Maven | SpotBugs: Bug Detection
  1. SpotBugs Maven Plugin
  2. The help goal
  3. Configuration and Usage Examples

  1. SpotBugs Maven Plugin
    The SpotBugs Maven Plugin provides static analysis capabilities to detect potential bugs and security vulnerabilities in Java bytecode using the SpotBugs library.

    Plugin coordinates:
    • Group Id: com.github.spotbugs
    • Artifact Id: spotbugs-maven-plugin
    • Version: 4.9.3.0

    Goal Prefix: spotbugs

    The spotbugs plugin provides the following goals:
    • help: Displays help information on spotbugs-maven-plugin and its available parameters.

    • spotbugs: Analyzes the target project's compiled bytecode using SpotBugs and generates a detailed bug report. This goal runs in the verify phase by default.

    • check: Executes SpotBugs analysis like the spotbugs goal, but fails the build if any bugs are found based on configured thresholds. This goal also runs in the verify phase by default.

    • gui: Launches the SpotBugs GUI application to interactively browse analysis results. Requires previous execution of the spotbugs goal to generate analysis data.

    • exclude-filter: Generates an exclude filter XML file to suppress specific bug patterns or classes from analysis.

    Key configuration options:
    • effort: Min, Default, Max (analysis thoroughness - higher effort takes longer but finds more bugs).
    • threshold: High, Medium, Low (minimum bug confidence level - Low finds more potential issues).
    • excludeFilterFile: XML file to exclude specific bug patterns or source files.
    • includeFilterFile: XML file to include only specific bug patterns or source files.
    • failOnError: Whether to fail build when bugs are found (default: true for check goal, false for spotbugs goal).
    • xmlOutput: Generate XML output file (default: false).
    • skip: Skip SpotBugs execution entirely (default: false).
    • maxHeap: Maximum heap size for SpotBugs analysis, in megabytes (e.g., "1024").
  2. The help goal
    The help goal provides general information about the SpotBugs plugin, including available goals and their parameters.

    Use the detail parameter to get detailed information about all goals and their configuration options:
    # Display basic plugin information
    $ mvn spotbugs:help

    # Display detailed information about all goals and parameters
    $ mvn spotbugs:help -Ddetail=true

    If you need to use the plugin's full coordinates instead of its prefix, you can do that as follows:
    # Display basic plugin information
    $ mvn com.github.spotbugs:spotbugs-maven-plugin:4.9.3.0:help

    # Display detailed information about all goals and parameters
    $ mvn com.github.spotbugs:spotbugs-maven-plugin:4.9.3.0:help -Ddetail=true

    You can also use the Maven help plugin to describe the SpotBugs plugin:
    # Basic plugin description using help plugin
    $ mvn help:describe -Dplugin=com.github.spotbugs:spotbugs-maven-plugin:4.9.3.0

    # Detailed plugin description with all parameters
    $ mvn help:describe -Dplugin=com.github.spotbugs:spotbugs-maven-plugin:4.9.3.0 -Ddetail=true

    To get specific information about a goal, use the goal parameter:
    # Help for the 'spotbugs' goal
    $ mvn com.github.spotbugs:spotbugs-maven-plugin:4.9.3.0:help -Dgoal=spotbugs -Ddetail=true

    # Help for the 'check' goal using the help plugin
    $ mvn help:describe -Dplugin=com.github.spotbugs:spotbugs-maven-plugin:4.9.3.0 -Dgoal=check -Ddetail=true

    Note: When using the plugin's help goal directly, you don't need to specify the version if the plugin is already configured in your POM or if you want to use the latest version.

  3. Configuration and Usage Examples
    Basic Configuration in pom.xml:
    <build>
        <plugins>
            <!-- maven-site-plugin -->
    
            <!-- SpotBugs Maven Plugin -->
            <plugin>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs-maven-plugin</artifactId>
                <version>4.9.3.0</version>
                <configuration>
                    <effort>Max</effort>
                    <threshold>Low</threshold>
                    <xmlOutput>true</xmlOutput>
                    <failOnError>true</failOnError>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
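    Reporting Configuration (used when reports are generated by mvn site; the check execution above reads only the <build> configuration, so repeat the FindSecBugs <plugins> entry there if its findings should fail the build):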
    <reporting>
        <plugins>
            <plugin>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs-maven-plugin</artifactId>
                <version>4.9.3.0</version>
                <configuration>
                    <effort>Max</effort>
                    <threshold>Medium</threshold>
                    <includeFilterFile>spotbugs-security-include.xml</includeFilterFile>
                    <plugins>
                        <plugin>
                            <groupId>com.h3xstream.findsecbugs</groupId>
                            <artifactId>findsecbugs-plugin</artifactId>
                            <version>1.14.0</version>
                        </plugin>
                    </plugins>
                </configuration>
            </plugin>
        </plugins>
    </reporting>
    Command Line Usage:
    # Run basic SpotBugs analysis
    $ mvn spotbugs:spotbugs

    # Run analysis and fail build if bugs found
    $ mvn spotbugs:check

    # Launch SpotBugs GUI (requires previous analysis)
    $ mvn spotbugs:gui

    # Run with specific configuration overrides
    $ mvn spotbugs:spotbugs -Dspotbugs.effort=Max -Dspotbugs.threshold=Low

    # Skip SpotBugs analysis
    $ mvn install -Dspotbugs.skip=true

    Integration with Build Lifecycle:
    # Run as part of standard build process
    $ mvn clean compile test spotbugs:check

    # Generate site reports including SpotBugs
    $ mvn clean compile site

    Report Output Locations:
    • HTML Report: target/site/spotbugs.html (generated during site phase)
    • XML Report: target/spotbugsXml.xml (when xmlOutput=true)
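
Triage of the XML report for a CI gate, as an added example (not from the original page or the SpotBugs project): it reads a report shaped like target/spotbugsXml.xml and keeps only SECURITY-category findings at Medium confidence or higher. The sample report is constructed, and the names security_findings and gate are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample shaped like target/spotbugsXml.xml (not real scan output).
SAMPLE_REPORT = """<BugCollection>
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" category="SECURITY">
    <SourceLine sourcepath="com/example/UserDao.java" start="42" end="42"/>
  </BugInstance>
  <BugInstance type="PREDICTABLE_RANDOM" priority="2" category="SECURITY">
    <SourceLine sourcepath="com/example/TokenService.java" start="17" end="17"/>
  </BugInstance>
  <BugInstance type="PATH_TRAVERSAL_IN" priority="3" category="SECURITY">
    <SourceLine sourcepath="com/example/FileController.java" start="88" end="88"/>
  </BugInstance>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="1" category="CORRECTNESS">
    <SourceLine sourcepath="com/example/Cart.java" start="9" end="9"/>
  </BugInstance>
</BugCollection>"""

# The report stores confidence as a number: 1 = High, 2 = Medium, 3 = Low.
CONFIDENCE = {1: "High", 2: "Medium", 3: "Low"}

def security_findings(report_xml, categories=("SECURITY",), max_priority=2):
    """Return findings in `categories` with confidence at or above the cut-off."""
    findings = []
    for bug in ET.fromstring(report_xml).iter("BugInstance"):
        priority = int(bug.get("priority", "3"))
        if bug.get("category") not in categories or priority > max_priority:
            continue
        src = bug.find("SourceLine")  # first direct child: the reported location
        findings.append({
            "pattern": bug.get("type"),
            "priority": priority,
            "confidence": CONFIDENCE.get(priority, "Low"),
            "file": src.get("sourcepath") if src is not None else None,
            "line": int(src.get("start", "0")) if src is not None else None,
        })
    # Highest confidence first, then pattern name for stable output.
    return sorted(findings, key=lambda f: (f["priority"], f["pattern"]))

def gate(report_xml, **kwargs):
    """CI exit status: 1 if any selected finding remains, otherwise 0."""
    return 1 if security_findings(report_xml, **kwargs) else 0

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for f in security_findings(data):
        print(f"{f['confidence']:<6} {f['pattern']} {f['file']}:{f['line']}")
    sys.exit(gate(data))
```

Pass the report path as the first argument to triage a real build; with no argument the script runs on the constructed sample.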
© 2025  mtitek