How to integrate find-sec-bugs in spotbugs?

766 Views Asked by J_aka_J At 30 April 2021 at 15:38

Recently I downloaded the findsecbugs-plugin-1.11.0.jar in order to use it in spotbugs. I copied this jar file to the folder plugin of the project spotbugs(4.1.4).

I execute spotbugs making use of ant. When I run the ant target I get the following message:

 [spotbugs] Executing SpotBugs FindBugsTask from ant task
 [spotbugs] Running SpotBugs...
 [spotbugs] The following classes needed for analysis were missing:
 [spotbugs]   apply
 [spotbugs]   applyAsInt
 [spotbugs]   test
 [spotbugs]   accept
 [spotbugs] Java Result: 3
 [spotbugs] Classes needed for analysis were missing

Do you know what extra jar files do I need?

Original Q&A

There are 2 best solutions below

h3xStream On 03 August 2021 at 05:07

Unfortunately, the Ant integration does not have plugins configuration.

Option 1 : Exec Task

You could run the command-line version of Find-Security-Bugs. You have to invoke the tool with exec task. With this, you will be able to generate XML, HTML and SARIF reports.

Option 2 : Java task

As an alternative, you can use the Java task to invoke the class edu.umd.cs.findbugs.FindBugs2 which handles the CLI interface of SpotBugs.

You can take inspiration from the Maven implementation which use under the hood the AntRunner.

ant.java(classname: "edu.umd.cs.findbugs.FindBugs2", inputstring: getSpotbugsAuxClasspath(), fork: "${fork}", failonerror: "true", clonevm: "false", timeout: "${timeout}", maxmemory: "${maxHeap}m") {
...
}

I'm not 100% sure that you can define pluginArtifacts from an Ant script. You might have to create a small plugin to do it.

Example of FindBugs2 invocation from Ant java task: SpotBugsMojo.groovy
Java task

db. On 04 May 2022 at 19:34

Although not documented in https://spotbugs.readthedocs.io/en/latest/ant.html#parameters, the Ant integration does support plugins using the pluginList parameter (see https://github.com/spotbugs/spotbugs/blob/master/spotbugs-ant/src/main/java/edu/umd/cs/findbugs/anttask/FindBugsTask.java). So,

<spotbugs home="..." ... 
          pluginList="findsecbugs-plugin-1.12.0.jar">
...
</spotbugs>

works. Try running with parameter debug="true" to see details.

How to integrate find-sec-bugs in spotbugs?

There are 2 best solutions below

Option 1 : Exec Task

Option 2 : Java task

Related Questions in JAVA

Related Questions in SPOTBUGS

Related Questions in FIND-SEC-BUGS

Trending Questions

Popular # Hahtags

Popular Questions