Tag Archives: maven

There’s nothin’ wrong with the Findbugs Maven Plugin

I made a schoolboy error. I ventured down the road named “Thinking your tools are broken instead of your code”. I haven’t done that in years.

There’s nothing wrong with the Findbugs plugin for Maven. If you want to scan sub-packages by using the onlyAnalyze option, simply end your package declaration with .-. The manual says so.

Is findbugs-maven-plugin onlyAnalyze broken?

I cannot seem to get onlyAnalyze working for my multi-module project: regardless of what package (or pattern) I set, maven-findbugs-plugin either parses everything or nothing and it doesn’t evaluate sub-packages as I’d expect from passing it packagename.*.

To prove either myself or the plugin at fault (though I always assume it’s the former!), I setup a small Maven project with the following structure:


which is very simple!

The POM has the following findbugs configuration:


and every App.java has the following code with two obvious violations:

package acme;
import java.io.Serializable;

public class App implements Serializable
private static final class NotSer {
private String meh = "meh";

private static final NotSer ns = new NotSer();// Violation: not serializable field

public static void main( String[] args )
ns.meh = "hehehe";// Vilation: unused
System.out.println( "Hello World!" );

Note that no_detect.App has the same content as above, but my expectation is that it wouldn’t be
evaluated by findbugs because I have the “onlyAnalyze” option set to acme.* which I assume would
evaluate acme.App and acme.moo.App and nothing else.

I now execute a mvn clean install to clean, build, test, run findbugs, package, install, which
produces the following findbugs report (snipped for brevity) and results in a build failure which is expected
because acme.App and acme.moo.App:

<BugInstance category='BAD_PRACTICE' type='SE_NO_SERIALVERSIONID' instanceOccurrenceMax='0'>
<ShortMessage>Class is Serializable, but doesn't define serialVersionUID</ShortMessage>
<LongMessage>acme.App is Serializable; consider declaring a serialVersionUID</LongMessage>
<p> This field is never read.&nbsp; Consider removing it from the class.</p>
<BugPattern category='BAD_PRACTICE' abbrev='SnVI' type='SE_NO_SERIALVERSIONID'><ShortDescription>Class is Serializable, but doesn't define serialVersionUID</ShortDescription><Details>
<BugCode abbrev='UrF'><Description>Unread field</Description></BugCode><BugCode abbrev='SnVI'><Description>Serializable class with no Version ID</Description></BugCode>

To summarise: only acme.App is analysed, acme.moo.App (bad) isn’t and neither is
no_detect.App (good).

I tried with two wildcards in the onlyAnalyze option but that produces a **successful build** but
with a findbugs error (Dangling meta character '*' etc).

I tried with onlyAnalyze set to acme.*,acme.moo.* which analyzes all the expected
classes (acme.App and acme.moo.App) which means it “works” but not as I expect; i.e. I have to explicitly declare all parent-packages for the classes I want to analyze: that could get large and difficult to maintain on a multi-module project!

Must. Keep. Trying.

You wouldn’t build a palace with breeze blocks

I strongly believe that if you want to build awesome software, then every aspect of it needs to be as good as you want the final product to be.

It is often the case that aged software shops will have put in place aspects of their software that they’ll “revisit later on”, which then doesn’t happen.

It gets lost to the crowd of “more important things to do”.

One of the most common neglects I see is how a shop will build, deploy and distribute its software. At best their solution is amateur. It’s usually home-baked and rigged with esoteric and often superfluous tasks and features that are “necessary” due to some poor design decision made previously. The build system — be it continuous integration or some poor sod in the corner — has to do 30 different things, copy 11 thousand files, just to compile the few.

And so the problem persists; the rot festers; the software continues to be sub-par and so do the profit margins.

I feel that if you start from the ground-up, that you build consistently and efficiently then your software becomes such. If it is easy for a developer to build and deploy or distribute your software, it’s then easy for them to do their job. Any developer knows the pains they’ll go through day-to-day when making a change that requires a 15-minute rebuild and 5 minute deployment wait just to check the first name field doesn’t fall over on a null pointer.

With poor practice comes poor software comes poor profit.

So if you’re heading up a development shop and your developers are crying for a more efficient, simpler, consistent build process, then heed their recommendations and concerns. Let them spend the time and money streamlining how they work, because you’ll get reliability, efficiency and less coffee breaks if you do.

Would you pay for that shiny new tablet PC if it came packaged in A4 paper?

How disappointed do you feel with a product when you hold it and you “know” its build quality is poor.

Why is software any different?

You wouldn’t build a palace with breeze blocks.