Maven configuration

Janosch Schwalm edited this page May 6, 2018 · 16 revisions

1. POM configuration

The first step is to configure the SpotBugs Maven Plugin in your root pom.xml.

/pom.xml

[...]
<build>
    <plugins>
        
        [...]
        <!-- SpotBugs Static Analysis -->
        <plugin>
            <groupId>com.github.spotbugs</groupId>
            <artifactId>spotbugs-maven-plugin</artifactId>
            <version>3.1.1</version>
            <configuration>
                <effort>Max</effort>
                <threshold>Low</threshold>
                <failOnError>true</failOnError>
                <includeFilterFile>${session.executionRootDirectory}/spotbugs-security-include.xml</includeFilterFile>
                <excludeFilterFile>${session.executionRootDirectory}/spotbugs-security-exclude.xml</excludeFilterFile>
                <plugins>
                    <plugin>
                        <groupId>com.h3xstream.findsecbugs</groupId>
                        <artifactId>findsecbugs-plugin</artifactId>
                        <version>LATEST</version> <!-- Auto-update to the latest stable -->
                    </plugin>
                </plugins>
            </configuration>
        </plugin>
    </plugins>
</build>

<includeFilterFile> : Specifies the filter file that limits the analysis to the security category only (disabling the detectors bundled with FindBugs that are not related to security).

<plugins> : Adds "Find Security Bugs" as a detector plugin, identified by its group and artifact id.

/spotbugs-security-include.xml

<FindBugsFilter>
    <Match>
        <Bug category="SECURITY"/>
    </Match>
</FindBugsFilter>

/spotbugs-security-exclude.xml

<FindBugsFilter>
</FindBugsFilter>

2. Doing a scan

mvn compile
mvn spotbugs:spotbugs

Keep in mind that the goal spotbugs:spotbugs requires the compiled code to be present in /target/classes (make sure your JSPs are pre-compiled, for example).

3. Analyzing the result

It is possible to consult the results in multiple ways.

Official GUI

mvn spotbugs:gui

XML report

An XML report is generated at target/findbugsXml.xml. This file format is read by Jenkins, for example.
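The XML report can also be consumed directly, for example to fail a CI job on security findings. The script below is an added example, not part of the original page or of the Find Security Bugs project: it reads the BugInstance elements of the report and goes slightly beyond the configuration above by also skipping non-security categories, in case the include filter is missing. The function names, the default threshold and the sample report are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Report "priority" attribute: 1 = High, 2 = Medium, 3 = Low confidence.
CONFIDENCE = {1: "High", 2: "Medium", 3: "Low"}

# Constructed sample report (not output from a real scan).
SAMPLE_REPORT = """<BugCollection>
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" category="SECURITY">
    <Class classname="com.example.UserDao"/>
    <SourceLine classname="com.example.UserDao" start="42" end="42" sourcefile="UserDao.java"/>
  </BugInstance>
  <BugInstance type="PREDICTABLE_RANDOM" priority="3" category="SECURITY">
    <Class classname="com.example.TokenUtil">
      <SourceLine classname="com.example.TokenUtil" start="10" end="55" sourcefile="TokenUtil.java"/>
    </Class>
  </BugInstance>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="2" category="CORRECTNESS">
    <Class classname="com.example.Main"/>
  </BugInstance>
</BugCollection>"""

def security_findings(report_xml, max_priority=3):
    """Return SECURITY findings whose priority is <= max_priority (1 is most confident)."""
    findings = []
    for bug in ET.fromstring(report_xml).iter("BugInstance"):
        priority = int(bug.get("priority", "3"))
        if bug.get("category") != "SECURITY" or priority > max_priority:
            continue
        cls = bug.find("Class")
        line = bug.find("SourceLine")      # direct child: the flagged statement
        if line is None and cls is not None:
            line = cls.find("SourceLine")  # fall back to the class span
        start = line.get("start") if line is not None else None
        findings.append({
            "type": bug.get("type"),
            "confidence": CONFIDENCE.get(priority, "Unknown"),
            "class": cls.get("classname") if cls is not None else None,
            "line": int(start) if start else None,
        })
    return findings

def gate(report_xml, max_priority=2):
    """Print each finding and return a CI exit status: 1 if any remain, else 0."""
    found = security_findings(report_xml, max_priority)
    for f in found:
        print(f"{f['confidence']:6} {f['type']} {f['class']}:{f['line']}")
    return 1 if found else 0

if __name__ == "__main__":
    # With no argument, run on the constructed sample; otherwise read the given report file.
    sys.exit(gate(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT))
```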


References:

FindBugs Maven Plugin : Reference for the POM configuration and the different goals.