Step 1 run the spotbugs check -> Step 2 run some custom script on the result of the check -> Step 3 publish to website only if step 2 is ok

[patpatpat123]

Hello team,

I would like to reach out with a question/issue if possible.

---

What I am trying to do:

We have a CI pipeline where spotbugs is a crucial part.

The pipeline has three steps.

Step 1 -> runs mvn clean install spotbugs:spotbugs

The goal of step 1 is to analyze the code and generate a report

---

Step 2 -> This step depends on step 1 (cannot happen without step 1)

Step 2 is a custom script that will parse this spotbugs report file.

We have some custom in-house parsing rules, parsing the spotbugs report. To keep the question light, I am going to omit the script.

If some bugs of interest are found, the script will start sending emails, page someone, etc.

If some bugs of interest are found. This step will terminate and kill the pipeline. (There is no need to proceed).

If no spotbugs issues of interest are found, or no spotbugs issues at all, we will go to step 3.

---

Step 3 -> This step only happens if steps 1 and 2 are good.

At this point, we publish a website via maven site using mvn -site

The spotbugs report in the website might be all clean (no issues at all), or contain some spotbugs issues that are not of interest (because if there were issues of interest, the previous step would catch it and we will not go to this step)

The caveat is that step 3 should not happen before step 2 (we do not wish to publish a website that can contain spotbugs issues of interest)

---

To achieve the above, we tried three different approaches:

Approach 1: configure spotbugs plugin in the maven build section only

Approach 2: configure spotbugs in the maven report section only

Approach 3: configure spotbugs in both the maven build and report section.

Below are the results for each approach:

---

Approach 1: configure spotbugs plugin in the maven build section only

   <build>
        <plugins>
            <plugin>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs-maven-plugin</artifactId>
                <version>4.9.3.0</version>
                <configuration>
                    <outputDirectory>target/reports/findbugs</outputDirectory>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-site-plugin</artifactId>
                <version>3.21.0</version>
            </plugin>
        </plugins>
    </build>

    <reporting>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-project-info-reports-plugin</artifactId>
                <version>3.9.0</version>
            </plugin>
        </plugins>
    </reporting>

we run for step 1 : mvn package spotbugs:spotbugs
and for step 3: mvn site

Result 1:

we can see in the logs of step 1 (happy):

[INFO] --- spotbugs:4.9.3.0:spotbugs (default-cli) @ question ---
[INFO] Fork Value is true
[INFO] Done SpotBugs Analysis....

issue:

But for step 3, we do NOT see the report in the website

---

Approach 2: configure spotbugs in the maven report section only

   <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-site-plugin</artifactId>
                <version>3.21.0</version>
            </plugin>
        </plugins>
    </build>

    <reporting>
        <plugins>
             <plugin>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs-maven-plugin</artifactId>
                <version>4.9.3.0</version>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-project-info-reports-plugin</artifactId>
                <version>3.9.0</version>
            </plugin>
        </plugins>
    </reporting>

Issue, this yield:

[ERROR] No plugin found for prefix 'spotbugs' in the current project and in the plugin groups [org.apache.maven.plugins, org.codehaus.mojo] available from the repositories [local (/root/.m2/repository), central (https://repo.maven.apache.org/maven2)] -> [Help 1]

---

Approach 3: configure spotbugs in both the maven build and report section.

   <build>
        <plugins>
            <plugin>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs-maven-plugin</artifactId>
                <version>4.9.3.0</version>
                <configuration>
                    <outputDirectory>target/reports/findbugs</outputDirectory>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-site-plugin</artifactId>
                <version>3.21.0</version>
            </plugin>
        </plugins>
    </build>

<reporting>
        <plugins>
             <plugin>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs-maven-plugin</artifactId>
                <version>4.9.3.0</version>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-project-info-reports-plugin</artifactId>
                <version>3.9.0</version>
            </plugin>
        </plugins>
    </reporting>

Approach 3 WORKS!

Couple of observations however:

It seems there are a lot of duplications

Duplication 1: the plugin needs to be present in both sections
Duplication 2: it seems the scan is run twice, as we are seeing this logs

logs from Step 1:

[INFO] --- spotbugs:4.9.3.0:spotbugs (default-cli) @ question ---
[INFO] Fork Value is true
[INFO] Done SpotBugs Analysis....

logs from Step 3:

[INFO] Configuring report plugin spotbugs-maven-plugin:4.9.3.0
[INFO] Detected 1 report for spotbugs-maven-plugin:4.9.3.0: spotbugs

[INFO] Fork Value is true
[INFO] Done SpotBugs Analysis....

