Fork me on GitHub

------

Usage version4.8.6.5-SNAPSHOT/version The following examples describe the basic usage of the SpotBugs plugin.

Generate SpotBugs Report As Part of the Project Reports

To generate the SpotBugs report as part of the Project Reports, add the SpotBugs plugin in the <reporting> section of your pom.xml.

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>4.8.6.5-SNAPSHOT</version>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Generate SpotBugs xdoc Report As Part of the Project Reports

To generate the SpotBugs xdoc report as part of the Project Reports, add the SpotBugs plugin in the <reporting> section of your pom.xml. This will be the same report as that of the Maven 1 SpotBugs report. It is also the format used by Hudson. The output file will be written as spotbugs.xml to either the default output directory of ${project.build.directory} or by that started in the <xmlOutputDirectory> option.

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>4.8.6.5-SNAPSHOT</version>
        <configuration>
          <xmlOutput>true</xmlOutput>
          <!-- Optional directory to put spotbugs xdoc xml report -->
          <xmlOutputDirectory>target/site</xmlOutputDirectory>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Specifying which bug filters to run

To filter the classes and methods which are analyzed or omitted from analysis you can use filters. The filters allow specifying by class and method which bug categories to include/exclude in/from the reports. The filter format specification also contains useful examples.

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>4.8.6.5-SNAPSHOT</version>
        <configuration>
          <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
          <includeFilterFile>spotbugs-include.xml</includeFilterFile>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Specifying which bug detectors to run

The visitors option specifies a comma-separated list of bug detectors which should be run. The bug detectors are specified by their class names, without any package qualification. By default, all detectors which are not disabled are run.

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>4.8.6.5-SNAPSHOT</version>
        <configuration>
          <visitors>FindDeadLocalStores,UnreadFields</visitors>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Specifying which bug detectors to skip

The omitVisitors option is like the visitors attribute, except it specifies detectors which will not be run.

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>4.8.6.5-SNAPSHOT</version>
        <configuration>
          <omitVisitors>FindDeadLocalStores,UnreadFields</omitVisitors>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Specifying which classes to analyze

The onlyAnalyze option restricts analysis to the given comma-separated list of classes and packages.

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>4.8.6.5-SNAPSHOT</version>
        <configuration>
         <onlyAnalyze>com.github.spotbugs.spotbugs.*</onlyAnalyze>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Using Third party or your own detectors

The pluginList option specifies a comma-separated list of optional BugDetector Jar files to add.

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>4.8.6.5-SNAPSHOT</version>
        <configuration>
          <pluginList>myDetectors.jar, yourDetectors.jar</pluginList>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Using Detectors from a Repository

The plugins option defines a collection of PluginArtifact to work on. (PluginArtifact contains groupId, artifactId, version, type.)

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>4.8.6.5-SNAPSHOT</version>
        <configuration>
          <plugins>
            <plugin>
              <groupId>com.timgroup</groupId>
              <artifactId>spotbugs4jmock</artifactId>
              <version>0.2</version>
            </plugin>
          </plugins>
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the site plugin to generate the report.

mvn site

Launch the Spotbugs GUI

This will launch the SpotBugs GUI configured for this project and will open the spotbugsXml.xml file if present. It therefore assumes a pom.xml with the minimum as follows.

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <reporting>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>4.8.6.5-SNAPSHOT</version>
        <configuration>
          <!-- Optional directory to put spotbugs xml report -->
        </configuration>
      </plugin>
    </plugins>
  </reporting>
  ...
</project>

Then, execute the spotbugs plugin with the gui option.

mvn spotbugs:gui