I have used the FindSecBugs plugin in SpotBugs to do a static security analysis of my code. Some of my projects are built using Gradle and some using Maven. I have successfully tested it for Maven, which gives me an XML report like:
<BugInstance instanceOccurrenceNum="0" instanceHash="f52576b87914efbf135c588c2449648e" cweid="117" rank="15" abbrev="SECCRLFLOG" category="SECURITY" priority="3" type="CRLF_INJECTION_LOGS" instanceOccurrenceMax="0">
It seems to be working fine. Next I tried to do the same for Gradle. It looks like I'm not getting the instanceHash attribute. I use that attribute to make sure bugs aren't repeated. I get a report like:
<BugInstance type="PATH_TRAVERSAL_IN" priority="1" rank="10" abbrev="SECPTI" category="SECURITY">
My build.gradle file:
apply plugin: "com.github.spotbugs"

dependencies {
    // Find Security Bugs detectors loaded into SpotBugs
    spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.9.0'
}

spotbugs {
    toolVersion = '3.1.12'
    sourceSets = [ sourceSets.main ]
    ignoreFailures = true
    reportsDir = file("$project.buildDir/findsecbugs")
    effort = "max"
    reportLevel = "high"
    includeFilter = file("$rootProject.projectDir/fsb-include.xml")
    excludeFilter = file("$rootProject.projectDir/fsb-exclude.xml")
}
Am I doing anything wrong? Why are some of the attributes missing in my XML report?
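The question relies on instanceHash to recognise a finding that was already reported. The following is an added example, not code from the question or from SpotBugs, showing one way to merge reports from both build tools when the attribute is present in some reports and absent in others: it keys on instanceHash only when every bug in every report carries one, and otherwise derives its own key from the bug type and the Class/Method/Field annotations. The sample reports are constructed for the example; the class names, method signatures and the second hash value are hypothetical, and the fallback hashing scheme is my own choice rather than SpotBugs' algorithm.

```python
"""Deduplicate SpotBugs / FindSecBugs XML reports that may lack instanceHash."""
import hashlib
import xml.etree.ElementTree as ET


def fallback_hash(bug: ET.Element) -> str:
    """Stable key for a BugInstance element that has no instanceHash.

    MD5 over the bug type and its Class, Method and Field annotations.
    SourceLine is deliberately left out (my choice for this example, not
    SpotBugs' own scheme) so that unrelated edits that shift line numbers
    do not turn an already known finding into a "new" one.
    """
    parts = [bug.get("type", "")]
    for tag in ("Class", "Method", "Field"):
        for ann in bug.findall(tag):
            parts.append(tag)
            for attr in ("classname", "name", "signature"):
                parts.append(ann.get(attr, ""))
    return hashlib.md5("\x00".join(parts).encode("utf-8")).hexdigest()


def dedupe_reports(reports):
    """Merge several SpotBugs XML reports into {key: {"type", "reports"}}.

    The report's own instanceHash is used only when every bug in every
    report has one; a report-supplied hash and our fallback hash are not
    comparable, so mixing them would hide duplicates. "reports" lists the
    indexes of the input reports in which the finding appeared.
    """
    parsed = []
    for idx, xml_text in enumerate(reports):
        root = ET.fromstring(xml_text)
        if root.tag != "BugCollection":
            raise ValueError("not a SpotBugs BugCollection: <%s>" % root.tag)
        parsed.extend((idx, bug) for bug in root.iter("BugInstance"))

    all_hashed = all(bug.get("instanceHash") for _, bug in parsed)
    seen = {}
    for idx, bug in parsed:
        key = bug.get("instanceHash") if all_hashed else fallback_hash(bug)
        entry = seen.setdefault(key, {"type": bug.get("type"), "reports": []})
        if idx not in entry["reports"]:
            entry["reports"].append(idx)
    return seen


# Constructed sample: a Maven-style report with instanceHash on every bug.
REPORT_MAVEN = """<BugCollection version="3.1.12">
  <BugInstance instanceOccurrenceNum="0" instanceHash="f52576b87914efbf135c588c2449648e" cweid="117" rank="15" abbrev="SECCRLFLOG" category="SECURITY" priority="3" type="CRLF_INJECTION_LOGS" instanceOccurrenceMax="0">
    <Class classname="com.example.LogUtil"/>
    <Method classname="com.example.LogUtil" name="log" signature="(Ljava/lang/String;)V"/>
    <SourceLine classname="com.example.LogUtil" start="42" end="42"/>
  </BugInstance>
  <BugInstance instanceHash="0123456789abcdef0123456789abcdef" type="PATH_TRAVERSAL_IN" priority="1" rank="10" abbrev="SECPTI" category="SECURITY">
    <Class classname="com.example.FileService"/>
    <Method classname="com.example.FileService" name="read" signature="(Ljava/lang/String;)[B"/>
    <SourceLine classname="com.example.FileService" start="17" end="19"/>
  </BugInstance>
</BugCollection>"""

# Constructed sample: a Gradle-style report with no instanceHash. The first
# two bugs are the same findings as above (one at a shifted line), the third is new.
REPORT_GRADLE = """<BugCollection version="3.1.12">
  <BugInstance type="CRLF_INJECTION_LOGS" priority="3" rank="15" abbrev="SECCRLFLOG" category="SECURITY">
    <Class classname="com.example.LogUtil"/>
    <Method classname="com.example.LogUtil" name="log" signature="(Ljava/lang/String;)V"/>
    <SourceLine classname="com.example.LogUtil" start="45" end="45"/>
  </BugInstance>
  <BugInstance type="PATH_TRAVERSAL_IN" priority="1" rank="10" abbrev="SECPTI" category="SECURITY">
    <Class classname="com.example.FileService"/>
    <Method classname="com.example.FileService" name="read" signature="(Ljava/lang/String;)[B"/>
    <SourceLine classname="com.example.FileService" start="17" end="19"/>
  </BugInstance>
  <BugInstance type="PATH_TRAVERSAL_IN" priority="1" rank="10" abbrev="SECPTI" category="SECURITY">
    <Class classname="com.example.FileService"/>
    <Method classname="com.example.FileService" name="write" signature="(Ljava/lang/String;[B)V"/>
    <SourceLine classname="com.example.FileService" start="30" end="31"/>
  </BugInstance>
</BugCollection>"""


if __name__ == "__main__":
    for key, entry in dedupe_reports([REPORT_MAVEN, REPORT_GRADLE]).items():
        print(key, entry["type"], "seen in reports", entry["reports"])
```

Merging the two constructed reports yields three distinct findings rather than five, with the CRLF bug recorded as present in both reports even though its line number moved. The trade-off of the fallback key is that two genuinely separate instances of the same bug type in the same method collapse into one; if that matters, add the SourceLine attributes to the hashed parts and accept that line shifts will then create "new" findings.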