[INFO] Generating "SpotBugs" report      --- spotbugs-maven-plugin:4.9.3.0:spotbugs

• Question:

What I am trying to achieve is this three-step process.
I do believe it is possible. And hopefully, you find the goal is fair enough.

May I ask if I did something wrong in either approach 1 or approach 2 as it is not working?

Is there a way to remove the duplication from approach three and yet still get the correct result?

Thank you for your time reading me (it was pobably a bit long, but I wanted to back my claims with data and facts).

Good day!

[hazendaz]

The issue you face is with how maven works not with the plugin. Report plugins must be defined first. Use plugin management for that then your #2 likely does what you want. Option #1 fails to generate site since you did not tell it to do so, report section is required. As to number 3, it has to do with execution phases you are relying on. If you want less runs, then you need to play around with phases and possibly profiles to achieve what you want. In every case this is basics of how maven works. For example if you used javadocs plugin in same way, you would have identical concerns. Hope that helps. Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: patpatpat123 ***@***.***> Sent: Thursday, April 3, 2025 1:05:43 AM To: spotbugs/spotbugs-maven-plugin ***@***.***> Cc: Subscribed ***@***.***> Subject: [spotbugs/spotbugs-maven-plugin] Step 1 run the spotbugs check -> Step 2 run some custom script on the result of the check -> Step 3 publish to website only if step 2 is ok (Issue #1039) Hello team, I would like to reach out with a question/issue if possible.

________________________________ What I am trying to do: We have a CI pipeline where spotbugs is a crucial part. The pipeline has three steps. Step 1 -> runs mvn clean install spotbugs:spotbugs The goal of step 1 is to analyze the code and generate a report

________________________________ Step 2 -> This step depends on step 1 (cannot happen without step 1) Step 2 is a custom script that will parse this spotbugs report file. We have some custom in-house parsing rules, parsing the spotbugs report. To keep the question light, I am going to omit the script. If some bugs of interest are found, the script will start sending emails, page someone, etc. If some bugs of interest are found. This step will terminate and kill the pipeline. (There is no need to proceed). If no spotbugs issues of interest are found, or no spotbugs issues at all, we will go to step 3.

________________________________ Step 3 -> This step only happens if steps 1 and 2 are good. At this point, we publish a website via maven site using mvn -site The spotbugs report in the website might be all clean (no issues at all), or contain some spotbugs issues that are not of interest (because if there were issues of interest, the previous step would catch it and we will not go to this step) The caveat is that step 3 should not happen before step 2 (we do not wish to publish a website that can contain spotbugs issues of interest)

________________________________ To achieve the above, we tried three different approaches: Approach 1: configure spotbugs plugin in the maven build section only Approach 2: configure spotbugs in the maven report section only Approach 3: configure spotbugs in both the maven build and report section. Below are the results for each approach:

________________________________ Approach 1: configure spotbugs plugin in the maven build section only <build> <plugins> <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>4.9.3.0</version> <configuration> <outputDirectory>target/reports/findbugs</outputDirectory> </configuration> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-site-plugin</artifactId> <version>3.21.0</version> </plugin> </plugins> </build> <reporting> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-project-info-reports-plugin</artifactId> <version>3.9.0</version> </plugin> </plugins> </reporting> we run for step 1 : mvn package spotbugs:spotbugs and for step 3: mvn site Result 1: we can see in the logs of step 1 (happy): [INFO] --- spotbugs:4.9.3.0:spotbugs (default-cli) @ question --- [INFO] Fork Value is true [INFO] Done SpotBugs Analysis.... issue: But for step 3, we do NOT see the report in the website

________________________________ Approach 2: configure spotbugs in the maven report section only <build> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-site-plugin</artifactId> <version>3.21.0</version> </plugin> </plugins> </build> <reporting> <plugins> <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>4.9.3.0</version> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-project-info-reports-plugin</artifactId> <version>3.9.0</version> </plugin> </plugins> </reporting> Issue, this yield: [ERROR] No plugin found for prefix 'spotbugs' in the current project and in the plugin groups [org.apache.maven.plugins, org.codehaus.mojo] available from the repositories [local (/root/.m2/repository), central (https://repo.maven.apache.org/maven2)] -> [Help 1]

