spotbugs / spotbugs

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
https://spotbugs.github.io/
GNU Lesser General Public License v2.1

Maven Support #8

Closed levonk closed 7 years ago

levonk commented 8 years ago

Please provide an official maven plugin

jsotuyod commented 8 years ago

@levonk is there any specific reason for which the OSS findbugs-maven-plugin wouldn't work if it used a SpotBugs release instead of FindBugs 3.0.1?

I'm just wondering if this is only a concern for Maven integration (which is a priority, just like Gradle and ant) which could be achieved by reaching out to the teams managing those projects, or there is a structural issue with the current Maven plugins that needs a different approach.

levonk commented 8 years ago

No structural issue, but if a new project were to be created then having the integration plugins as modules to the main project makes the most amount of sense.

Is this project going to continue now that FindBugs is supposedly back on track?

jsotuyod commented 8 years ago

So far Bill has only responded on HN, not on any official FindBugs channel. His response was vague and still wanting on actual plans for the future. The confidence on him as a project leader has been severely damaged, and at this point we have no guarantee that:

  1. he is actually coming back
  2. that we won't end back in the same spot in a couple months

SpotBugs will continue its current work until then. If the project was to be shut down, we would merge back.

henrik242 commented 8 years ago

Can this issue be closed? Or should we add an entry for findbugs-maven-plugin usage in the README.md and wait for 3.1.0 to be released to the maven repos first?

jsotuyod commented 8 years ago

I'd probably leave it open until we release to maven central and provide working instructions to use SpotBugs from Maven.

ThrawnCA commented 7 years ago

@levonk If it's any consolation, I'm likely to use SpotBugs with the findbugs-maven-plugin myself, and thus notice if it breaks.

KengoTODA commented 7 years ago

I asked sonatype to help us to deploy our artifacts to Maven central.

jsotuyod commented 7 years ago

@KengoTODA great initiative!

We should ask them to grant permissions to a couple more of us, to avoid another FindBugs situation. My username for Sonatype is jsotuyod, please ask them to grant me access.

I know @mebigfatguy also has a user, since he uploads fb-contrib there, but I'm not sure what his username is.

mebigfatguy commented 7 years ago

ah... mebigfatguy

KengoTODA commented 7 years ago

Sure, I've asked them to add:

KengoTODA commented 7 years ago

I found this problem when I worked for #111, however this issue is a better place to discuss it, so I will note it here.

I tried to use maven-findbugs-plugin with SpotBugs 3.1.
It is possible by adding <dependency> like the following snippet:

        <plugin>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>findbugs-maven-plugin</artifactId>
          <version>3.0.4</version>
          <dependencies>
            <dependency>
              <groupId>com.github.spotbugs</groupId>
              <artifactId>spotbugs</artifactId>
              <version>3.1.0-SNAPSHOT</version>
            </dependency>
          </dependencies>
        </plugin>

But this way has a problem: the maven plugin still depends on FindBugs 3.0.1, so it has both FindBugs and SpotBugs. I also confirmed that AuxClasspath includes both of them.

Ideally it should be possible to put <exclusion> like below, but it's not supported by the current latest Maven.

        <plugin>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>findbugs-maven-plugin</artifactId>
          <version>3.0.4</version>
          <dependencies>
            <dependency>
              <groupId>com.github.spotbugs</groupId>
              <artifactId>spotbugs</artifactId>
              <version>3.1.0-SNAPSHOT</version>
            </dependency>
          </dependencies>
          <exclusions>
            <exclusion>
              <groupId>com.google.code.findbugs</groupId>
              <artifactId>findbugs</artifactId>
            </exclusion>
          </exclusions>
        </plugin>

I think we have several options to choose from:

  1. ask to release a findbugs-maven-plugin which depends on SpotBugs instead of FindBugs
  2. fork findbugs-maven-plugin to provide spotbugs-maven-plugin from this organization
  3. send a patch to Apache Maven to support excluding a direct dependency of a plugin
    • currently I cannot estimate for this option
  4. guarantee that the plugin works even though it depends on both SpotBugs and FindBugs
    • this might be hard, we need to consider many cases

I think we can have a try for 1; shall I mention it to Mr. gleclaire and ask?
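
The override KengoTODA shows above (a plugin-level <dependency> on com.github.spotbugs:spotbugs, and the <exclusions> placement Maven does not accept) is easy to get subtly wrong, and the result is a build that silently runs a different analyzer than the one you think it does. The script below is an added example, not code from the SpotBugs project or from anyone in this thread: it parses a pom.xml with Python's standard library and reports, for each findbugs-maven-plugin / spotbugs-maven-plugin declaration, which engine will actually run, whether an <exclusions> element sits directly under <plugin> (not part of the POM model), and whether any SNAPSHOT versions are involved (release tooling rejects them). The pom text embedded in the block is constructed for the example; the plugin coordinates are the ones from this thread.

```python
"""Report how a pom.xml wires the FindBugs/SpotBugs Maven plugin.

Added example (not SpotBugs project code). Uses only the standard library.
"""
import xml.etree.ElementTree as ET

ANALYZER_PLUGINS = {"findbugs-maven-plugin", "spotbugs-maven-plugin"}
SPOTBUGS_ENGINE = ("com.github.spotbugs", "spotbugs")
MISPLACED_EXCLUSIONS = "<exclusions> under <plugin> is not supported by Maven"

# Constructed sample: the override from the thread, with the unsupported
# <exclusions> block, plus the forked spotbugs-maven-plugin for comparison.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <build>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>3.0.4</version>
        <dependencies>
          <dependency>
            <groupId>com.github.spotbugs</groupId>
            <artifactId>spotbugs</artifactId>
            <version>3.1.0-SNAPSHOT</version>
          </dependency>
        </dependencies>
        <exclusions>
          <exclusion>
            <groupId>com.google.code.findbugs</groupId>
            <artifactId>findbugs</artifactId>
          </exclusion>
        </exclusions>
      </plugin>
      <plugin>
        <groupId>com.github.hazendaz.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>3.0.6</version>
      </plugin>
    </plugins>
  </build>
</project>
"""


def _qualifier(root):
    """Return a function that namespaces a tag the way the root element is namespaced."""
    if root.tag.startswith("{"):
        ns = root.tag[1:].split("}")[0]
        return lambda tag: "{%s}%s" % (ns, tag)
    return lambda tag: tag  # pom without xmlns


def _text(elem, q, tag):
    child = elem.find(q(tag))
    return child.text.strip() if child is not None and child.text else None


def check_pom(pom_xml):
    """Return one finding dict per analyzer plugin declared in <build><plugins>."""
    root = ET.fromstring(pom_xml)
    q = _qualifier(root)
    findings = []
    for plugin in root.findall("/".join(map(q, ("build", "plugins", "plugin")))):
        artifact = _text(plugin, q, "artifactId")
        if artifact not in ANALYZER_PLUGINS:
            continue
        version = _text(plugin, q, "version")
        # Without an override, each plugin runs the engine it was built against.
        engine = "spotbugs (plugin default)" if artifact == "spotbugs-maven-plugin" \
            else "findbugs (plugin default)"
        issues = []
        # A plugin-level <dependency> on com.github.spotbugs:spotbugs swaps the engine.
        for dep in plugin.findall("/".join(map(q, ("dependencies", "dependency")))):
            coords = (_text(dep, q, "groupId"), _text(dep, q, "artifactId"))
            dep_version = _text(dep, q, "version") or ""
            if coords == SPOTBUGS_ENGINE:
                engine = "spotbugs %s" % dep_version
            if dep_version.endswith("-SNAPSHOT"):
                issues.append("SNAPSHOT dependency %s:%s" % coords)
        # <exclusions> is valid under <dependency>, not directly under <plugin>.
        if plugin.find(q("exclusions")) is not None:
            issues.append(MISPLACED_EXCLUSIONS)
        if (version or "").endswith("-SNAPSHOT"):
            issues.append("SNAPSHOT plugin version")
        # The override adds SpotBugs but cannot drop the plugin's own FindBugs jar.
        if artifact == "findbugs-maven-plugin" and engine.startswith("spotbugs"):
            issues.append("plugin still pulls its own FindBugs jar; both engines on the classpath")
        findings.append({"plugin": artifact, "version": version,
                         "engine": engine, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in check_pom(SAMPLE_POM):
        print("%s %s -> engine: %s" % (f["plugin"], f["version"], f["engine"]))
        for issue in f["issues"]:
            print("  - " + issue)
```

Run it against a real pom by replacing SAMPLE_POM with the file contents; a plugin entry that reports "findbugs (plugin default)" when you expected SpotBugs is exactly the silent downgrade the override is meant to avoid.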

KengoTODA commented 7 years ago

Sorry but I changed my mind.
Now I prefer 2 (fork) over 1 (ask), because SpotBugs should be merge-able into FindBugs when it comes back. If we ask findbugs-maven-plugin to change its dependency, it's not easy to release another FindBugs version such as 3.0.2.

I'm not sure whether we should care about this case or not, but a fork is more controllable for this organization, so it should not be a worse option than 1, I believe.

PascalSchumacher commented 7 years ago

Maven support would be very nice indeed.

The "using spotbugs" section of https://spotbugs.github.io/ actually links to the findbugs maven and gradle plugins. Maybe this should be updated?

ThrawnCA commented 7 years ago

I actually favor option 3, unless we actually need to fix findbugs-maven-plugin in some way. Forking just to declare a different dependency smells of a poor dependency resolution mechanism.

seanf commented 7 years ago

I found a feature request (but not a patch) for option 3: https://issues.apache.org/jira/browse/MNG-6222

See also https://stackoverflow.com/a/43652129/14379

hazendaz commented 7 years ago

While it would be great for maven to make those changes, history dictates that will take a long time. That said, I already have a fork of findbugs maven plugin so I have branched off as spotbugs and have switched plus upgraded the plugin itself (dependencies / internal plugins, etc).

I have already pushed out a snapshot in case anyone wants to try it. I'm otherwise continuing to update pieces of the findbugs plugin to get it fully up-to-date before I cut a release. Most likely this weekend which I'll turn around and immediately use in a number of projects. Then I'll try to get some of that back to the original and maybe even spotbugs down the road. I suspect that will be easier than waiting on maven core to change.

<dependency>
    <groupId>com.github.hazendaz.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>3.0.5-SNAPSHOT</version>
</dependency>

mebigfatguy commented 7 years ago

nice

romani commented 7 years ago

@hazendaz, is it possible for you to make a stable version of your forked plugin? Without a stable version it is hard to start using your plugin; the maven release plugin does not accept dependencies on snapshots. In the checkstyle project we plan to use your plugin.

hazendaz commented 7 years ago

@romani I pushed a new snapshot. Can you give it a run and let me know if it is working for you? If so, I'll push the release in next day or so.

romani commented 7 years ago

@hazendaz , please do release version. We tested your snapshot version - it works fine.

hazendaz commented 7 years ago

I'll release later tonight and post back here. Thanks

hazendaz commented 7 years ago

@romani I've pushed the release. It should show in central in next couple of hours.

anatoliy-balakirev commented 7 years ago

Thanks for that! I've tried to integrate it. All works fine, I've got a lot of new issues reported (e.g. potential NPEs in lambdas, etc.). Great to see some progress in findbugs again!

However, when I tried to enable the "fb-contrib" plugin, which we used with findbugs (actually, in the same way as we did there), I started getting the following error:

[ERROR] Failed to execute goal com.github.hazendaz.spotbugs:spotbugs-maven-plugin:3.0.5:findbugs (findbugs) on project : Execution findbugs of goal com.github.hazendaz.spotbugs:spotbugs-maven-plugin:3.0.5:findbugs failed: No signature of method: org.apache.maven.shared.artifact.resolve.internal.DefaultArtifactResolver.resolve() is applicable for argument types: (org.apache.maven.artifact.DefaultArtifact, java.util.Collections$UnmodifiableRandomAccessList, org.apache.maven.artifact.repository.MavenArtifactRepository) values: [com.mebigfatguy.fb-contrib:fb-contrib:jar:7.0.2:, [ id: [ERROR] url: [ERROR] layout: default [ERROR] snapshots: [enabled => false, update => daily] [ERROR] releases: [enabled => true, update => daily] [ERROR] , ...], ...] [ERROR] -> [Help 1]

Plugin's config is:

<plugin>
    <groupId>com.github.hazendaz.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>3.0.5</version>
    <configuration>
        <effort>Max</effort>
        <threshold>Low</threshold>
        <excludeFilterFile>${basedir}/findbugs-exclude.xml</excludeFilterFile>
        <plugins>
            <plugin>
                <groupId>com.mebigfatguy.fb-contrib</groupId>
                <artifactId>fb-contrib</artifactId>
                <version>7.0.2</version>
            </plugin>
        </plugins>
    </configuration>
</plugin>

Not sure, where I should report this, so will leave here.

hazendaz commented 7 years ago

@anatoliy-balakirev My bad on this. I updated a little too far with maven best I understand at the moment. I dropped back two import changes and switched to maven-compat. Issue is fixed. I'm going to release 3.0.6 shortly. Keep an eye out for it and let me know if it fixes your issue as I believe it will.

hazendaz commented 7 years ago

@anatoliy-balakirev It's released, should be in central in a couple of hours.

anatoliy-balakirev commented 7 years ago

@hazendaz Yep, it works now. Thanks a lot!

iloveeclipse commented 7 years ago

@KengoTODA: we should change the link in spotbugs.github.io to point to some page where we describe which plugin to use with maven.

KengoTODA commented 7 years ago

@iloveeclipse OK I will propose two PRs: one is for migration guide in new site, another is for usage page in spotbugs.github.io.

@hazendaz Do you have web page for this forked repository? If not, I'll use spotbugs branch in your repo.

hazendaz commented 7 years ago

Branch is fine as the bulk of the underlying project still says findbugs all over.

iloveeclipse commented 7 years ago

@hazendaz : can you please create the maven version for RC4 build?

In general: it would be very good if we somehow could synchronize maven plugin and spotbugs releases. Any ideas how? Does it make sense if the fork you maintain would just move to the spotbugs organization as the spotbugs-maven project?

hazendaz commented 7 years ago

I think that makes sense. Let me take a look to see the best way to accomplish this. I'd sort of like to see it still forked from the original but I've given up hope it's getting merged back. And my fork/branch has made it a lot more difficult to get approved for use in my corporate environment. I'm thinking I go ahead and merge changes to my master then give access over to spotbugs then refork from there. Does that sound about right?

iloveeclipse commented 7 years ago

@hazendaz I've invited you to project team - if you need something else to proceed, just ask.

hazendaz commented 7 years ago

Thanks. Interestingly enough, a lot of my outstanding pull requests got merged to the findbugs plugin a little while ago. I'm at work now but I'll reach out on that project to see what they think. They might want findbugs to stay as is for now, and with remotes all in a good spot both could continue without too much diverging at the moment. Anyway I'll first cut the next release then figure out the rest this weekend. Hopefully having this resolved by Sunday.

Thanks,

Jeremy

hazendaz commented 7 years ago

@iloveeclipse While trying to work out how to land this I went ahead and cut a release under my location aligning to spotbugs 3.1.0-RC4 along with version number. I've opened a discussion over on findbugs maven plugin to get a bit of feedback before moving further. Hopefully will have that figured out in a few days.

I have also now joined spotbugs org. Thanks for the invite.

iloveeclipse commented 7 years ago

@hazendaz - you are welcome, it is very important to have people on board with maven knowledge (I'm not the one :).

hazendaz commented 7 years ago

@iloveeclipse I transferred over the copy of findbugs I have. Can you grant me admin access on that one so I can start working to rebrand it away from findbugs? First off the project name needs to be changed to spotbugs-maven-plugin and beyond that the core work which now isn't much as original author accepted most everything is on a separate branch. So I want to get that all aligned and then work on getting the word 'findbugs' out of there as much as possible.

iloveeclipse commented 7 years ago

@hazendaz : you have admin access now.

hazendaz commented 7 years ago

Cool thanks. I'll get going on this later tonight.

Would it make sense to go ahead and release cuts to central for each version cut of spotbugs, or should just the next version be the starting point?

iloveeclipse commented 7 years ago

If you could cut a version for RC4, it would be a good start, going back does not make sense. Please once you do this, update SpotBugs homepage / manual documentation or open ticket to do so. Also it would be great if you could draft a small readme in the new project how to build and release it to maven repos.

hazendaz commented 7 years ago

@iloveeclipse Basics are up on plugin now. Since I already cut RC4 under old tag that probably is good enough for the moment. I'll add a redirect pom on next release and then switch it over. For now, added a couple of badges and rebranding so the plugin is looking more like spotbugs. I'm also using spotbugs branch as main branch there for time being since I got traction on findbugs maven plugin and there are enough valid issues over there that I think fixing at source is a good idea then merging into this line.

hazendaz commented 7 years ago

@KengoTODA Can you go over to sonatype jira and reply on this jira ticket (https://issues.sonatype.org/browse/OSSRH-27535)? I need to get access so I can push spotbugs-maven-plugin from here. At the moment not sure where they were looking since github is showing me as part of the group but assuming they looked only at this repo rather than overall or others.

KengoTODA commented 7 years ago

@hazendaz I've commented as https://issues.sonatype.org/browse/OSSRH-27535?focusedCommentId=426063&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-426063 please confirm.

hazendaz commented 7 years ago

Confirmed. Thanks.

iloveeclipse commented 7 years ago

What is the status of this task? Can we close it as fixed?

hazendaz commented 7 years ago

I need to push the first official release under this group. I'll do that tonight so this can be closed.

hazendaz commented 7 years ago

I'm going to hold off pushing for now until I get this more friendly to spotbugs full usage including the mojo. I'll try to get this out this weekend. You probably can still close this and just point to the last I released under my branding. It's on RC4. But manual runs like 'mvn spotbugs:findbugs' are required on that at the moment which I want to fix.

KengoTODA commented 7 years ago

I found one TODO:

hazendaz commented 7 years ago

Thanks I'll look to fix that hopefully this weekend.

iloveeclipse commented 7 years ago

Ping. We are close to RC6 (waiting on ASM6 release only). Would be great to have everything prepared on the maven side too.

hazendaz commented 7 years ago

@iloveeclipse Need some feedback. Should I pretty much just leave findbugs plugin as-is or rebrand it entirely? I'm trying to rebrand it entirely but that will take a bit longer. If I leave it as-is, I can release pretty much now. It's a lot to actually rebrand it entirely but if done it would support running both findbugs maven plugin and spotbugs maven plugin if someone wanted to actually do that.