not be activated automatically and findbugs will be configured. FindBugs support is marked as deprecated, but it will not be removed soon.

By default, plugin is activated if java sources available (src/main/java) and spotbugs plugin disabled (or findbugs plugin enabled manually).

Findbugs configuration differ from other tools (checkstyle, pmd): instead of exact rules configuration it uses efforts level. Deeper level could reveal more bugs, but with higher mistake possibility. Default settings ('max' effort and 'medium' level) are perfect for most cases.


Special xsl file used for manual html report generation because findbugs plugin could generate either xml or html report and not both.


2 (0 / 2 / 0) FindBugs violations were found in 2 files

[Performance | URF_UNREAD_FIELD] sample.( [priority 2]
    >> Unread field: sample.Sample.sample
  This field is never read. Consider removing it from the class.


Counts in braces show priorities (p1/p2/p3).


There is no link to findbugs site (like other tools), because report already contains everything from there.


Tool config options with defaults:

quality {
    findbugsVersion = '3.0.1'
    findbugs = true // false to disable automatic plugin activation
    findbugsEffort = 'max'  // min, default or max
    findbugsLevel = 'medium' // low, medium, high


To suppress violations you can use filter file. In this case you need to override default filter file.

Or you can use annotations. FindBugs use custom annotations and so you need to add dependency (with provided scope if possible) and use:



You may add additional findbugs checks by declaring findbugs plugins in findbugsPlugins dependency configuration.


As, by default, findbugs plugin is automatically applied after configuration read, findbugsPlugins can't be used directly

Either use afterEvaluate:

afterEvaluate {
    dependencies {
        findbugsPlugins 'com.mebigfatguy.fb-contrib:fb-contrib:6.4.1'

Or declare findbugs plugin manually (it will be configured by quality plugin):

plugins {
    id 'findbugs'
dependencies {
    findbugsPlugins 'com.mebigfatguy.fb-contrib:fb-contrib:6.4.1'

Available plugins

Find Security Bugs

findbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.4.4'

fb-contrib: A FindBugs auxiliary detector plugin

findbugsPlugins 'com.mebigfatguy.fb-contrib:fb-contrib:6.6.0'


You may use jsr305 annotations to guide findbugs. Add dependency (with provided scope if possible).

In some cases you will have to use it. For example, you may face issues with guava functions or predicates:

[NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE] input must be nonnull but is marked as nullable 

The reason for this is that guava use @Nullable annotation, which is @Inherited, so even if you not set annotation on your own function or predicate it will still be visible.

The simplest workaround is to set @Nonnull annotation (jsr305) on your function or predicate:

public boolean apply(@Nonnull final Object input) {