________________________________ Approach 3: configure spotbugs in both the maven build and report section. <build> <plugins> <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>4.9.3.0</version> <configuration> <outputDirectory>target/reports/findbugs</outputDirectory> </configuration> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-site-plugin</artifactId> <version>3.21.0</version> </plugin> </plugins> </build> <reporting> <plugins> <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>4.9.3.0</version> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-project-info-reports-plugin</artifactId> <version>3.9.0</version> </plugin> </plugins> </reporting> Approach 3 WORKS! Couple of observations however: It seems there are a lot of duplications Duplication 1: the plugin needs to be present in both sections Duplication 2: it seems the scan is run twice, as we are seeing this logs logs from Step 1: [INFO] --- spotbugs:4.9.3.0:spotbugs (default-cli) @ question --- [INFO] Fork Value is true [INFO] Done SpotBugs Analysis.... logs from Step 3: [INFO] Configuring report plugin spotbugs-maven-plugin:4.9.3.0 [INFO] Detected 1 report for spotbugs-maven-plugin:4.9.3.0: spotbugs [INFO] Fork Value is true [INFO] Done SpotBugs Analysis.... [INFO] Generating "SpotBugs" report --- spotbugs-maven-plugin:4.9.3.0:spotbugs * Question: What I am trying to achieve is this three-step process. I do believe it is possible. And hopefully, you find the goal is fair enough. May I ask if I did something wrong in either approach 1 or approach 2 as it is not working? Is there a way to remove the duplication from approach three and yet still get the correct result? Thank you for your time reading me (it was pobably a bit long, but I wanted to back my claims with data and facts). Good day! — Reply to this email directly, view it on GitHub<#1039>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAHODIZYDI735PRKXDWEHML2XS6SPAVCNFSM6AAAAAB2LGJ22CVHI2DSMVQWIX3LMV43ASLTON2WKOZSHE3DQMZUGU3DGNQ>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***> [patpatpat123]patpatpat123 created an issue (spotbugs/spotbugs-maven-plugin#1039)<#1039> Hello team, I would like to reach out with a question/issue if possible.

________________________________ What I am trying to do: We have a CI pipeline where spotbugs is a crucial part. The pipeline has three steps. Step 1 -> runs mvn clean install spotbugs:spotbugs The goal of step 1 is to analyze the code and generate a report

________________________________ Step 2 -> This step depends on step 1 (cannot happen without step 1) Step 2 is a custom script that will parse this spotbugs report file. We have some custom in-house parsing rules, parsing the spotbugs report. To keep the question light, I am going to omit the script. If some bugs of interest are found, the script will start sending emails, page someone, etc. If some bugs of interest are found. This step will terminate and kill the pipeline. (There is no need to proceed). If no spotbugs issues of interest are found, or no spotbugs issues at all, we will go to step 3.

________________________________ Step 3 -> This step only happens if steps 1 and 2 are good. At this point, we publish a website via maven site using mvn -site The spotbugs report in the website might be all clean (no issues at all), or contain some spotbugs issues that are not of interest (because if there were issues of interest, the previous step would catch it and we will not go to this step) The caveat is that step 3 should not happen before step 2 (we do not wish to publish a website that can contain spotbugs issues of interest)

________________________________ To achieve the above, we tried three different approaches: Approach 1: configure spotbugs plugin in the maven build section only Approach 2: configure spotbugs in the maven report section only Approach 3: configure spotbugs in both the maven build and report section. Below are the results for each approach:

________________________________ Approach 1: configure spotbugs plugin in the maven build section only <build> <plugins> <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>4.9.3.0</version> <configuration> <outputDirectory>target/reports/findbugs</outputDirectory> </configuration> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-site-plugin</artifactId> <version>3.21.0</version> </plugin> </plugins> </build> <reporting> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-project-info-reports-plugin</artifactId> <version>3.9.0</version> </plugin> </plugins> </reporting> we run for step 1 : mvn package spotbugs:spotbugs and for step 3: mvn site Result 1: we can see in the logs of step 1 (happy): [INFO] --- spotbugs:4.9.3.0:spotbugs (default-cli) @ question --- [INFO] Fork Value is true [INFO] Done SpotBugs Analysis.... issue: But for step 3, we do NOT see the report in the website

