spotbugs-maven-plugin icon indicating copy to clipboard operation
spotbugs-maven-plugin copied to clipboard

Published 20 hours ago verified publisher icon spotbugs

Using findsecbugs plugin along with Maven plugin doesn't work when specifying maxRank

Open jacktwilliams opened this issue 5 years ago • 5 comments

Hello, the spotbugs-maven-plugin is working, but adding the FindSecBugs plugin is having no effect. Here is my pom file <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>3.1.12.2</version> <executions> <execution> <id>spotbugs</id> <phase>compile</phase> <goals> <goal>spotbugs</goal> </goals> <configuration> <maxRank>9</maxRank> <threshold>Low</threshold> <excludeFilterFile>${platform.root}/conf/StaticAnalysis/spotbugs-exclude.xml</excludeFilterFile> <includeFilterFile>${platform.root}/conf/StaticAnalysis/spotbugs-include.xml</includeFilterFile> <!-- find-sec-bugs plugin --> <!-- <plugins> <plugin> <groupId>com.h3xstream.findsecbugs</groupId> <artifactId>findsecbugs-plugin</artifactId> <version>LATEST</version> </plugin> </plugins> --> <pluginList>/home/jack/ProgramFiles/findsecbugs-plugin-1.9.0.jar</pluginList> </configuration> </execution> </executions> </plugin> The commented tree is another approach of adding the plugin I tried, to the same effect. Using both approaches, I have examined the debugging output which seems to show that the plugin is being added successfully. This is a multi-module project, and the findsecbugs.jar is being added to the target directories of each submodule.

Now, adding the findsecbugs plugin in Eclipse does result in 6 security bugs found (that aren't being found with Maven.) Here is the Eclipse plugin version: 4.0.0.201904010749-792e955

I have tried using no filter files. Eclipse and the Maven plugin are pointed to the exact same filter files that include everything, but exclude Internationalization and Experimental.

The only other interesting thing about Eclipse... Even with the filter files, I have to select these "Security" and "Malicious Code Vulnerability" checkboxes to see the additional bugs. eclipse_spotbugs_settings

Lastly, when I look in the GUI, it shows that there are no configured plugins. Maven version 3.6.0

Thank you.

jacktwilliams avatar Sep 16 '19 20:09 jacktwilliams

So, I tried this: mvn com.github.spotbugs:spotbugs-maven-plugin:spotbugs -Dplugin=com.h3xstream.findsecbugs:findsecbugs-plugin -DincludeFilterFile="../conf/StaticAnalysis/spotbugs-include.xml" -DexcludeFilterFile="../conf/StaticAnalysis/spotbugs-exclude.xml" And the findsecbugs plugin starts working. But if I add "-DmaxRank=9" then the plugin stops working.

jacktwilliams avatar Sep 16 '19 20:09 jacktwilliams

Doing this stripped down plugin specification with no executions <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>3.1.12.2</version> <configuration> <excludeFilterFile>${platform.root}/conf/StaticAnalysis/spotbugs-exclude.xml</excludeFilterFile> <includeFilterFile>${platform.root}/conf/StaticAnalysis/spotbugs-include.xml</includeFilterFile> <pluginList>/home/jack/ProgramFiles/findsecbugs-plugin-1.9.0.jar</pluginList> </configuration> </plugin> And then calling the plugin manually, I get the following output, that I don't get in the previous comment's attempt. [INFO] --- spotbugs-maven-plugin:3.1.12.2:spotbugs (default-cli) @ CoreTC --- [INFO] Fork Value is true [java] The following classes needed for analysis were missing: [java] accept [java] run [java] apply [java] Warnings generated: 54 [java] Missing classes: 3

jacktwilliams avatar Sep 16 '19 20:09 jacktwilliams

@jacktwilliams See the integration tests, there are examples of the plugin usage. I personally have used this for a long time and it works fine. Do make sure not to use 'LATEST' but an explicit version number as 'LATEST' is bad practice and deprecated from maven usage.

hazendaz avatar Sep 17 '19 00:09 hazendaz

Thanks for the tip about 'LATEST', I pulled that from the findsecbugs documentation. However, I found the bug that is unrelated.

This pom works to generate the findsecbugs errors, but adding 'maxRank' in the config breaks the findsecbugs functionality and no security bugs are found.

<plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>3.1.12</version> <executions> <execution> <id>spotbugs</id> <phase>compile</phase> <goals> <goal>spotbugs</goal> </goals> <configuration> <excludeFilterFile>${platform.root}/conf/StaticAnalysis/spotbugs-exclude.xml</excludeFilterFile> <!-- find-sec-bugs plugin --> <plugins> <plugin> <groupId>com.h3xstream.findsecbugs</groupId> <artifactId>findsecbugs-plugin</artifactId> <version>1.9.0</version> </plugin> </plugins> </configuration> </execution> </executions> </plugin>

You can also use the CLI examples given above to see how adding maxRank breaks the findsecbugs plugin functionality.

jacktwilliams avatar Sep 17 '19 15:09 jacktwilliams

@hazendaz Oups. I did not know LATEST was deprecated. I will update the example to use open-ended version range. <version>[1.9.0)</version>

h3xstream avatar Sep 27 '19 15:09 h3xstream