discuss's Introduction

SpotBugs

SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off with support of its community.

SpotBugs is licensed under the GNU LESSER GENERAL PUBLIC LICENSE.

More information at the official website. A lot of things can still be found at the old FindBugs website.

Build

SpotBugs is built using Gradle. The recommended way to obtain it is to simply run the gradlew (or gradlew.bat) wrapper, which will automatically download and run the correct version as needed (using the settings in gradle/wrapper/gradle-wrapper.properties).

Building SpotBugs requires JDK 21 to run all the tests (using SpotBugs requires JDK 8 or above).

To see a list of build options, run gradle tasks (or gradlew tasks). The build task will perform a full build and test.

To build the SpotBugs plugin for Eclipse, you'll need to create the file eclipsePlugin/local.properties, containing a property eclipseRoot.dir that points to an Eclipse installation's root directory (see .github/workflows/release.yml for an example), then run the build. To prepare only the Eclipse environment, run ./gradlew eclipse. See also detailed steps.

Using SpotBugs

SpotBugs can be used standalone and through several integrations, including:

Questions?

You can contact us using GitHub Discussions.

discuss's People

Contributors

iloveeclipse, kengotoda

Forkers

sampson17471

discuss's Issues

[maven-plugin] Did SpotBugs change the resolution of findbugs exclusion filters?

I'm using FindBugs in maven using a filter file that is provided by a jar file (see pom.xml). Seems that this approach does not work for SpotBugs. Is there anything changed when resolving the filter files in the maven-plugin? I get the following exception:

[ERROR] Could not find resource 'etc/findbugs-exclusion-filter.xml'. -> [Help 1]
org.codehaus.plexus.resource.loader.ResourceNotFoundException: Could not find resource 'etc/findbugs-exclusion-filter.xml'.
	at org.codehaus.plexus.resource.DefaultResourceManager.getResource(DefaultResourceManager.java:171)
	at org.codehaus.plexus.resource.DefaultResourceManager.getResourceAsInputStream(DefaultResourceManager.java:67)
	at org.codehaus.plexus.resource.ResourceManager$getResourceAsInputStream$1.call(Unknown Source)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)

FYI: Quiet period after RC7

Hi all,

We plan to release RC7 shortly and I would like to propose an integration stop for a week, to have a chance to release 3.1.0 final on next weekend, if RC7 would be OK.

Please do not merge PR's except bugfixes for regressions reported against RC7.

THANKS!

Release 3.1.2 ?

Hi,

I suspect that the issue with @CanIgnoreReturnValue and Guava is troublesome for many users. Maybe it would be worth doing a maintenance release ?

PS. The Sonatype repository has snapshots for 4.0.0 (which is great), but not for 3.1.x versions.

Installed WIP app

This is just an announcement: I've installed the WIP app to all repositories in the spotbugs organization. If it affects your hack, please let me know and I'll revert this change.

"release-3.1" branch as default for incoming PR's

I see that we have some PR's appearing, this is really good!
However, all of those PR's are (by default) created for "master" branch which is targeting 4.0 release.

Most of the PR's come with smaller fixes, most of those fixes work perfectly on 3.1 code, and most of the users want to see them in a final 3.1.x release soon.

I don't see 4.0 being released soon, so it makes more sense that people who want to contribute will by default use the "right" branch, which is release-3.1.

I'm going to make release-3.1 branch default now, but if someone has any objections - please speak up.

Travis CI failure: 3.1.6 SNAPSHOT is not published

I am reviewing https://travis-ci.org/spotbugs/spotbugs/builds/396638921 which seems to be the latest build job publishing snapshots for 3.1. The build was not able to publish and upload snapshots due to some connectivity issue. Could this job be restarted?

3.1.6 SNAPSHOT seems to have updated asm versions to 6.2 which may allow support for JDK 11. (Experimenting with this build/version over at https://github.com/apereo/cas)

PS It would also be very good if the milestones could be updated to indicate the release schedule and tentative dates for 3.1.6 and beyond.

False Positive

This may relate to the following:

  • OBL_UNSATISFIED_OBLIGATION
  • OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE
  • ODR_OPEN_DATABASE_RESOURCE
  • OS_OPEN_STREAM

We have code that looks like:

    public void thing1() {
        // Declared outside the try block so it is in scope in finally.
        PreparedStatement stmt = null;
        try {
            stmt = conn.prepareStatement("SELECT * FROM ? LIMIT 1");
            stmt.setString(1, "TABLE");
            stmt.executeUpdate();
        } catch (SQLException e) {
            logger.error(e.getLocalizedMessage());
        } finally {
            DbUtils.closeQuietly(stmt);
        }
    }

This clearly closes the statement. SpotBugs throws an error OBL_UNSATISFIED_OBLIGATION and seems to want me to close the connection, and the statement in a series of nested try..finally blocks.

exit code from ant task when missing classes?

