
Maven Codehaus findbugs plugin "onlyAnalyze" option not working as expected

Update for the impatient: it's simple, use package.- for sub-package scanning instead of package.*, as-per martoe's answer below!

I cannot seem to get onlyAnalyze working for my multi-module project: regardless of what package (or pattern) I set, maven-findbugs-plugin doesn't evaluate sub-packages as I'd expect from passing it packagename.*.

To prove either myself or the plugin at fault (though I always assume it's the former!), I set up a small Maven project with the following structure:

pom.xml
src/
    main/java/acme/App.java
    main/java/acme/moo/App.java
    main/java/no_detect/App.java

which is very simple!

The POM has the following findbugs configuration:

<build>
    <plugins>
        <plugin>
            <groupId>org.codehaus.mojo</groupId>
            <artifactId>findbugs-maven-plugin</artifactId>
            <version>2.4.0</version>
            <executions>
                <execution>
                    <phase>verify</phase>
                    <goals><goal>findbugs</goal><goal>check</goal></goals>
                </execution>
            </executions>
            <configuration>
                <debug>true</debug>
                <effort>Max</effort>
                <threshold>Low</threshold>
                <onlyAnalyze>acme.*</onlyAnalyze>
            </configuration>
        </plugin>
    </plugins>
</build>

and every App.java has the following code with two obvious violations:

package acme;
import java.io.Serializable;

public class App implements Serializable
{
    private static final class NotSer {
        private String meh = "meh";
    }

    private static final NotSer ns = new NotSer();// Violation: not serializable field

    public static void main( String[] args )
    {
        ns.meh = "hehehe";// Violation: unused
        System.out.println( "Hello World!" );
    }
}

Note that no_detect.App has the same content as above, but my expectation is that it wouldn't be evaluated by findbugs because I have the "onlyAnalyze" option set to acme.* which I assume would evaluate acme.App and acme.moo.App and nothing else.

I now execute a mvn clean install to clean, build, test, run findbugs, package, install, which produces the following findbugs report (snipped for brevity) and results in a build failure which is expected because acme.App and acme.moo.App:

<BugInstance category='BAD_PRACTICE' type='SE_NO_SERIALVERSIONID' instanceOccurrenceMax='0'>
<ShortMessage>Class is Serializable, but doesn't define serialVersionUID</ShortMessage>
<LongMessage>acme.App is Serializable; consider declaring a serialVersionUID</LongMessage>
<Details>
  &lt;p&gt; This field is never read.&amp;nbsp; Consider removing it from the class.&lt;/p&gt;
</Details>
<BugPattern category='BAD_PRACTICE' abbrev='SnVI' type='SE_NO_SERIALVERSIONID'><ShortDescription>Class is Serializable, but doesn't define serialVersionUID</ShortDescription><Details>
<BugCode abbrev='UrF'><Description>Unread field</Description></BugCode><BugCode abbrev='SnVI'><Description>Serializable class with no Version ID</Description></BugCode>

To summarise: only acme.App is analysed, acme.moo.App isn't (bad) and neither is no_detect.App (good).

I tried with two wildcards in the onlyAnalyze option but that produces a successful build but with a findbugs error (Dangling meta character '*' etc).

I tried with onlyAnalyze set to acme.*,acme.moo.* which analyzes all the expected classes (acme.App and acme.moo.App) which means it "works" but not as I expect; i.e. I have to explicitly declare all parent-packages for the classes I want to analyze: that could get large and difficult to maintain on a multi-module project!

Do I have to define every package I want analyzed, or can I declare a wildcard/regex pattern that will do what I want?

I'd rather not use the inclusion/exclusion XML because that requires far more setup and reasoning that I don't currently have time for...

Alex asked Feb 13 '12 10:02



1 Answer

To cite the Findbugs manual: "Replace .* with .- to also analyze all subpackages"

martoe answered Nov 14 '22 23:11
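The scoping rule quoted in the answer, as an added example that is not part of the original post or of FindBugs itself: a small model of the documented onlyAnalyze semantics (exact class, `pkg.*` for one package, `pkg.-` for a package and its sub-packages) that reports which classes a given value leaves unanalyzed. The function names are hypothetical, and the class list is the three classes from the question.

```python
"""Model of the documented onlyAnalyze matching rules (not FindBugs code)."""


def _matches(item: str, class_name: str) -> bool:
    """Return True if one onlyAnalyze list item selects class_name."""
    package, _, _simple = class_name.rpartition(".")
    if item.endswith(".-"):
        # "pkg.-": the package and every sub-package (prefix match on "pkg.").
        return class_name.startswith(item[:-1])
    if item.endswith(".*"):
        # "pkg.*": only classes that sit directly in pkg.
        return package == item[:-2]
    # Anything else is treated as a fully qualified class name.
    return class_name == item


def in_scope(only_analyze: str, class_name: str) -> bool:
    """Evaluate a comma-separated onlyAnalyze value against one class."""
    items = [i.strip() for i in only_analyze.split(",") if i.strip()]
    return any(_matches(i, class_name) for i in items)


def unanalyzed(only_analyze: str, class_names: list[str]) -> list[str]:
    """Classes that the static-analysis run would silently skip."""
    return sorted(c for c in class_names if not in_scope(only_analyze, c))


# The three classes from the question's sample project.
CLASSES = ["acme.App", "acme.moo.App", "no_detect.App"]

if __name__ == "__main__":
    for value in ("acme.*", "acme.*,acme.moo.*", "acme.-"):
        print(f"{value!r} skips {unanalyzed(value, CLASSES)}")
```

Running such a check against the project's real class list before the build makes a too-narrow analysis scope visible instead of leaving sub-packages unscanned without any warning.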