Using findsecbugs plugin along with Maven plugin doesn't work when specifying maxRank

[jacktwilliams]

Hello, the spotbugs-maven-plugin is working, but adding the FindSecBugs plugin is having no effect. Here is my pom file ``

com.github.spotbugs spotbugs-maven-plugin 3.1.12.2 spotbugs compile spotbugs 9 Low ${platform.root}/conf/StaticAnalysis/spotbugs-exclude.xml ${platform.root}/conf/StaticAnalysis/spotbugs-include.xml /home/jack/ProgramFiles/findsecbugs-plugin-1.9.0.jar `` The commented tree is another approach of adding the plugin I tried, to the same effect. Using both approaches, I have examined the debugging output which seems to show that the plugin is being added successfully. This is a multi-module project, and the findsecbugs.jar is being added to the target directories of each submodule. Now, adding the findsecbugs plugin in Eclipse does result in 6 security bugs found (that aren't being found with Maven.) Here is the Eclipse plugin version: 4.0.0.201904010749-792e955 I have tried using no filter files. Eclipse and the Maven plugin are pointed to the exact same filter files that include everything, but exclude Internationalization and Experimental. The only other interesting thing about Eclipse... Even with the filter files, I have to select these "Security" and "Malicious Code Vulnerability" checkboxes to see the additional bugs.  Lastly, when I look in the GUI, it shows that there are no configured plugins. Maven version 3.6.0 Thank you.

[jacktwilliams]

So, I tried this: mvn com.github.spotbugs:spotbugs-maven-plugin:spotbugs -Dplugin=com.h3xstream.findsecbugs:findsecbugs-plugin -DincludeFilterFile="../conf/StaticAnalysis/spotbugs-include.xml" -DexcludeFilterFile="../conf/StaticAnalysis/spotbugs-exclude.xml" And the findsecbugs plugin starts working. But if I add "-DmaxRank=9" then the plugin stops working.

[jacktwilliams]

Doing this stripped down plugin specification with no executions `

com.github.spotbugs spotbugs-maven-plugin 3.1.12.2 ${platform.root}/conf/StaticAnalysis/spotbugs-exclude.xml ${platform.root}/conf/StaticAnalysis/spotbugs-include.xml /home/jack/ProgramFiles/findsecbugs-plugin-1.9.0.jar

And then calling the plugin manually, I get the following output, that I don't get in the previous comment's attempt. [INFO] --- spotbugs-maven-plugin:3.1.12.2:spotbugs (default-cli) @ CoreTC --- [INFO] Fork Value is true [java] The following classes needed for analysis were missing: [java] accept [java] run [java] apply [java] Warnings generated: 54 [java] Missing classes: 3`

[hazendaz]

@jacktwilliams See the integration tests, there are examples of the plugin usage. I personally have used this for a long time and it works fine. Do make sure not to use 'LATEST' but an explicit version number as 'LATEST' is bad practice and deprecated from maven usage.

[jacktwilliams]

Thanks for the tip about 'LATEST', I pulled that from the findsecbugs documentation. However, I found the bug that is unrelated.

This pom works to generate the findsecbugs errors, but adding 'maxRank' in the config breaks the findsecbugs functionality and no security bugs are found.

`

com.github.spotbugs

<artifactId>spotbugs-maven-plugin</artifactId>
<version>3.1.12</version>
<executions>
  <execution>
    <id>spotbugs</id>
    <phase>compile</phase>
    <goals>
      <goal>spotbugs</goal>
    </goals>
    <configuration>
      <excludeFilterFile>${platform.root}/conf/StaticAnalysis/spotbugs-exclude.xml</excludeFilterFile>
      <!-- find-sec-bugs plugin -->
      <plugins>
    <plugin>
      <groupId>com.h3xstream.findsecbugs</groupId>
      <artifactId>findsecbugs-plugin</artifactId>
      <version>1.9.0</version>
    </plugin>
          </plugins>
    </configuration>
  </execution>
</executions>
  </plugin>`

You can also use the CLI examples given above to see how adding maxRank breaks the findsecbugs plugin functionality.

[h3xstream]

@hazendaz Oups. I did not know LATEST was deprecated. I will update the example to use open-ended version range. <version>[1.9.0)</version>