Monthly Archives: February 2012

There’s nothin’ wrong with the Findbugs Maven Plugin

I made a schoolboy error. I ventured down the road named “Thinking your tools are broken instead of your code”. I haven’t done that in years.

There’s nothing wrong with the Findbugs plugin for Maven. If you want to scan sub-packages by using the onlyAnalyze option, simply end your package declaration with .-. The manual says so.

Is findbugs-maven-plugin onlyAnalyze broken?

I cannot seem to get onlyAnalyze working for my multi-module project: regardless of what package (or pattern) I set, maven-findbugs-plugin either parses everything or nothing and it doesn’t evaluate sub-packages as I’d expect from passing it packagename.*.

To prove either myself or the plugin at fault (though I always assume it’s the former!), I setup a small Maven project with the following structure:


pom.xml
src/
main/java/acme/App.java
main/java/acme/moo/App.java
main/java/no_detect/App.java

which is very simple!

The POM has the following findbugs configuration:

    <build>
        <plugins>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>findbugs-maven-plugin</artifactId>
                <version>2.4.0</version>
                <executions>
                    <execution>
                        <phase>verify</phase>
                        <goals><goal>findbugs</goal><goal>check</goal></goals>
                    </execution>
                </executions>
                <configuration>
                    <debug>true</debug>
                    <effort>Max</effort>
                    <threshold>Low</threshold>
                    <onlyAnalyze>acme.*</onlyAnalyze>
                </configuration>
            </plugin>
        </plugins>
    </build>

and every App.java has the following code with two obvious violations:


package acme;
import java.io.Serializable;

public class App implements Serializable
{
private static final class NotSer {
private String meh = "meh";
}

private static final NotSer ns = new NotSer();// Violation: not serializable field

public static void main( String[] args )
{
ns.meh = "hehehe";// Vilation: unused
System.out.println( "Hello World!" );
}
}

Note that no_detect.App has the same content as above, but my expectation is that it wouldn’t be
evaluated by findbugs because I have the “onlyAnalyze” option set to acme.* which I assume would
evaluate acme.App and acme.moo.App and nothing else.

I now execute a mvn clean install to clean, build, test, run findbugs, package, install, which
produces the following findbugs report (snipped for brevity) and results in a build failure which is expected
because acme.App and acme.moo.App:


<BugInstance category='BAD_PRACTICE' type='SE_NO_SERIALVERSIONID' instanceOccurrenceMax='0'>
<ShortMessage>Class is Serializable, but doesn't define serialVersionUID</ShortMessage>
<LongMessage>acme.App is Serializable; consider declaring a serialVersionUID</LongMessage>
<Details>
<p> This field is never read.&nbsp; Consider removing it from the class.</p>
</Details>
<BugPattern category='BAD_PRACTICE' abbrev='SnVI' type='SE_NO_SERIALVERSIONID'><ShortDescription>Class is Serializable, but doesn't define serialVersionUID</ShortDescription><Details>
<BugCode abbrev='UrF'><Description>Unread field</Description></BugCode><BugCode abbrev='SnVI'><Description>Serializable class with no Version ID</Description></BugCode>

To summarise: only acme.App is analysed, acme.moo.App (bad) isn’t and neither is
no_detect.App (good).

I tried with two wildcards in the onlyAnalyze option but that produces a **successful build** but
with a findbugs error (Dangling meta character '*' etc).

I tried with onlyAnalyze set to acme.*,acme.moo.* which analyzes all the expected
classes (acme.App and acme.moo.App) which means it “works” but not as I expect; i.e. I have to explicitly declare all parent-packages for the classes I want to analyze: that could get large and difficult to maintain on a multi-module project!

Must. Keep. Trying.