I'm migrating our ant build from findbugs to spotbugs and there's a change that is confusing me. We exclude a lot of classes from the analysis and have always gotten a list of "missing classes", but findbugs-ant has never considered this an error. Running spotbugs-ant gives me this output:

[spotbugs] Missing classes: 140
[spotbugs] Calculating exit code...
[spotbugs] Setting 'missing class' flag (2)
[spotbugs] Exit code set to: 2
[spotbugs] Java Result: 2
[spotbugs] Classes needed for analysis were missing

The build is not failing, but even when I run with -q, I get a stderr printout "Java Result: 2", which is quite confusing when it's not an actual error.

Running the same analysis directly using the spotbugs jar and not the ant build seems to have exit code 0, and that seems inconsistent with the above.

What's the reason for having this as a stderr printout in the ant build?

Execute spotbugs during build instead of site generation?

Hello! I would like to know if there is a way to make spotbugs execute during the build as well as during site generation? Right now, when I run "mvn site" a report generates just fine. However, when I run "mvn clean site" the report disappears (the rest of my reports remain, however). In order to get the Spotbugs report back, I have to run "mvn test" then "mvn site" again. Is there a way around this, and if not, do you mind explaining why this happens? I am new to maven, using maven 3.3 and spotbugs 3.1.3!

[question/idea] Reusing analysis information in multi-module project

I have a fairly large project where the whole analysis can take several minutes. The project is split into Maven modules (some small, some large). Currently, the analysis is triggered separately for each project (that's how the gradle plugin works as well, AFAIK) with the classes for that project as "classes" and all its dependencies as "auxclasspath".

I didn't do any benchmarks yet, but my intuition tells me that at least some of the effort is repeated. I'm also not sure if this is the correct way to do it, i.e. would analyzing all the projects in one go yield more accurate results than one by one?

Another common case is running the analysis with the same set of dependencies (you don't upgrade your libraries every day).

In both cases, I think it would be possible to reuse some of the data gathered in previous analysis as long as the "auxclasspath" did not change.

Do you think it's an idea worth exploring?

Questions about Dataflow

We're looking to perform highly accurate inter-procedural data-flow analysis in Spotbugs. After crawling code, it appears that the current API and interfaces provided are not designed for this. So we would like to extend the functionality of spotbugs with these features. I have a couple questions before we get too far along:

  1. Did I miss something obvious and should go back and re-examine the DataflowAnalysis* APIs to shim this functionality in?
  2. We're currently developing as a stand-alone plug-in. Would there be interest in incorporating a final product into spotbugs itself? If so, do you have guidelines for submissions?
  3. This plugin is motivated by the desire to perform general-purpose inter-procedural taint analysis with high precision. Would there be interest in that as well, or should we discuss with find-sec-bugs?

Question about maven plugin version

Hi,

I wondered that on Maven central the spotbugs-maven-plugin artifact is still on 3.1.0-RC6. Is this going to change to 3.1.0 or is RC6 equal to the final version?

License of SpotBugs logos

I found that we have no page which describes license of SpotBugs logos.
License will help community to spread SpotBugs, so let's decide license and make a page to announce it.

I think that CC BY-SA 4.0 is suitable; what do you think?

Best way to add detection of a specific bug to spotbugs?

As part of my internship, my job is to make spotbugs capable of detecting a specific bug pattern my tutor has found, what would be the best way to go about it?

I've thought of building my own extension like fb-contrib, but I would first like to know if there is another way.

anonymous inner classes aren't recognized in exclude list

I'm converting from FindBugs to SpotBugs. I have an exclude list with this entry:

    <Match>
        <Or>
            <Class name="com.sun.mail.imap.DefaultFolder$1"/>
            <Class name="com.sun.mail.imap.DefaultFolder$2"/>
            <Class name="com.sun.mail.imap.IMAPFolder$1"/>
            <Class name="com.sun.mail.imap.IMAPFolder$4"/>
            <Class name="com.sun.mail.imap.IMAPFolder$7"/>
            <Class name="com.sun.mail.imap.IMAPFolder$13"/>
            <Class name="com.sun.mail.imap.IMAPFolder$20"/>
            <Class name="com.sun.mail.imap.IdleManager$2"/>
        </Or>
        <Bug pattern="SIC_INNER_SHOULD_BE_STATIC_ANON"/>
    </Match>

FindBugs ignores these errors. SpotBugs does not.

Changing the entry to use a regular expression instead of an exact class name does work.

(I'm calling FindBugs/SpotBugs from Maven, if that matters.)

A list of unmaintained/unmaintainable cruft

Looking at the spotbugs repository, there’s a lot of files in there that I would wager none of the current maintainers can maintain or want to.

I think we should compile a list of these files here along with the reason why we think they can be removed.

