Maven configuration
The first step is to configure the SpotBugs Maven Plugin in your root pom.xml.
/pom.xml
[...]
<build>
<plugins>
[...]
<!-- SpotBugs Static Analysis -->
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>4.0.4</version>
<configuration>
<effort>Max</effort>
<threshold>medium</threshold>
<failOnError>true</failOnError>
<includeFilterFile>${session.executionRootDirectory}/spotbugs-security-include.xml</includeFilterFile>
<excludeFilterFile>${session.executionRootDirectory}/spotbugs-security-exclude.xml</excludeFilterFile>
<plugins>
<plugin>
<groupId>com.h3xstream.findsecbugs</groupId>
<artifactId>findsecbugs-plugin</artifactId>
<version>1.12.0</version>
</plugin>
</plugins>
</configuration>
</plugin>
</plugins>
</build><includeFilterFile> : Specify the filter file limiting the research to security category only. (Disabling the detectors bundle with FindBugs not related to security).
<plugins> : Specify "Find Security Bugs" by its artifact id.
/spotbugs-security-include.xml
<FindBugsFilter>
<Match>
<Bug category="SECURITY"/>
</Match>
</FindBugsFilter>/spotbugs-security-exclude.xml
<FindBugsFilter>
</FindBugsFilter>mvn compile
mvn spotbugs:spotbugs
Keep in mind the goal spotbugs:spotbugs requires the compiled code to be present in /target/classes. (Make sure your jsp are pre-compiled for example)
It is possible to consult the results in multiple ways.
Official GUI
mvn spotbugs:gui
XML report
A XML report is generated at target/findbugsXml.xml. This file format is read by Jenkins, for example.
FindBugs Maven Plugin : Reference for the POM configuration and the different goals.
Misc configurations