Skip to content

spotbugs/spotbugs-maven-plugin

BranchesTags

Repository files navigation

Spotbugs Maven Plugin

Java CI Java Integration Tests Coverage Status Quality Gate Status Maven Central Reproducible Builds Apache 2

Maven Mojo Plug-In to generate reports based on the SpotBugs Analyzer.

Building spotbugs-maven-plugin Requirements

  • Java 17+ is required to build the spotbugs maven plugin. Usage allowed to currently supported jdks (ie 17, 21, 24, 25-ea).
  • Maven 3.9.11 is required to build the spotbugs maven plugin.

Running spotbugs-maven-plugin Requirements

  • Java 11 or better is required for spotbugs analysis.
  • Maven 3.6.3 or better is required for spotbugs analysis.

Usage

The SpotBugs documentation describes the pom.xml modifications and Maven goals.

The SpotBugs Maven documentation directly describes the pom.xml modifications and Maven goals along with project documentation.

Latest Snapshot

Please download latest snapshot.

Override Spotbugs Version

Spotbugs aligns with spotbugs releases but normally does not have a hard requirement on this, therefore you can override the spotbugs version as follows replacing the spotbugs plugin and spotbugs versions as you need.

    <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>${spotbugs-maven-plugin.version}</version>
        <dependencies>
            <dependency>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs</artifactId>
                <version>${spotbugs.version}</version>
            </dependency>
        </dependencies>
    </plugin>

Special notice

Continue to use FindBugsFilter when needed as the spotbugs project has not yet renamed that to reflect project.

Running Tests

Run all tests

mvn -DtestSrc=remote -Prun-its clean install -D"invoker.parallelThreads=8"

Skip tests

mvn -DskipTests=true clean install

Run tests on spotbugs test source code that is local instead of from SpotBugs github repository

mvn -DtestSrc=local -DlocalTestSrc=/opt/spotBugs -Prun-its clean install -D"invoker.parallelThreads=8"

Run selected tests

mvn -DtestSrc=remote -Prun-its -Dinvoker.test=build-*,basic-1,check-nofail clean install -D"invoker.parallelThreads=8"

Run tests in debugger

mvn -Dmaven.surefire.debug="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 -Xnoagent -Djava.compiler=NONE" -Prun-its clean install

Run selected tests in debugger

mvn -Dmaven.surefire.debug="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 -Xnoagent -Djava.compiler=NONE" -Prun-its -Dinvoker.test=build-*,basic-1,check clean install

Run gui with a specific version

mvn com.github.spotbugs:spotbugs-maven-plugin:${spotbugs.plugin}:gui

Creating new site examples

This product site contains a copy of an integration test result using spotbugs to show how it works. To update that, use the following instructions.

  • Execute mvn -DtestSrc=remote -Prun-its clean install -D"invoker.parallelThreads=8"
  • Then replace current src/site/resources/examples entirely with any working example 'site' folder (Currently uses target/it/basic-1/target/site and includes spotbugs.xml and spotbugsXml.xml from target/it/basic-1/target).
  • Commit results and submit a pull request to apply.

Contributing

Run integration tests

mvn clean install -P run-its -DtestSrc=remote

Groovy

This plugin is written entirely in Groovy. It does have limitations when it comes to Groovy in relation to java releases. Every attempt is made to ensure fast releases to pick up Groovy changes related to java.

Known issues

The security manager is turned off by default in jdk 18 and scheduled from removal in a future java release, therefore to use this plugin with jdk 18+, the security manager may need to be turned back on by setting JAVA_OPTS to -Djava.security.manager=allow. See groovy for more details.

If using Groovy with same group id (org.codehaus.groovy 3.x and before; or org.apache.groovy 4.x and above), an error may occur if not on same version. To alleviate that, make sure Groovy artifacts are defined in dependencyManagement to ensure the correct version is loaded.

Eclipse m2e Integration

The plugin cycles controlled by Eclipse require compilation phase for m2e without further help. This plugin runs verify only during site generation. Therefore Eclipse m2e will show up but not do anything with this plugin alone. In order to have proper execution within Eclipse m2e, use m2e-code-quality plugin for spotbugs.

Analysis Properties

Is there some way to set the Analysis Properties when using the maven plugin?

Analysis properties are passed as Java system properties, so they can be set in the <jvmArgs> in the <configuration> block of the plugin.

E.g. to set the findbugs.assertionmethods analyzer property:

<plugin>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <configuration>
        <jvmArgs>-Dfindbugs.assertionmethods=org.apache.commons.lang3.Validate.notNull</jvmArgs>
    </configuration>
</plugin>

About

Maven Mojo Plug-In to generate reports based on the SpotBugs Analyzer

spotbugs.github.io/spotbugs-maven-plugin/

Topics

maven-plugin spotbugs spotbugs-plugin

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

92 stars

Watchers

5 watching

Forks

56 forks
Report repository

Releases 53

Spotbugs Maven Plugin 4.9.4.1 Latest
Sep 2, 2025
+ 52 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages