findbugs

FindBugs command line: how to specify the project to be analyzed?

蓝咒 submitted on 2019-12-22 06:47:27

Question: I tried to run FindBugs from the command line and had trouble specifying the project to be analyzed. I understand FindBugs works on bytecode (.jar, .class), so I wrote a HelloWorld program and made sure that it had some messy code that would be detected by FindBugs. Then I tried:

    java -jar D:/findbugs-2.0.3/lib/findbugs.jar -project HelloWorld/bin

which threw an exception:

    java.lang.IllegalArgumentException: Can't read project from HelloWorld/bin
    at edu.umd.cs.findbugs.Project.readProject

Is there any Checkstyle/PMD/Findbugs rule to force “else if” to be on the same line?

烈酒焚心 submitted on 2019-12-22 06:03:08

Question: In our project, for chained if/else/if we would like to have the following formatting:

    if (flag1) {
        // Do something 1
    } else if (flag2) {
        // Do something 2
    } else if (flag3) {
        // Do something 3
    }

And forbid the following one:

    if (flag1) {
        // Do something 1
    } else {
        if (flag2) {
            // Do something 2
        } else {
            if (flag3) {
                // Do something 3
            }
        }
    }

Is there some predefined rule in any of the static code analysis tools listed above to force this code style? If no - I know there is an ability to write custom

How can I print reported bugs to console in gradle findbugs plugin?

倖福魔咒の submitted on 2019-12-22 04:44:05

Question: I am using Gradle FindBugs Plugin. How can I print reported bugs to console? PMD plugin has a consoleOutput property. Is there a similar property for FindBugs?

Answer 1: As you can see here there's no such property or configuration possibility for FindBugs plugin. However it seems that the plugin can be customized in some way. E.g. by parsing and displaying the results. See here and here.

Answer 2: This is rudimentary ... but it's a start

    task checkFindBugsReport << {
        def xmlReport = findbugsMain

Why is FindBugs ignoring my check for null?

馋奶兔 submitted on 2019-12-22 04:38:12

Question: Can anyone explain to me why this throws a FindBugs warning:

    if (m != null && m.getModifiedDate() != null)
        content.put("ModifiedDate", m.getModifiedDate().getTime());

and this is working:

    if (m != null) {
        Date date = m.getModifiedDate();
        if (date != null)
            content.put("ModifiedDate", date.getTime());
    }

Warning: Possible null pointer dereference due to return value of called method.

Is there a possibility to tell FindBugs that Example number 1 should not be a warning?

Answer 1: Possibly because m

Gradle - how to exclude Findbugs on /src/test/java

耗尽温柔 submitted on 2019-12-22 04:27:11

Question: Is there a way to exclude Findbugs execution on classes under /src/test/java? I tried the following but it doesn't seem to work.

    classes = classes.filter { !it.path.contains("**classes\\test\\org*") }

Answer 1: Sure. The documentation of the Findbugs extension says:

sourceSets : The source sets to be analyzed as part of the check and build tasks.

And the example just above shows an example doing exactly what you want:

    apply plugin: "findbugs"

    findbugs {
        sourceSets = [sourceSets.main]
    }

i.e. only

How to avoid “Security - A prepared statement is generated from a nonconstant String” FindBugs Warning

浪尽此生 submitted on 2019-12-21 09:38:31

Question: I am working on a project that has a piece of code like the one below:

    String sql = "SELECT MAX(" + columnName + ") FROM " + tableName;
    PreparedStatement ps = connection.prepareStatement(sql);

Is there any way that I can change this code so that FindBugs stops giving me a "Security - A prepared statement is generated from a nonconstant String" warning? Please assume that this code is safe regarding SQL INJECTION since I can control elsewhere in the code the possible values for "tableName" and

Findbugs and Maven 3.x

余生颓废 submitted on 2019-12-21 04:17:12

Question: Has anyone managed to get findbugs 2.3.1, 2.3.2-SNAPSHOT or 2.4-SNAPSHOT to work with a Maven 3.x project? I always end up with:

    [ERROR] Failed to execute goal org.codehaus.mojo:findbugs-maven-plugin:2.4-SNAPSHOT:findbugs (default-cli) on project cular-db: An error has occurred in FindBugs Report report generation. Could not find matching constructor for: org.codehaus.mojo.findbugs.FindbugsReportGenerator(org.codehaus.doxia.module.xhtml.XhtmlSink, java.util.PropertyResourceBundle, java.io

Maven findbugs:check - Output Summary Of Bugs

房东的猫 submitted on 2019-12-20 23:30:26

Question: Does anybody know how to configure the maven findbugs plugin to output a summary of the bugs to the console (similar to the pmd plugin)? At present findbugs:check just prints out how many bugs there are in total and I need to check the individual modules target/findbugs directory and each findbugs.xml file to fix the issues.

    <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>findbugs-maven-plugin</artifactId>
        <version>2.0.1</version>
        <configuration>
            <xmlOutput>true</xmlOutput>

Can not execute Findbugs Caused by: This project contains Java source files that are not compiled

前提是你 submitted on 2019-12-20 17:28:22

Question: I am currently using the sonarqube server 5.6 with scanner 2.6.1 and I keep getting errors during analysis for a java project. It appears to complain about some java files not compiled in the binaries folder (there aren't any at all in the binaries folder). Once I add the -X parameter I get more exceptions (flagged as ignored), see below. Any clues?

sonar-project.properties followed by logs

    sonar.projectKey=myproj
    sonar.projectName=myproj
    sonar.projectVersion=1.1
    sonar.branch=1.1
    sonar

FindBugs wants readObject(…) to be private for serialization, why?

◇◆丶佛笑我妖孽 submitted on 2019-12-20 02:34:31

Question: I am running findbugs on some code and it says the readObject(...) method must be private to be invoked for serialization/unserialization? Why? What is the problem if it is made public?

Answer 1: About readObject()/writeObject() being private, here's the deal: if your class Bar extends some class Foo; Foo also implements readObject()/writeObject() and Bar also implements readObject()/writeObject(). Now, when a Bar object is serialized or deserialized, JVM needs to call readObject()/writeObject()