How to run Spotbugs via Maven?

Asked 11/10, 2017 at 13:4 Answered 24/9, 2020 at 9:34

Solved java maven continuous-integration static-analysis spotbugs

This is my pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0" 
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0   
 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion> 

     <groupId>de.stackoverflow.test</groupId>
     <artifactId>HelloWorld</artifactId>
     <version>1.0-SNAPSHOT</version>
     <packaging>jar</packaging> 
     <name>HelloWorld</name> 

     <dependencies>   
             <dependency>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs-annotations</artifactId>
                <version>3.1.0-RC5</version>
                <optional>true</optional>
            </dependency>
     </dependencies>

     <build>        
        <plugins>
           <plugin>
           <groupId>com.github.hazendaz.spotbugs</groupId>
           <artifactId>spotbugs-maven-plugin</artifactId>
           <version>3.0.6</version>
           <dependencies>

           <dependency>
           <groupId>com.github.spotbugs</groupId>
           <artifactId>spotbugs</artifactId>
           <version>3.1.0-RC5</version>
           </dependency>
           </dependencies>
           </plugin>
        </plugins>
     </build>

mvn compile, mvn package and mvn site run without any problems. Build Success.

The project consists of a single HelloWorld.java with some bugs in it.

mvn site does not show me any bugs or errors. How do I get SpotBugs to scan my code?

Piliform answered 11/10, 2017 at 13:4 Comment(2)

Why are you defining src/main/java as resource directory? and why redefining conventions ? like source directoy ? – Buseck 11/10, 2017 at 16:0

Good question. It's definitely not necessary. I've updated the sourcecode. – Piliform 12/10, 2017 at 9:12

Use spotbugs-maven-plugin version 3.1.0-RC6, then you can find problem by mvn spotbugs:spotbugs. You may refer official document in readthedocs.

Eringo answered 18/10, 2017 at 4:6 Comment(0)

The spotbugs:check mojo runs by default in the verify phase of the maven lifecycle. This phase is located after compile and package.

To trigger the spotbugs check, invoke Maven with anything >= verify, for instance mvn verify or mvn install.

You could also attach the plugin to another lifecycle phase, I presume, like this:

<execution>
  <id>check</id>
  <phase>test</phase>
  <goals>
    <goal>check</goal>
  </goals>
</execution>

I have not tested that, though.

Dermatologist answered 9/12, 2019 at 7:19 Comment(0)

For spotbugs to run as part of mvn site you just need to ensure the plugin is in the <reporting> section in your pom.xml:

  <reporting>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>4.0.4</version>
      </plugin>
    </plugins>
  </reporting>

The <reporting> element is at the same level as the <build> element.

I'd also add that a useful convenience method to run spotbugs on a project without adding anything to the pom is:

mvn com.github.spotbugs:spotbugs-maven-plugin:spotbugs

Then inspect target/spotbugsXml.xml.

Even more convenient sometimes is the gui goal:

mvn com.github.spotbugs:spotbugs-maven-plugin:gui

Briar answered 24/9, 2020 at 9:34 Comment(0)

My issue was due to incorrectly migrating from Findbugs - see https://spotbugs.readthedocs.io/en/stable/migration.html#for-spotbugs-users.

Also, for testing whether spotbugs is working, you can just run

mvn spotbugs:check

And see if the target\spotbugsXml.xml file is produced.

Upbuild answered 12/4, 2020 at 14:8 Comment(0)

Recommended topics

Hot tags