Findbugs Analysis should be skipped when there are no Findbugs Rules activated in QualityProfile #72

Closed
theatricshrink opened this issue Jan 23, 2017 · 17 comments

@theatricshrink

Currently (Findbugs Plugin 3.4.4, Sonar 5.6), as soon as the Findbugs Plugin is installed, the plugin is loaded and executed for every project, no matter whether Findbugs rules are activated in the quality profile in use.
IMHO the execution should be skipped when no rules are included.

@lweitzel

Having the exact same issue with plugin 3.4.4 (we just updated Friday) and Sonar 5.6.3.

@cniweb

cniweb commented Feb 7, 2017

We have the same issue!

@h3xstream
Member

h3xstream commented Feb 7, 2017

I have some déjà-vu impression on this one.

The current implementation verifies that at least one rule is activated from the FindBugs, FindSecBugs, FB-Contrib or JSP repository.
https://github.com/SonarQubeCommunity/sonar-findbugs/blob/master/src/main/java/org/sonar/plugins/findbugs/FindbugsSensor.java#L92

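  @Override
  public void execute(SensorContext context) {
    // Skip the analysis when no rule from any of the four repositories is active
    if (!hasActiveFindbugsRules() && !hasActiveFbContribRules() && !hasActiveFindSecBugsRules() && !hasActiveFindSecBugsJspRules()) {
      return;
    }
    // ... (the rest of the method is not shown in this excerpt)
  }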

Can you guys make sure that both the Java and JSP default or selected profiles do not contain any FindBugs rules?

@h3xstream h3xstream added the bug label Feb 7, 2017
@theatricshrink
Author

Maybe it has to do with the project being set up as multi-module, but for me it does not work.
I ran a test with a quality profile with 1 enabled Java rule (squid:S1132) on a 3-module project.

The relevant parts of the log are below (full log attached, as well as screenshots of the quality profile).
sonarlog.txt
profile

.
08:37:02 INFO: Quality profile for java: Test
.
.
08:37:13 INFO: Sensor FindBugs Sensor
08:37:13 INFO: Loading findbugs plugin: D:\build\jenkins\workspace\SANITY\.sonar\WEB_STRICT_focus\findbugs\findsecbugs-plugin.jar
08:37:13 INFO: Findbugs output report: D:\build\jenkins\workspace\SANITY\.sonar\WEB_STRICT_focus\findbugs-result.xml
08:37:16 INFO: Sensor FindBugs Sensor (done) | time=3120ms
.
.
08:37:21 INFO: Sensor FindBugs Sensor
08:37:21 INFO: Loading findbugs plugin: D:\build\jenkins\workspace\SANITY\.sonar\WEB_STRICT_api-gateway\findbugs\findsecbugs-plugin.jar
08:37:21 INFO: Findbugs output report: D:\build\jenkins\workspace\SANITY\.sonar\WEB_STRICT_api-gateway\findbugs-result.xml
08:37:26 The following classes needed for analysis were missing:
08:37:26   javax.ws.rs.core.Response$Status
08:37:26   javax.ws.rs.core.Response
08:37:26   javax.ws.rs.core.Response$ResponseBuilder
08:37:26 INFO: Sensor FindBugs Sensor (done) | time=5429ms
.
.
08:37:28 INFO: Sensor FindBugs Sensor
08:37:28 INFO: Loading findbugs plugin: D:\build\jenkins\workspace\SANITY\.sonar\WEB_STRICT_api-public\findbugs\findsecbugs-plugin.jar
08:37:28 INFO: Findbugs output report: D:\build\jenkins\workspace\SANITY\.sonar\WEB_STRICT_api-public\findbugs-result.xml
08:37:35 The following classes needed for analysis were missing:
08:37:35   javax.ws.rs.core.Application
08:37:35   javax.ws.rs.container.ContainerRequestFilter
08:37:35   javax.ws.rs.ext.ParamConverterProvider
08:37:35   javax.ws.rs.ext.ParamConverter
08:37:35   javax.ws.rs.core.SecurityContext
08:37:35   javax.ws.rs.core.Response$Status
08:37:35   javax.ws.rs.core.Response
08:37:35   javax.ws.rs.core.Response$ResponseBuilder
08:37:35   javax.ws.rs.core.MediaType
08:37:35   javax.ws.rs.container.ContainerRequestContext
08:37:35   javax.ws.rs.core.UriInfo
08:37:35   org.glassfish.jersey.server.ContainerRequest
08:37:35   javax.ws.rs.core.Form
08:37:35   javax.ws.rs.core.MultivaluedMap
08:37:35   javax.ws.rs.core.UriBuilder
08:37:35 INFO: Sensor FindBugs Sensor (done) | time=6755ms
.
.
.

@cniweb

cniweb commented Feb 8, 2017

We have a Quality Profile only with one rule (squid:S1451) and the scan fails with:

08.02.2017 11:01:28 INFO: Sensor FindBugs Sensor
08.02.2017 11:01:32 WARN: Findbugs needs sources to be compiled. Please build project before executing sonar or check the location of compiled classes to make it possible for Findbugs to analyse your project.
08.02.2017 11:01:38 INFO: ------------------------------------------------------------------------
08.02.2017 11:01:38 INFO: EXECUTION FAILURE
08.02.2017 11:01:38 INFO: ------------------------------------------------------------------------
08.02.2017 11:01:38 INFO: Total time: 5:50.200s
08.02.2017 11:01:38 INFO: Final Memory: 66M/1730M
08.02.2017 11:01:38 INFO: ------------------------------------------------------------------------
08.02.2017 11:01:38 ERROR: Error during SonarQube Scanner execution
08.02.2017 11:01:38 java.lang.IllegalStateException: Can not execute Findbugs

@rjbrandt

rjbrandt commented Mar 8, 2017

I just did some more testing around this issue. Findbugs 3.4.4 fails when you don't set the property sonar.language, so the workaround is to specifically set the language. This means that Findbugs 3.4.4 will not work for multi-language projects unless you add a sonar-project.properties in all directories. This needs to be fixed for us to be able to upgrade the plugin.

Here is the error without the language set.

WARN: Findbugs needs sources to be compiled. Please build project before executing sonar or check the location of compiled classes to make it possible for Findbugs to analyse your project.
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 9.921s
INFO: Final Memory: 62M/514M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarQube Scanner execution
java.lang.IllegalStateException: Can not execute Findbugs
        at org.sonar.plugins.findbugs.FindbugsExecutor.execute(FindbugsExecutor.java:169)
        at org.sonar.plugins.findbugs.FindbugsSensor.execute(FindbugsSensor.java:96)
        at org.sonar.batch.sensor.SensorWrapper.analyse(SensorWrapper.java:57)
        at org.sonar.batch.phases.SensorsExecutor.executeSensor(SensorsExecutor.java:58)
        at org.sonar.batch.phases.SensorsExecutor.execute(SensorsExecutor.java:50)
        at org.sonar.batch.phases.AbstractPhaseExecutor.execute(AbstractPhaseExecutor.java:83)
        at org.sonar.batch.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:192)
        at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:142)
        at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:127)
        at org.sonar.batch.scan.ProjectScanContainer.scan(ProjectScanContainer.java:241)
        at org.sonar.batch.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:236)

@stoyankanev

Hi,
I would also like to vote for this issue because it causes a real performance degradation! We are using:

  • SonarQube 6.7.3 LTS
  • SonarJava plugin 5.2.0.13398
  • FindBugs plugin 3.7.0

We have exceeded the default 10 mins of sonar.findbugs.timeout...

@KengoTODA
Member

Please propose your fix via PR! :)

@stoyankanev

Concerning my previous comment, I have done some additional debugging. The plugin activation is caused by the default JSP QProfile rules.

[INFO] Sensor FindBugs Sensor [findbugs]
[WARNING] findsecbugs-jsp RuleKey=XSS_REQUEST_PARAMETER_TO_JSP_WRITER Profile Name=FindBugs Security JSP
[WARNING] findsecbugs-jsp RuleKey=JSP_XSLT Profile Name=FindBugs Security JSP
[WARNING] findsecbugs-jsp RuleKey=JSP_SPRING_EVAL Profile Name=FindBugs Security JSP
[WARNING] findsecbugs-jsp RuleKey=JSP_INCLUDE Profile Name=FindBugs Security JSP
[WARNING] findsecbugs-jsp RuleKey=XSS_JSP_PRINT Profile Name=FindBugs Security JSP
[WARNING] findsecbugs-jsp RuleKey=JSP_JSTL_OUT Profile Name=FindBugs Security JSP
[WARNING] findsecbugs-jsp RuleKey=XSS_REQUEST_PARAMETER_TO_JSP_WRITER Profile Name=FindBugs Security JSP
[WARNING] findsecbugs-jsp RuleKey=JSP_XSLT Profile Name=FindBugs Security JSP
[WARNING] findsecbugs-jsp RuleKey=JSP_SPRING_EVAL Profile Name=FindBugs Security JSP
[WARNING] findsecbugs-jsp RuleKey=JSP_INCLUDE Profile Name=FindBugs Security JSP
[WARNING] findsecbugs-jsp RuleKey=XSS_JSP_PRINT Profile Name=FindBugs Security JSP
[WARNING] findsecbugs-jsp RuleKey=JSP_JSTL_OUT Profile Name=FindBugs Security JSP
[INFO] Loading findbugs plugin: C:\git\com.sap.ldi.qi.reporting\target\sonar\findbugs\findsecbugs-plugin.jar
[INFO] Findbugs output report: C:\git\com.sap.ldi.qi.reporting\target\sonar\findbugs-result.xml
[INFO] Sensor FindBugs Sensor [findbugs] (done) | time=10889ms

It seems that it will not be so easy to fix. But I found a workaround that works 😸

  • I created an empty JSP QProfile, e.g. EmptyProfile
  • I made it the default one

[INFO] Sensor FindBugs Sensor [findbugs]
[INFO] Sensor FindBugs Sensor [findbugs] (done) | time=13ms

That's all for now. 😄

@phinehasz

Change to

  private boolean hasActiveRules(String repoSubstring) {
    // True when at least one active rule belongs to exactly this repository
    return profile.getActiveRules().stream()
        .anyMatch(activeRule -> activeRule.getRepositoryKey().equals(repoSubstring));
  }

to resolve this issue.

mtooth pushed a commit to mtooth/sonar-findbugs that referenced this issue Mar 13, 2019
… Findbugs analysis (defaults to enabled)
@sydowma

sydowma commented Jul 17, 2021

Having the exact same issue with plugin 4.0.3 (we just updated Friday) and Sonar 8.9.1.

@gtoison
Contributor

gtoison commented Jan 20, 2022

@magaofei the issue is most likely that the FindBugs JSP quality profile is your default profile for JSP.
Even if you do not have any JSP files, SonarQube will activate it for all your projects (because it is the default profile). Since SonarQube tells the plugin that there are some active JSP rules, it runs an analysis.

So the workaround is to have a default JSP profile that does not contain any Findbugs rules.
This should be fixed by PR #446 once released
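
The behaviour described in the comment above, as an added example that is not part of the thread, the plugin source, or PR #446: a plain-Java model comparing the rule-only guard quoted earlier with one possible guard that also requires files of the matching language. The class and method names are hypothetical, and the repository keys other than `findsecbugs-jsp` are assumed.

```java
import java.util.Map;
import java.util.Objects;
import java.util.Set;

// Added illustration: a plain-Java model, not the sonar-findbugs source or the PR #446 change.
public class FindbugsSkipDecision {

  // Repository key -> language whose quality profile carries that repository's rules.
  // "findsecbugs-jsp" appears in the log earlier in the thread; the other keys are assumed.
  static final Map<String, String> REPO_LANGUAGE = Map.of(
      "findbugs", "java",
      "fb-contrib", "java",
      "findsecbugs", "java",
      "findsecbugs-jsp", "jsp");

  // Guard as quoted earlier in the thread: any active rule from any of the
  // four repositories triggers the analysis, whatever files the module holds.
  static boolean runsWithRuleCheckOnly(Set<String> activeRepos) {
    return activeRepos.stream().anyMatch(REPO_LANGUAGE::containsKey);
  }

  // One possible stricter guard (assumption): a repository counts only when
  // the module actually contains files of the language its rules apply to.
  static boolean runsWithLanguageCheck(Set<String> activeRepos, Set<String> moduleLanguages) {
    return activeRepos.stream()
        .map(REPO_LANGUAGE::get)
        .filter(Objects::nonNull)
        .anyMatch(moduleLanguages::contains);
  }

  public static void main(String[] args) {
    // Constructed scenario: the Java profile holds only a squid rule, the default
    // JSP profile is "FindBugs Security JSP", and the module has no JSP files.
    Set<String> activeRepos = Set.of("squid", "findsecbugs-jsp");
    Set<String> moduleLanguages = Set.of("java");

    System.out.println("rule check only:     " + runsWithRuleCheckOnly(activeRepos));
    System.out.println("with language check: "
        + runsWithLanguageCheck(activeRepos, moduleLanguages));

    // Workaround from the thread: with an empty default JSP profile, no
    // Findbugs repository is active, so even the rule-only guard skips.
    System.out.println("empty JSP profile:   " + runsWithRuleCheckOnly(Set.of("squid")));
  }
}
```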

@gtoison
Contributor

gtoison commented Feb 18, 2022

The fix for this issue is released here: https://github.com/spotbugs/sonar-findbugs/releases/tag/4.0.6
I will submit it in the market place soon but it would be great if anyone could try it out

@gtoison
Contributor

gtoison commented Feb 22, 2022

Version 4.0.6 has been released in the SonarQube marketplace so please consider upgrading to get the fix for this issue

@gerardgorrion

Version 4.0.6 has been released in the SonarQube marketplace so please consider upgrading to get the fix for this issue

Just yesterday, we tried to update our Findbugs plugin to 4.0.6 and today we see this error in Jenkins jobs:

WARN: Findbugs needs sources to be compiled. Please build project before executing sonar or check the location of compiled classes to make it possible for Findbugs to analyse your (sub)project

Any idea how to resolve it?

@gtoison
Contributor

gtoison commented Mar 30, 2022

SpotBugs needs the compiled .class files to analyze the project; this error message indicates that it could not find them.
Could you please file a separate issue indicating more details about the project you're analyzing (language, versions, folder structure, etc.)?
How do you build the project and where are the compiled .class files when you analyze it with SonarQube?

@gtoison
Contributor

gtoison commented Apr 25, 2022

This issue should be fixed in version >= 4.0.6

@gtoison gtoison closed this as completed Apr 25, 2022