sbt / sbt-findbugs

FindBugs static analysis plugin for sbt.
Eclipse Public License 1.0

Customise findbugs rules for Scala -- reduce false positives, add Scala-specific rules #4

Open RichardBradley opened 10 years ago

RichardBradley commented 10 years ago

Is there any work underway to customise the findbugs rules for Scala?

I've installed findbugs4sbt but the core findbugs rules produce lots of false positives around class & method naming conventions that are caused by Scala.

I can't be the first person to notice this -- surely all other users of findbugs4sbt must have the same problems?

Is there a project that has a ruleset for findbugs which is customised to work well with Scala? (Both by removing/fixing rules which give false positives in Scala and also by adding new Scala-specific rules.)

If so, I would think that we should add it to the README, as it seems likely to be a FAQ.

If not, perhaps we should start one? Would that be considered out of scope for findbugs4sbt itself?

josephearl commented 8 years ago

FindBugs is not designed to analyse Scala code. I'd suggest you use something like https://github.com/scalastyle/scalastyle on your Scala code, and only run FindBugs on your Java code.

RichardBradley commented 8 years ago

> I'd suggest you use something like scalastyle on your Scala code, and only run FindBugs on your Java code.

Scalastyle is a regex-based rule engine; it's not really comparable to FindBugs. It's closer to a source code formatter. A closer equivalent is scapegoat.

There is some discussion on https://github.com/sksamuel/scalac-scapegoat-plugin/issues/38 about Findbugs vs. Scapegoat. I believe that there may be some useful knowledge about the Java standard libraries in Findbugs which may be applicable to Scala programs, but many of the rules are inapplicable, you are right.

If the general conclusion is that Findbugs is completely inapplicable to Scala, then findbugs4sbt should run only on Java sources -- currently it does try to run Findbugs on bytecode from Scala sources.

josephearl commented 8 years ago

I wouldn't say scalastyle is regex - it parses the Scala AST and applies rules to that. But it doesn't really do any static analysis, you're right.

This StackOverflow post also has some alternates: http://stackoverflow.com/questions/22617713/whats-the-current-state-of-static-analysis-tools-for-scala

> If the general conclusion is that Findbugs is completely inapplicable to Scala, then findbugs4sbt should run only on Java sources -- currently it does try to run Findbugs on bytecode from Scala sources.

Personally I think it is and would vote to change it, although I can't speak for the project maintainers.

FindBugs works "out of the box" for Java, and the rules it has detect issues with commonly written Java code.

This isn't the case for Scala, and I would argue the changes to support it are out of the scope of this project. Scala support should be added to the main FindBugs tool (or an extension of it) so that things like running it directly from the command line work, not in an SBT plugin.