Questions tagged [spotbugs]

SpotBugs is a program which uses static analysis to look for bugs in Java, Groovy, Kotlin, Scala, JSP and Closure code.

SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off with the support of its community. It is free software, distributed under the terms of the Lesser GNU Public License.

SpotBugs requires JRE (or JDK) 1.8.0 or later to run. However, it can analyze programs compiled for any version of Java, from 1.0 to 1.9.

165 questions
3 votes, 0 answers

REC_CATCH_EXCEPTION error (Exception is caught when Exception is not thrown)

I am seeing a weird behaviour where I added some code inside a try block and now I am getting the spotbug error REC_CATCH_EXCEPTION (Exception is caught when Exception is not thrown) for some reason. So basically originally, my code was something…
12435432nm

3 votes, 1 answer

How to export all rules from SonarQube Quality Profile to SpotBugs, Checkstyle and PMD rule files

Issue I am using SonarQube 7.9.1. I have Quality Profile containing ~450 active rules for Java code. There are exporters for FindBugs, PMD and Checkstyle in SonarQube, but they are not exporting all available rules. After export ~20 rules are…
M. Twarog

3 votes, 1 answer

Path traversal vulnerabilities not found at Scala code

I have been trying to scan my code by using SonarQube + FindBugs + FindSecBugs plugins. The idea is to detect vulnerabilities in the code, and as it says in the github project subject, it works with scala…
Maxi Lagos

3 votes, 2 answers

Spotbugs on a single file?

I am using Spotbugs plugin within Eclipse IDE. I can run the Spotbugs over a whole project, which gives me the impression that the tool needs to build the project to present its analysis report. But the documentation says that it's a static analysis…
Nasif Imtiaz Ohi

3 votes, 1 answer

How to configure SpotBugs maven plugin to create a full report but check for high threshold only?

I have a legacy maven project and want to integrate the FindBugs successor SpotBugs to create a report of all issues but fail only if there are High priority issues (for now). It is easy to create the report only without failing or to fail on a…
Arne Burmeister

3 votes, 2 answers

Is SpotBugs reporting a false positive on not closing a resource here?

I have code like this: public static MyObject forId(long myObjectId, Connection cxn) throws SQLException { try (PreparedStatement stmt = cxn.prepareStatement(selectMyObjectById))) { stmt.setLong(1, myObjectId); try (ResultSet res…

3 votes, 2 answers

Servlet reflected cross site scripting vulnerability

I've analyzed some code with FindBugs and it reported a warning for a servlet reflected cross-site scripting vulnerability. The code is like this and the 3rd line throws the warning: String tickName = request.getParameter("ticko"); PrintWriter w =…
kamaci

2 votes, 0 answers

SpotBugs "Maybe" Detectors

There are many detectors in SpotBugs (mostly find-sec-bugs, but also fb-contrib) that are more an indicator to the developer to come check something out and make sure there isn't an issue. These detectors flag a particular pattern and can't really…
Kevin Seymour

2 votes, 1 answer

spotbugs failed: java.lang.UnsupportedOperationException: The Security Manager is deprecated and will be removed in a future release

I'm getting an error while running mvn clean install. Locally, I have JDK 11 installed. The project is also using JDK 11. I am using a MacBook Pro with an M1 chip.
user11255252

2 votes, 0 answers

How to integrate Gradle, IntelliJ, and SpotBugs?

I have a Gradle project with subprojects and a somewhat complicated build.gradle file. I imagine that running SpotBugs from Gradle will make it easier because then SpotBugs can pick up all the classpath configuration and whatnot from Gradle. It…
hibbelig

2 votes, 0 answers

Why SpotBugs highlights inconsistent error messages in methods marked with org.jetbrains.annotations.NotNull annotation

Here are small code snippets of methods marked with org.jetbrains.annotations.NotNull. I find the errors brought up by SpotBugs for those methods to be inconsistent with what can actually happen within them. // Here SpotBugs informs that method that…

2 votes, 2 answers

Gradle spotbugs plugin

I am new to Gradle and trying to configure Spotbugs for my Spring Boot multi module project. In my parent, build.gradle, buildscript { dependencies { classpath "org.springframework.boot:spring-boot-gradle-plugin:${versionSpringBoot}" …
user1578872

2 votes, 1 answer

fix for spot bug - HRS_REQUEST_PARAMETER_TO_HTTP_HEADER

I am executing the code below inside a servlet and getting this spot bugs - HRS_REQUEST_PARAMETER_TO_HTTP_HEADER Bug: HTTP parameter directly written to HTTP header output in SSOIdpLogoutRedirect.doPost(HttpServletRequest, HttpServletResponse) String…
ashish gupta

2 votes, 1 answer

False positive Spring LDAP from findbugs-sec-plugin

It looks like it does not take into account that Filter.toString/encode can actually encode LDAP filter correctly. So if I have a flags something like Filter filter = blahblah; ldapTemplate.search("", filter.toString()); it would flag that this…
Nat

2 votes, 2 answers

Spotbugs to find bugs in java file

Currently we are running spot bugs against jars to find the bugs. Is there any way to run spotbugs over a single java file to find the list of bugs in it?
jon