spotbugs / discuss

SpotBugs mailing list

Spotbugs maven plugin - handling of JSP files #59

Closed edrdo closed 5 years ago

edrdo commented 6 years ago

I have a Maven project that makes use of JSP and am unable to see the original JSP code in the Spotbugs GUI, only the generated sources. My project has a pedagogical nature and involves the use of Java Vulnerable Lab and FindSecBugs. It can be found at https://github.com/edrdo/JavaVulnerableLab.

Using `mvn package spotbugs:spotbugs spotbugs:gui` I can see the bugs in the Java generated source but not the original JSP. I believe this should be possible; the plugin does scan smap files for that purpose, right?

I haven't found a maven plugin option that lets me specify the source path of JSP files. Can anyone point me to an example?

edrdo commented 6 years ago

@h3xstream Regarding this issue, I noticed the discussion at https://github.com/spotbugs/sonar-findbugs/issues/187

It seems it should be possible to see JSP source code instead of the Java generated code in the SpotBugs GUI, right? Thanks in advance.

h3xstream commented 5 years ago

Yes, it's possible.

The normal SpotBugs process goes as follows:

The main difference with JSP is that you need a step that compiles JSP to class. This can be added to your build system: https://github.com/find-sec-bugs/find-sec-bugs-demos/blob/master/java-web-jsp/pom.xml#L83-L234 The other critical element is the support for JSP in the GUI. The GUI needs to map the class name to the original JSP files.

The easiest way to setup and share the result is with SonarQube (or very soon Jenkins).

Those maven goals were separate, but they can be put together: `mvn clean install spotbugs:spotbugs sonar:sonar -P jetty936Jsp`.
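A minimal pom.xml wiring for the two steps described in this answer (precompile the JSPs, then run SpotBugs with the FindSecBugs detectors). This is an added illustration, not the demo project's pom.xml or code from the thread; the plugin versions are placeholders, and the parameter names are taken from my reading of the jetty-jspc and spotbugs maven plugins, so treat them as assumptions and check them against the versions you use.

```xml
<!-- Added illustration, not the demo project's pom.xml. Versions are
     placeholders; parameter names are assumptions to verify. -->
<build>
  <plugins>
    <!-- Step 1: compile JSP files to .class files before analysis -->
    <plugin>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-jspc-maven-plugin</artifactId>
      <version>PLACEHOLDER_JETTY_VERSION</version>
      <executions>
        <execution>
          <id>jspc</id>
          <goals>
            <goal>jspc</goal>
          </goals>
          <configuration>
            <webAppSourceDirectory>${basedir}/src/main/webapp</webAppSourceDirectory>
            <!-- Emit the compiled JSP classes next to the regular classes
                 so the spotbugs goal picks them up in the same scan -->
            <generatedClasses>${project.build.outputDirectory}</generatedClasses>
          </configuration>
        </execution>
      </executions>
    </plugin>
    <!-- Step 2: SpotBugs with the FindSecBugs detectors loaded -->
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <version>PLACEHOLDER_SPOTBUGS_VERSION</version>
      <configuration>
        <effort>Max</effort>
        <threshold>Low</threshold>
        <plugins>
          <plugin>
            <groupId>com.h3xstream.findsecbugs</groupId>
            <artifactId>findsecbugs-plugin</artifactId>
            <version>PLACEHOLDER_FSB_VERSION</version>
          </plugin>
        </plugins>
      </configuration>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn clean install spotbugs:spotbugs spotbugs:gui` analyses the JSP-derived classes together with the rest of the project; whether the GUI maps findings back to the .jsp source still depends on the GUI's own JSP/smap support, as discussed below in the thread.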

h3xstream commented 5 years ago

`sonar:sonar` can probably be replaced by `spotbugs:gui`.

edrdo commented 5 years ago

@h3xstream Thanks, I'll look into your links in more detail. But at first look, it's pretty similar to what I'm doing, i.e. I use jetty-jspc-maven-plugin to generate the JSP sources and smap files, etc. I'm using spotbugs-gui, which perhaps gets misconfigured with the path location for source files (there seems to be no way to specify additional source file dirs w/the spotbugs maven plugin).

h3xstream commented 5 years ago

Spotbugs GUI might not support JSP mapping.