spotbugs-api-with-findsecbugs

Example of running SpotBugs from Java with the findsecbugs plugin. It analyzes the WebGoat jar, which is known to contain a number of bugs.
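An added example (not this repository's own source) of driving the SpotBugs engine from Java with the findsecbugs plugin registered. It assumes `spotbugs` and `findsecbugs-plugin` are on the classpath, that the plugin jar and the WebGoat jar paths are placeholders, and that findsecbugs patterns report under the `SECURITY` bug category:

```java
import java.io.File;
import java.util.Collection;

import edu.umd.cs.findbugs.BugCollectionBugReporter;
import edu.umd.cs.findbugs.BugInstance;
import edu.umd.cs.findbugs.DetectorFactoryCollection;
import edu.umd.cs.findbugs.FindBugs2;
import edu.umd.cs.findbugs.Plugin;
import edu.umd.cs.findbugs.Priorities;
import edu.umd.cs.findbugs.Project;
import edu.umd.cs.findbugs.config.UserPreferences;

public class SpotBugsWithFindSecBugs {

    // Placeholder paths (assumptions, not values from this repository).
    static final String PLUGIN_JAR = "path/to/findsecbugs-plugin.jar";
    static final String TARGET_JAR = "path/to/webgoat.jar";

    public static void main(String[] args) throws Exception {
        // Register findsecbugs before the engine runs; detectors from a plugin
        // added afterwards would not take part in the analysis.
        Plugin plugin = Plugin.addCustomPlugin(new File(PLUGIN_JAR).toURI());
        System.out.println("Custom plugin added: " + plugin);

        Project project = new Project();
        project.addFile(TARGET_JAR);

        // Collect findings in memory instead of printing them as they are found.
        BugCollectionBugReporter reporter = new BugCollectionBugReporter(project);
        reporter.setPriorityThreshold(Priorities.LOW_PRIORITY); // keep every finding

        FindBugs2 engine = new FindBugs2();
        engine.setProject(project);
        engine.setBugReporter(reporter);
        engine.setDetectorFactoryCollection(DetectorFactoryCollection.instance());
        engine.setUserPreferences(UserPreferences.createDefaultUserPreferences());
        engine.finishSettings();
        engine.execute();

        Collection<BugInstance> bugs = reporter.getBugCollection().getCollection();
        System.out.println("Results: " + bugs.size() + " bugs found");

        // Separate findsecbugs findings (category SECURITY, assumed) from SpotBugs'
        // own correctness/performance patterns so a CI gate can act on them alone.
        long security = bugs.stream()
                .filter(b -> "SECURITY".equals(b.getBugPattern().getCategory()))
                .peek(b -> System.out.println(b.getAbbrev() + ": " + b.getBugPattern().getShortDescription()))
                .count();
        System.out.println(security + " security findings");
        if (security > 0) System.exit(1); // fail the build on any security finding
    }
}
```

The exit status makes the run usable as a build gate: WebGoat is expected to fail it, a clean artifact passes.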

The output should be:

```
Custom plugin added: Plugin:com.h3xstream.findsecbugs
Finished SpotBugs analysis
Results: 
172 bugs found
[Dm: Method invokes inefficient new String(String) constructor,SECCRLFLOG: Potential CRLF Injection for logs,MS: Field isn't final and can't be protected from malicious code,MS: Field should be package protected,NP: Load of known null value,NP: Method call passes null for non-null parameter,Se: Non-transient non-serializable instance field in serializable class,STCAL: Call to static DateFormat,STCAL: Static DateFormat,ST: Write to static field from instance method,ST: Write to static field from instance method,Dm: Method invokes inefficient new String() constructor,SECXSS2: Potential XSS in Servlet,DLS: Dead store to local variable,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,BC: Equals method should not assume anything about the type of its argument,Dm: Reliance on default encoding,Dm: Reliance on default encoding,Dm: Reliance on default encoding,Dm: Reliance on default encoding,Dm: Reliance on default encoding,Bx: Method invokes inefficient Number constructor; use static valueOf instead,Bx: Method invokes inefficient Number constructor; use static valueOf instead,HE: Class defines equals() and uses Object.hashCode(),NP: equals() method does not check for null argument,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,ODR: Method may fail to close database resource,SECPTI: Potential Path Traversal (file read),SECPTI: Potential Path Traversal (file read),SECPTI: Potential Path Traversal (file read),SECPTI: Potential Path Traversal (file read),SQL: Nonconstant string passed to execute or addBatch method on an SQL statement,ST: Write to static field from instance method,SECSSSRFUC: URLConnection Server-Side Request Forgery (SSRF) and File Disclosure,Bx: Method invokes inefficient Number constructor; use static valueOf instead,HE: Class defines equals() and uses Object.hashCode(),Dm: Reliance on default encoding,OS: Method may fail to close stream,SECPTI: Potential Path Traversal (file read),REC: Exception is caught when Exception is not thrown,UrF: Unread public/protected field,HE: Class inherits equals() and uses Object.hashCode(),HE: Class inherits equals() and uses Object.hashCode(),OBL: Method may fail to clean up stream or resource,ODR: Method may fail to close database resource,HE: Class inherits equals() and uses Object.hashCode(),HE: Class inherits equals() and uses Object.hashCode(),HE: Class inherits equals() and uses Object.hashCode(),HE: Class inherits equals() and uses Object.hashCode(),OBL: Method may fail to clean up stream or resource,ODR: Method may fail to close database resource,HE: Class inherits equals() and uses Object.hashCode(),OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,ODR: Method may fail to close database resource,SECSQLIJDBC: Potential JDBC Injection,Eq: Class defines compareTo(...) and uses Object.equals(),SECPTI: Potential Path Traversal (file read),REC: Exception is caught when Exception is not thrown,NP: Possible null pointer dereference due to return value of called method,NP: Possible null pointer dereference due to return value of called method,NP: Possible null pointer dereference due to return value of called method,NP: Possible null pointer dereference due to return value of called method,NP: Possible null pointer dereference due to return value of called method,NP: Possible null pointer dereference due to return value of called method,SECPTI: Potential Path Traversal (file read),SECPTI: Potential Path Traversal (file read),Dm: Reliance on default encoding,NP: Possible null pointer dereference due to return value of called method,NP: Possible null pointer dereference due to return value of called method,NP: Possible null pointer dereference due to return value of called method,ST: Write to static field from instance method,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECCRLFLOG: Potential CRLF Injection for logs,ERRMSG: Information Exposure Through An Error Message,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,RCN: Redundant nullcheck of value known to be non-null,SECSPRCSRFURM: Spring CSRF unrestricted RequestMapping,Bx: Method invokes inefficient Number constructor; use static valueOf instead,Bx: Method invokes inefficient Number constructor; use static valueOf instead,NP: Load of known null value,SECPTI: Potential Path Traversal (file read),OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource,Dm: Empty database password,SECHCP: Hard Coded Password,Dm: Method invokes inefficient Boolean constructor; use Boolean.valueOf(...) instead,Dm: Method invokes inefficient Boolean constructor; use Boolean.valueOf(...) instead,Dm: Method invokes inefficient Boolean constructor; use Boolean.valueOf(...) instead,Dm: Method invokes inefficient Boolean constructor; use Boolean.valueOf(...) instead,Bx: Method allocates a boxed primitive just to call toString,Bx: Method allocates a boxed primitive just to call toString,Bx: Method allocates a boxed primitive just to call toString,Dm: Reliance on default encoding,Dm: Reliance on default encoding,ERRMSG: Information Exposure Through An Error Message,SECPTI: Potential Path Traversal (file read),SECPTO: Potential Path Traversal (file write),RCN: Redundant nullcheck of value known to be non-null,UrF: Unread field,Dm: Method invokes inefficient Boolean constructor; use Boolean.valueOf(...) instead,Dm: Method invokes inefficient Boolean constructor; use Boolean.valueOf(...) instead,SECRD: Regex DOS (ReDOS),SECRD: Regex DOS (ReDOS),Dm: Empty database password,SECHCP: Hard Coded Password,OBL: Method may fail to clean up stream or resource,OBL: Method may fail to clean up stream or resource on checked exception,OBL: Method may fail to clean up stream or resource on checked exception,OBL: Method may fail to clean up stream or resource on checked exception,OBL: Method may fail to clean up stream or resource on checked exception,OBL: Method may fail to clean up stream or resource on checked exception,OBL: Method may fail to clean up stream or resource on checked exception,OBL: Method may fail to clean up stream or resource on checked exception,ODR: Method may fail to close database resource,SS: Unread field: should this field be static?,SS: Unread field: should this field be static?,SS: Unread field: should this field be static?,SS: Unread field: should this field be static?,SS: Unread field: should this field be static?,SS: Unread field: should this field be static?,SS: Unread field: should this field be static?,SS: Unread field: should this field be static?,SS: Unread field: should this field be static?,SS: Unread field: should this field be static?,SS: Unread field: should this field be static?,SECCRLFLOG: Potential CRLF Injection for logs,Dm: Reliance on default encoding,SBSC: Method concatenates strings using + in a loop,WMI: Inefficient use of keySet iterator instead of entrySet iterator,Dm: Method invokes inefficient new String(String) constructor,DMI: Code contains a hard coded reference to an absolute pathname,Eq: Class doesn't override equals in superclass,NP: Possible null pointer dereference in method on exception path,OBL: Method may fail to clean up stream or resource,SECPTI: Potential Path Traversal (file read),Se: Non-transient non-serializable instance field in serializable class,ST: Write to static field from instance method,Bx: Method invokes inefficient Number constructor; use static valueOf instead,Bx: Method invokes inefficient Number constructor; use static valueOf instead,Bx: Method invokes inefficient Number constructor; use static valueOf instead,ST: Write to static field from instance method,ST: Write to static field from instance method]

Process finished with exit code 0
```