This plugin requires the SonarJava Plugin, and uses SpotBugs, fb-contrib and Find Security Bugs to provide coding rules.

In the quality profile, activate some rules from Spotbugs, fb-contrib or Find Security Bugs rule repositories and run an analysis on your project.

This plugin can be configured with sonar web interface (see the General Settings/Languages/Java section) or with project properties.

Allow uncompiled code (sonar.findbugs.allowuncompiledcode): Remove the compiled code requirement for all projects. It can lead to a false sense of security if the build process skips certain projects. This option might be used to get around the One (sub)project contains Java source files that are not compiled error.

Confidence level (sonar.findbugs.confidenceLevel): Specifies the confidence threshold (previously called "priority") for reporting issues. If set to "low", confidence is not used to filter bugs. If set to "medium" (the default), low confidence issues are supressed. If set to "high", only high confidence bugs are reported.

Effort (sonar.findbugs.effort): Effort of the bug finders. Valid values are Min, Default and Max. Setting 'Max' increases precision but also increases memory consumption.

Excludes (sonar.findbugs.excludesFilters): Paths to findbugs filter-files with exclusions.

Timeout (sonar.findbugs.timeout): Specifies the amount of time, in milliseconds, that FindBugs may run before it is assumed to be hung and is terminated. The default is 600,000 milliseconds, which is ten minutes.

Only analyze (sonar.findbugs.onlyAnalyze): Restrict analysis to a comma-separated list of classes and packages. For large projects, this may greatly reduce the amount of time needed to run the analysis. (However, some detectors may produce inaccurate results if they aren’t run on the entire application.) Classes should be specified using their full classnames (including package), and packages should be specified in the same way they would in a Java import statement to import all classes in the package (i.e., add .* to the full name of the package). Replace .* with .- to also analyze all subpackages.

FindBugs requires the compiled classes to run, if the project has JSP files they will need to be precompiled.

Make sure that you compile your source code with debug information on (to get the line numbers in the Java bytecode). Debug is usually on by default unless you're compiling with Ant, in which case, you will need to turn it on explicitly. If the debug information is not available, the issues raised by FindBugs will be displayed at the beginning of the file because the correct line numbers were not available.

Since version 3.0, the plugin embed FindBugs 3.0.0 which supports analysis of Java 8 bytecode but requires Java 1.7 to run (see Compatibility section). Please find below the compatibility matrix of the plugin. Versions 4.0.3 and below are not compatible with SonarQube 9.