Disable findbugs checked bug categories in Gradle build

I have been using the Findbugs plugin in Eclipse and now want to move the functionality to my Gradle build script so that the build will fail if any serious bugs are detected. I would like to have the following bug categories disabled:

  1. Experimental
  2. Security
  3. Internationalization
  4. Malicious code

The above is the default in the Eclipse plugin. However, in Gradle, looking at the documentation, I can only find a way to disable individual bug checks. This is, however, not feasible: looking at the source code, there are close to 100 of these to go through and individually enable or disable.

Is there an easier way to disable the above-mentioned categories so that Findbugs called by Gradle behaves the same as the Eclipse plugin default config?

Edit: So far we have figured out that the "excludeFilter" option can be used to specify an XML file containing the bug checkers that should be excluded. A category to be excluded can then be specified in this file as follows:

<FindBugsFilter>
        <Match>
                <Bug category="EXPERIMENTAL"/>
        </Match> 
</FindBugsFilter>

The bug categories can be disabled by specifying the category attribute in the exclusion file:

  • Internationalization: I18N
  • Malicious code: MALICIOUS_CODE
  • Experimental: EXPERIMENTAL
  • Correctness: CORRECTNESS
  • Performance: PERFORMANCE
  • Code style: STYLE
  • Bad practice: BAD_PRACTICE

However, these category attributes do not seem to be documented, so I am not sure whether I found all of them. Will be editing this list as I find more.

asked Jul 16 '15 13:07 by mdewit
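The question's edit only shows the filter file itself. Below is an added example (not part of the original question or either answer) of the matching `build.gradle` wiring for the Gradle FindBugs plugin, so that the exclusion file is actually applied and any remaining finding fails the build. The path `config/findbugs/exclude.xml` and the choice of `effort`/`reportLevel` are assumptions; everything else is the plugin's documented configuration.

```groovy
// Added example: Gradle (Groovy DSL) build script applying the FindBugs plugin
// with an exclusion filter. The file path is an assumption; point it at the
// FindBugsFilter XML that lists the categories to exclude.
apply plugin: 'java'
apply plugin: 'findbugs'

findbugs {
    toolVersion = '3.0.1'
    effort = 'max'                 // 'min', 'default' or 'max' analysis depth
    reportLevel = 'high'           // only report high-priority findings;
                                   // drop this line to see 'medium' ones too
    ignoreFailures = false         // fail the build when anything is reported
    excludeFilter = file('config/findbugs/exclude.xml')
}

// Optional: switch the per-source-set report from XML to HTML so the failure
// can be read in a browser. Only one of the two report types may be enabled.
tasks.withType(FindBugs) {
    reports {
        xml.enabled = false
        html.enabled = true
    }
}
```

With `ignoreFailures = false` (the default) the `findbugsMain` and `findbugsTest` tasks fail on any bug that survives the exclusion filter, which is the "fail if serious bugs are detected" behaviour asked for. Keep in mind that excluding the `SECURITY` and `MALICIOUS_CODE` categories silences precisely the detectors that flag untrusted-input handling and exposure of internal state to untrusted code; mirroring the Eclipse default is convenient, but a CI build is usually the place to keep those enabled.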


2 Answers

You are right, the list of FindBugs categories seems not to be entirely documented. Searching through the source package from https://sourceforge.net/projects/findbugs/files/findbugs/3.0.1/ you can find the BugCategory definitions in the default messages.xml.

I extracted the information and created a filter matching all the categories found in findbugs-3.0.1\etc\messages.xml:

<FindBugsFilter>
    <!-- Probable bug - an apparent coding mistake resulting in code that was 
        probably not what the developer intended. We strive for a low false positive 
        rate. -->
    <Match>
        <Bug category="CORRECTNESS" />
    </Match>

    <!-- Bogus random noise: intended to be useful as a control in data mining 
        experiments, not in finding actual bugs in software. -->
    <Match>
        <Bug category="NOISE" />
    </Match>

    <!-- A use of untrusted input in a way that could create a remotely exploitable 
        security vulnerability. -->
    <Match>
        <Bug category="SECURITY" />
    </Match>

    <!-- Violations of recommended and essential coding practice. Examples include 
        hash code and equals problems, cloneable idiom, dropped exceptions, Serializable 
        problems, and misuse of finalize. We strive to make this analysis accurate, 
        although some groups may not care about some of the bad practices. -->
    <Match>
        <Bug category="BAD_PRACTICE" />
    </Match>

    <!-- code that is confusing, anomalous, or written in a way that leads itself 
        to errors. Examples include dead local stores, switch fall through, unconfirmed 
        casts, and redundant null check of value known to be null. More false positives 
        accepted. In previous versions of FindBugs, this category was known as Style. -->
    <Match>
        <Bug category="STYLE" />
    </Match>

    <!-- code that is not necessarily incorrect but may be inefficient -->
    <Match>
        <Bug category="PERFORMANCE" />
    </Match>

    <!-- code that is vulnerable to attacks from untrusted code -->
    <Match>
        <Bug category="MALICIOUS_CODE" />
    </Match>

    <!-- code flaws having to do with threads, locks, and volatiles -->
    <Match>
        <Bug category="MT_CORRECTNESS" />
    </Match>

    <!-- code flaws having to do with internationalization and locale -->
    <Match>
        <Bug category="I18N" />
    </Match>

    <!-- Experimental and not fully vetted bug patterns -->
    <Match>
        <Bug category="EXPERIMENTAL" />
    </Match>

</FindBugsFilter>
answered Oct 15 '22 13:10 by Selaron
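The answer above hand-extracted the category list from messages.xml. The following is an added example (not the answerer's code and not part of FindBugs) of doing the same extraction in a Groovy script, so that a new FindBugs version can be rechecked and so that a misspelled category name in the exclusion list is caught instead of silently matching nothing. The inline messages.xml fragment is a constructed, abbreviated stand-in for the real file; the output file name `findbugs-exclude.xml` is an assumption. It assumes Groovy 2.x or 3.x as bundled with Gradle, where `XmlSlurper` is auto-imported from `groovy.util` (on Groovy 4 add `import groovy.xml.XmlSlurper`).

```groovy
// Added example: derive the valid FindBugs category names from messages.xml,
// validate the requested exclusions against them, and write a FindBugsFilter
// suitable for Gradle's excludeFilter. Not taken from the question or answers.
import groovy.xml.MarkupBuilder

// Constructed, abbreviated stand-in for findbugs-3.0.1/etc/messages.xml.
// In a real build, read the file from the unpacked FindBugs distribution instead.
String messagesXml = '''
<MessageCollection>
  <BugCategory category="CORRECTNESS"><Description>Correctness</Description></BugCategory>
  <BugCategory category="SECURITY"><Description>Security</Description></BugCategory>
  <BugCategory category="MALICIOUS_CODE"><Description>Malicious code vulnerability</Description></BugCategory>
  <BugCategory category="I18N"><Description>Internationalization</Description></BugCategory>
  <BugCategory category="EXPERIMENTAL"><Description>Experimental</Description></BugCategory>
  <BugCategory category="MT_CORRECTNESS"><Description>Multithreaded correctness</Description></BugCategory>
  <BugCategory category="BAD_PRACTICE"><Description>Bad practice</Description></BugCategory>
</MessageCollection>
'''

/** Category names declared in messages.xml, in document order. */
List<String> knownCategories(String xml) {
    def root = new XmlSlurper().parseText(xml)
    root.BugCategory.collect { it.@category.text() }
}

/**
 * Build the FindBugsFilter document, one <Match><Bug category=.../></Match>
 * per excluded category. Throws on a category that messages.xml does not
 * declare, because FindBugs would otherwise accept the typo and exclude nothing.
 */
String buildExcludeFilter(List<String> toExclude, List<String> known) {
    def unknown = toExclude - known
    if (unknown) {
        throw new IllegalArgumentException("Unknown FindBugs categories: ${unknown}")
    }
    def out = new StringWriter()
    def builder = new MarkupBuilder(out)
    builder.FindBugsFilter {
        toExclude.each { cat ->
            Match { Bug(category: cat) }
        }
    }
    out.toString()
}

def known = knownCategories(messagesXml)
println "Categories declared in messages.xml: ${known}"

// The Eclipse plugin default from the question: Experimental, Security,
// Internationalization, Malicious code.
def filter = buildExcludeFilter(['EXPERIMENTAL', 'SECURITY', 'I18N', 'MALICIOUS_CODE'], known)
println filter
new File('findbugs-exclude.xml').text = filter   // output path is an assumption
```

Run it with `groovy` (or paste the two functions into a Gradle task) and point the `findbugs { excludeFilter = file(...) }` setting at the generated file. The validation step matters more than it looks: FindBugs does not report an unrecognised `category` value in a filter, so a typo such as `BAD_PRACTICICE` would quietly leave that category enabled, which is the opposite of what the build author intended.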


I haven't used FindBugs with Gradle before, but it sounds like the excludeFilter option takes a FindBugs XML file that you can use to filter out entire categories.

The FindBugs Filter manual

For more coarse-grained matching, use the code attribute. It takes a comma-separated list of bug abbreviations. For most coarse-grained matching use the category attribute, that takes a comma-separated list of bug category names: CORRECTNESS, MT_CORRECTNESS, BAD_PRACTICE, PERFORMANCE, STYLE.

If more than one of the attributes mentioned above are specified on the same element, all bug patterns that match either one of the specified pattern names, or abbreviations, or categories will be matched.

So I think you should be able to make an XML file like this:

<FindBugsFilter>
  <!-- category names go in the category attribute, not pattern -->
  <Match>
    <Bug category="EXPERIMENTAL"/>
  </Match>

  <Match>
    <Bug category="MALICIOUS_CODE"/>
  </Match>
  <!-- ...etc -->
</FindBugsFilter>
answered Oct 15 '22 14:10 by dkatzel