Here’s a start:

  • findbugs.keystore: The certificate expired 24 April 2014 and AFAIK we don’t even have the keystore’s password.
  • jnlp: I doubt that anyone uses these. There used to be a way of using Java Webstart for a demo, but I don’t think we offer something similar at the moment.

What else?

Plugin For BlueJ IDE

Hello all,

I am working with a team of students and we want to bring SpotBugs as a plugin to BlueJ. In order to do this the plugin must be contained in a single Jar file. Is this currently possible with the current version of SpotBugs?

Aaron C. Loomis

Maven central stats

I will use this thread to share stats from SonaType Nexus.
It seems that SpotBugs is not actively used, so let's ask the community to give SpotBugs a try.

SpotBugs stats (~2017/July)

For reference, download for FindBugs is more than 120k/mo.

Spotbugs Eclipse Plugin

Is there any documentation for getting the eclipse plugin set up for development? I want to try my hand at enhancing the plugin a bit but am not sure how to get started so the code is all compiled and working in Eclipse. There may be a document out there already; I just didn't find anything.

Thanks.

How can I run SpotBugs using Java?

I was working on injecting groovy scripts dynamically in Java. Before executing those scripts, I want to make sure that they do not have potential bugs, using SpotBugs.
Here is the pseudo-code:

Here it should return the infinite loop bug.

String script = "class Hello { static void main(String []args) { def i = 0; while ( i <= 0) { i = i - 1; } } } ";
List<Bugs> bugs = SpotBugs.getBugs(script);
if (bugs == null) {
    execute(script);
}

So how to do the SpotBugs.getBugs(script) using java, the input script will not be hard-coded as in above example, but will be dynamically fetched.

FYI: Kengo will hold a tech session regarding SpotBugs at Japan Java User Group

To whom it may concern,

On May 26 the Japan Java User Group will hold an event, JJUG CCC 2018 Spring, and I will hold a short session about the current SpotBugs project. I haven't made its content yet, but I want to talk about the current product structure or technical debt in SpotBugs. The talk itself will be held in Japanese.

Note that I held a session regarding static analysis tools (including SpotBugs) for ERP development last year at JJUG CCC 2017 Spring. It was supported by my employer, but this coming session will be my personal one.

RoadMap

A roadmap for spotbugs should be posted to allow users, plugin developers, detector developers, and others to see where we are heading.
This will be useful for Findbugs users looking to plan and change to Spotbugs.
In my time working with the Maven and ANT plugins I noticed some items I believe we need to keep in sight going forward to keep our current users and attract new users.

The configuration of a Findbugs job varies depending on the interface (i.e. command line, ANT, eclipse, intellij, or maven) used. This can lead to differences between the output a developer sees in their IDE and what a build server presents running maven, gradle, ant or sbt.
I have tried to follow the command line setup since it looked like the common mechanism used by the creator and the course at UMD (University of Maryland). This had its shortcomings, as the documentation for that has been incomplete.
As a useful tool for continuity between sub-projects and migration from findbugs, the main project should have classes and interfaces for conversion between include/exclude config files for spotbugs. This will make it easier for IDEs to be configured to match build setups.

XSL scripts to transform out xml into html

In findbugs there used to be a feature to also generate html reports.
Is this still possible?
Where are the XSL files for the transformation hosted?
I would love to be able to visualize the xml reports somehow.

Code source display problem

Hello everyone,

I have a problem: when I run an analysis on a .war or source code, I get results but without the source code display.

I use the findsecbug plugin.

Thanks for the future answers:)

FYI: SpotBugs will undergo IP check at Eclipse Foundation

I am writing this with both my Eclipse and SpotBugs committer hats on: We at Eclipse Code Recommenders are currently considering building a set of SpotBugs detectors based on machine-learning (just like Code Recommenders is ML-based code-completion).

To that end, we need to initiate a so-called IP check of the SpotBugs codebase during which its provenance will be checked by the Eclipse legal team. Also, there is the issue of LGPL/EPL compatibility.

If you are interested, you can follow the discussion with the legal team in CQs 14164 and 14163 (Eclipse committer login required), but I will report any findings here.

How do i run findbugs on specific package ignore other packages in eclipse

My project has multiple packages, but I need to run findbugs on only a specific package and ignore the other packages in eclipse. Thank you in advance.

Example:

Suppose my java project has two packages like org.test.imf.*, org.link.iag.*, org.build.creta.*. But we need to run findbugs on a specific package like org.test.imf.*, not on the other packages. Please explain how to filter the packages using the include and exclude filter options in the eclipse findbugs plugin options.

spotbugs-maven-plugin 3.1.0 final release?

(Is there really no actual mailing list? Am I supposed to create a new issue instead of sending email?)

When is a final 3.1.0 release of the spotbugs-maven-plugin expected?

