spotbugs / discuss

SpotBugs mailing list

Spotbugs XML output format #66

Closed bugh1 closed 3 years ago

bugh1 commented 5 years ago

Is there a documentation or article or any other information regarding the meaning of the XML tags in the XML output? Specifically the meaning of the order and nesting of the XML tags within a BugInstance?

jwgmeligmeyling commented 5 years ago

I don't believe so, but the format is compatible with the format that was originally returned by Findbugs.

I've once created annotated classes for reading the outputted XML with the Jackson XML mapper. It should be relatively easy to convert this to any other parser or just use it to get the gist of the file structure: https://github.com/devhub-tud/devhub/blob/master/src/main/java/nl/tudelft/ewi/devhub/server/backend/warnings/FindBugsWarningGenerator.java#L33-L103

uhafner commented 5 years ago

What are you trying to achieve? A new parser that reads the XML?

bugh1 commented 5 years ago

> What are you trying to achieve? A new parser that reads the XML?

We are trying to translate the spotbugs XML output into a common interoperable format, SCARF (https://github.com/mirswamp/swamp-scarf-io/blob/master/docs/SCARF.pdf) for the SWAMP project (https://continuousassurance.org/) and SARIF (https://github.com/oasis-tcs/sarif-spec), and it is not immediately obvious how to represent the multiple locations given in the spotbugs output in the code flows of these formats. Any help you could offer to make this the best translation we can would be appreciated.

uhafner commented 5 years ago

Ah, I see. You are building something similar to my analysis-model library that I am using in my Jenkins Warnings Plugin to visualize FindBugs and SpotBugs results. I also tried to write a new parser by reverse engineering the complex structure... I finally ended up using the XML reader provided by the Findbugs library. It works quite well, however be aware that you need to link the whole Findbugs sources, since all classes from several modules (UI, analysis, IO) are distributed as one fat jar.

If you are not interested in multiple locations for each warning, you can also have a look at the violations-lib. It contains a parser that extracts the warnings with the first primary location of the warning.
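An added example, not code from this thread, from SpotBugs or from the projects linked above, of the mapping bugh1 asks about, in Python with only the standard library: the SourceLine that is a direct child of BugInstance and carries no role attribute is taken as the primary location (the one violations-lib keeps), role-tagged siblings are emitted as SARIF relatedLocations rather than codeFlows, and a Class-level SourceLine is used only as a fallback. The sample XML, the role name and the priority-to-level mapping are assumptions to check against real SpotBugs output.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the FindBugs-compatible BugCollection layout (not real SpotBugs output):
# bug 1 has a primary SourceLine directly under BugInstance (no "role") plus a role-tagged one,
# bug 2 only carries the SourceLine nested inside its Class element.
SAMPLE_XML = """<BugCollection version="4.0.0">
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="1" category="CORRECTNESS">
    <ShortMessage>Possible null pointer dereference</ShortMessage>
    <Class classname="com.example.Foo">
      <SourceLine classname="com.example.Foo" start="5" end="40" sourcepath="com/example/Foo.java"/>
    </Class>
    <SourceLine classname="com.example.Foo" start="17" end="17" sourcepath="com/example/Foo.java"/>
    <SourceLine classname="com.example.Foo" start="12" end="12" sourcepath="com/example/Foo.java"
                role="SOURCE_LINE_ANOTHER_INSTANCE"/>
  </BugInstance>
  <BugInstance type="URF_UNREAD_FIELD" priority="2" category="PERFORMANCE">
    <Class classname="com.example.Foo"><SourceLine start="5" end="40" sourcepath="com/example/Foo.java"/></Class>
  </BugInstance>
</BugCollection>"""

LEVELS = {"1": "error", "2": "warning", "3": "note"}  # assumed priority -> SARIF level mapping


def source_line_to_location(sl):
    # One SourceLine element -> one SARIF location object (region only when a line is known)
    loc = {"physicalLocation": {"artifactLocation": {"uri": sl.get("sourcepath")}}}
    if sl.get("start") is not None:
        loc["physicalLocation"]["region"] = {"startLine": int(sl.get("start")),
                                             "endLine": int(sl.get("end", sl.get("start")))}
    return loc


def bug_instances_to_sarif_results(xml_text):
    # Primary location = un-roled SourceLine that is a direct child of BugInstance;
    # role-tagged siblings become relatedLocations; Class/SourceLine is only a fallback.
    results = []
    for bug in ET.fromstring(xml_text).iter("BugInstance"):
        direct = bug.findall("SourceLine")  # direct children only, not the Class/Method ones
        primary = [s for s in direct if s.get("role") is None]
        related = [s for s in direct if s.get("role") is not None]
        if not primary:  # e.g. a field-level finding: fall back to the enclosing class scope
            fallback = bug.find("Class/SourceLine")
            primary = [fallback] if fallback is not None else []
        results.append({
            "ruleId": bug.get("type"),
            "level": LEVELS.get(bug.get("priority"), "warning"),
            "message": {"text": bug.findtext("ShortMessage") or bug.get("type")},
            "locations": [source_line_to_location(s) for s in primary[:1]],
            "relatedLocations": [dict(source_line_to_location(s), id=i + 1, message={"text": s.get("role")})
                                 for i, s in enumerate(related)],
        })
    return results
```

Findings whose extra SourceLines really describe an ordered path would map better onto a SARIF codeFlow; this block keeps them unordered as relatedLocations, which is the lossless but flat option.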

KengoTODA commented 3 years ago

I'll close this inactive issue. Please repost a new one if necessary.