grpc-java

spotbugs

Open dkwakkel opened this issue 2 weeks ago • 1 comments

Is it possible that you move to spotbugs? This is because findbugs no longer seems to be maintained (also, e.g., if a security issue is found, it will be fixed in spotbugs).

https://sourceforge.net/p/findbugs/bugs/1487/

dkwakkel, Dec 11 '25 14:12

Hi, thanks for pointing this out. Would you be willing to raise a PR for the same?

AgraVator, Dec 15 '25 06:12

We aren't really using findbugs. We're only using annotations in jsr305 from findbugs, which isn't part of spotbugs. Spotbugs does have its own copy (with different name) of some of the annotations, but not the ones we'd actually want to use.

I already cleaned up some of the jsr305 references in:

https://github.com/grpc/grpc-java/commit/7b5d0692cc70c02ae644deb648410c7e82e7ea45

https://github.com/grpc/grpc-java/commit/70825adce6a3de06f1f93543a05a010b7c77c4aa

Nullable will need to change to JSpecify, although we're already seeing compatibility issues caused by JSpecify before we started migrating. We'll have to plan it out.

We'll need to carefully consider migrating the concurrent annotations to errorprone, as their semantics aren't necessarily identical. Anyone could take a stab at that, as long as they check for semantic differences first.

ejona86, Dec 16 '25 22:12