Please download latest snapshots from here
Java 11+ is required to build the project. Java 8+ is required for spotbugs analysis.
Maven Mojo Plug-In to generate reports based on the SpotBugs Analyzer
See site page for usage
Continue to use 'FindBugsFilter' when needed as the spotbugs project has not yet renamed that to reflect project.
The SpotBugs documentation describes the pom.xml modifications and Maven goals.
Run all tests
mvn -DtestSrc=remote -Prun-its clean install -D"invoker.parallelThreads=8"
Skip tests
mvn -DskipTests=true clean install
Run tests on spotbugs test source code that is local instead of from SpotBugs github repository
mvn -DtestSrc=local -DlocalTestSrc=/opt/spotBugs -Prun-its clean install -D"invoker.parallelThreads=8"
Run selected tests
mvn -DtestSrc=remote -Prun-its -Dinvoker.test=build-*,basic-1,check-nofail clean install -D"invoker.parallelThreads=8"
Run tests in debugger
mvn -Dmaven.surefire.debug="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 -Xnoagent -Djava.compiler=NONE" -Prun-its clean install
Run selected tests in debugger
mvn -Dmaven.surefire.debug="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 -Xnoagent -Djava.compiler=NONE" -Prun-its -Dinvoker.test=build-*,basic-1,check clean install
Run gui with a specific version
mvn com.github.spotbugs:spotbugs-maven-plugin:4.8.6.2:gui
mvn -DtestSrc=remote -Prun-its clean install -D"invoker.parallelThreads=8"
Then replace current src/site/resources entirely with any working example 'site' folder from there (Currently uses basic-1). Also top files top level of the basic site folder 'spotbugs.xml' and 'spotbugsXml.xml'.
Run integration tests
mvn clean install -P run-its -DtestSrc=remote
This plugin is written entirey in groovy. It does have limitations when it comes to groovy in relation to java releases. Every attempt is made to ensure fast releases to pick up groovy changes related to java.
Known issues
The security manager is turned off by default in jdk 18 and scheduled from removal in a future java release, therefore to use this plugin with jdk 18+, the security manager may need turned back on using JAVA_OPTS
to -Djava.security.manager=allow
. See groovy for more details.
If using groovy with same group id (org.codehaus.groovy 3.x
or before or org.apache.groovy 4.x or above
), an error may occur if not on same version. To alleviate that, make sure groovy artifacts are defined in dependency management
in order to force the loaded version correctly on your usage.
The plugin cycles controlled by Eclipse require compilation phase for m2e without further help. This plugin runs verify and during site generation. Therefore Eclipse m2e will show up but not do anything with this plugin alone. In order to have proper execution within Ecipse m2e, use m2e-code-quality plugin for spotbugs.
Is there some way to set the Analysis Properties when using the maven plugin?
Analysis properties are passed as Java system properties, so they can be set in the
E.g. to set the findbugs.assertionmethods analyzer property:
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<configuration>
<jvmArgs>-Dfindbugs.assertionmethods=org.apache.commons.lang3.Validate.notNull</jvmArgs>
</configuration?
</plugin>