Use SpotBugs to spot bugs.

[sprocter]

Summary

We should use SpotBugs to find issues with OSATE code, and if those issues are severe enough, block pull requests that introduce them.

Tasks

• Install / configure SpotBugs
• Add installation to Oomph
• Add configuration to Oomph
• Announce SpotBugs usage / enforcement timeline on OSATE discussion list
• Add SpotBugs to Maven build
• Begin rejecting buggy pull requests

child of #1570

[lwrage]

For Jenkins we will need the Jenkins Warnings plugin.

[lwrage]

Observations:

• Running Spotbugs on the build server adds about 20min to the build.
• Goal spotbugs:spotbugs is needed for build without failing, bind to verify phase
• Security plugin added via pom configuration, manually in dev environment
• Most warnings are false positives
• Focus on >= medium confidence, >= troubling (>=14)
• Run security only?

[sprocter]

Is the restriction to security bugs only for performance reasons? If so, I'd be fine with that for the pull request builder, but I think we may want to run the full set for the nightly build.