________________________________ Approach 2: configure spotbugs in the maven report section only <build> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-site-plugin</artifactId> <version>3.21.0</version> </plugin> </plugins> </build> <reporting> <plugins> <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>4.9.3.0</version> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-project-info-reports-plugin</artifactId> <version>3.9.0</version> </plugin> </plugins> </reporting> Issue, this yield: [ERROR] No plugin found for prefix 'spotbugs' in the current project and in the plugin groups [org.apache.maven.plugins, org.codehaus.mojo] available from the repositories [local (/root/.m2/repository), central (https://repo.maven.apache.org/maven2)] -> [Help 1]

________________________________ Approach 3: configure spotbugs in both the maven build and report section. <build> <plugins> <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>4.9.3.0</version> <configuration> <outputDirectory>target/reports/findbugs</outputDirectory> </configuration> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-site-plugin</artifactId> <version>3.21.0</version> </plugin> </plugins> </build> <reporting> <plugins> <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>4.9.3.0</version> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-project-info-reports-plugin</artifactId> <version>3.9.0</version> </plugin> </plugins> </reporting> Approach 3 WORKS! Couple of observations however: It seems there are a lot of duplications Duplication 1: the plugin needs to be present in both sections Duplication 2: it seems the scan is run twice, as we are seeing this logs logs from Step 1: [INFO] --- spotbugs:4.9.3.0:spotbugs (default-cli) @ question --- [INFO] Fork Value is true [INFO] Done SpotBugs Analysis.... logs from Step 3: [INFO] Configuring report plugin spotbugs-maven-plugin:4.9.3.0 [INFO] Detected 1 report for spotbugs-maven-plugin:4.9.3.0: spotbugs [INFO] Fork Value is true [INFO] Done SpotBugs Analysis.... [INFO] Generating "SpotBugs" report --- spotbugs-maven-plugin:4.9.3.0:spotbugs * Question: What I am trying to achieve is this three-step process. I do believe it is possible. And hopefully, you find the goal is fair enough. May I ask if I did something wrong in either approach 1 or approach 2 as it is not working? Is there a way to remove the duplication from approach three and yet still get the correct result? Thank you for your time reading me (it was pobably a bit long, but I wanted to back my claims with data and facts). Good day! — Reply to this email directly, view it on GitHub<#1039>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAHODIZYDI735PRKXDWEHML2XS6SPAVCNFSM6AAAAAB2LGJ22CVHI2DSMVQWIX3LMV43ASLTON2WKOZSHE3DQMZUGU3DGNQ>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[patpatpat123]

Hey @hazendaz ,

Thank you for taking some of your time to look into this.

Your explanation makes sense.
Especially the Javadoc part. I had a chance to verify by using the javadoc plugin, and indeed, it is the same as spotbugs for my three steps, you are correct.

With that said, I was trying to find some "technical counter-examples" and managed to find few already.
This is not to compare spotbugs to other plugins, just to illustrate what I am trying to achieve.
Taking other plugins, PMD, checkstyle and Pitest.

as an example (this is just an example) PITEST

At step 1, PITEST would result in something like this

[INFO] --- pitest:1.19.0:mutationCoverage 
>> Ran 81 tests (1.23 tests per mutation)

And this would generate a report (similar to the spotbugs report)

At step 2, we have another script which will parse the mutations failures, exactly the same as what we are trying to do with step 2 spotbugs.

At step 3, PITEST will NOT run again, we will see in the logs something like this:

[INFO] Configuring report plugin pitest-maven:1.19.0
[INFO] Detected 2 reports for pitest-maven:1.19.0: report, report-aggregate

And produces a website, same for check style, pmd.

However, for spotbugs, it seems that the duplication must be run?

If that is the case, could you please consider a feature request, something like PMD, checkstyle, pitest, where one step can run the analysis and generate a report. And on the site phase, even run later, if there is a report that exist, to simply just take it without having to rerun the nalaysis and put it inside the site?

[ryleighmikami]

Hello @hazendaz @patpatpat123 ,

I would like to achieve the same.

May I ask if there are any docs on how to do so?

[hazendaz]

I've been rewriting a lot of this stack and getting really familiar with what its doing exactly. The 'duplication' isn't duplication. Maven site runs its own lifecyle, it is not tied to the normal build that might execute spotbugs otherwise. So while it appears twice that is accurate in how maven works.

I'm not sure how pmd and others work. Someone with deeper knowledge there would need to write up a solution to this. I don't see it as a problem with the framework. Will leave this open but not seeing anything that immediately would help the use case.