Not logged exception

Dear Spotbugs Team,

in our code we would like to spot issues like these:

1.

  try{
      ...
  } catch (AnyException e){
     // doing nothing, no rethrow, no logging ...
  }

Or

2.

  try{
      ...
  } catch (SomeThirdPartyException e){
     // no logging, and original exception not passed to MyCustomException
     throw new MyCustomException("some bad description");
  }

Does Spotbugs detect such issues? Reading through the bug pattern list I thought DE_MIGHT_DROP or DE_MIGHT_IGNORE would detect case 1., but somehow it did not.

So my questions:

  • can cases 1. and 2. be detected by SpotBugs? Which patterns should do that?
  • can you tell from the vague setup description I gave below what I am missing? Please let me know if you need more details.

Thank you very much for your help in advance,
Gergely

Our setup:

java 10
we use the gradle plugin

    apply plugin: 'com.github.spotbugs'
    spotbugs {
        toolVersion = "3.1.5"
        excludeFilter = file("$rootProject.projectDir/config/spotbugs/excludeFilter.xml")
        effort = "min"  // tried also max
    }
    tasks.withType(com.github.spotbugs.SpotBugsTask) {
        reports {
            xml.enabled false
            html.enabled true
        }
    }

No includeFilter was used.

Content of excludeFilter.xml:

    <FindBugsFilter>
        <Match>
            <Bug pattern="DM_DEFAULT_ENCODING" />
        </Match>
        <Match>
            <Bug pattern="EI_EXPOSE_REP" />
        </Match>
        <Match>
            <Bug pattern="EI_EXPOSE_REP2" />
        </Match>
        <Match>
            <Bug pattern="UC_USELESS_VOID_METHOD" />
        </Match>
        <Match>
            <Bug pattern="RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT" />
        </Match>
        <Match>
            <!-- False positive: https://github.com/spotbugs/spotbugs/issues/432 -->
            <Bug pattern="OBL_UNSATISFIED_OBLIGATION" />
        </Match>
        <Match>
            <Class name="~.*MapperImpl$"/>
        </Match>
        <Match>
            <Class name="<DELETED>"/>
        </Match>
    </FindBugsFilter>

Please let me know if you need further details

How to pass user-configurable options to a detector?

This issue is meant to discuss best practices for how to pass additional, user-configurable options to a detector. As far as I can see, there are three alternatives to do so:

  1. Pass the option in as a system property (-jvmArgs -Dkey=value command line option)
  2. Pass the option in as a key/value pair in the user preferences file (-userPrefs command line option)
  3. Pass a (pre-defined) key/value pair in through activation/deactivation of a special plug-in with <GlobalOption> (-choosePlugins command line option)

The preferred alternative should offer a straight-forward way to access the value in the detector:

  1. The canonical way to access them seems to be SystemProperties.getProperty(String)
  2. I haven’t found a way to get at a UserPreferences object from within a Detector
  3. I haven’t found a way (spotbugs/spotbugs@dbdd6c5 removed DetectorCollectionFactory.getGlobalOption)

Moreover, the preferred alternative should not only work when SpotBugs is invoked from the command line, but should also be settable from within Eclipse, e.g., through a preference page.

  1. Seems trivial, but is surprisingly tricky, as the system property needs to be set on every restart. (Just because the SpotBugs Eclipse plug-in uses the findbugsPlugins extension point to load a SpotBugs plugin doesn’t mean that the surrounding Eclipse plug-in wrapper’s Activator is run; so you can’t set the system property anew on demand when the wrapper is activated.)
  2. Can be achieved through FindbugsPlugin.getUserPreferences(...) and saveUserPreferences(...) called from the preference page or even (per-project) from the project’s Properties page
  3. Activation/Deactivation can be done in the Java > SpotBugs > Plugins and misc. Settings preferences. (This is limited to boolean options, of course.)

Am I missing any other alternatives? How can alternatives 2 and 3 above access the configured value in the detector? And which alternative should in your opinion be considered a best practice?

Moving sonar-findbugs

I recently asked for admin permission for https://github.com/h3xstream/sonar-findbugs.
The sonar team transferred the repository ownership to me. It used to be a project maintained by the SonarSource team.

I was thinking about moving it under the organisation spotbugs.

Note: SonarQube provides a free community platform to use SpotBugs. It also provides commercial support and services.

Btw, I will soon do a proper release of the plugin.

Migrate sonar-findbugs to com.github.spotbugs groupId

Now sonar-findbugs is not maintained by SonarSource, and nobody deploys its artifact to Maven central.
So we can change its groupId to com.github.spotbugs from version 3.7 and deploy it to maven central ourselves.

In my understanding, we do not need to migrate their Git repo to our organization, but it should be better to rename its name and artifactId to sonar-spotbugs.

refs: spotbugs/sonar-findbugs#135

Gradle plugin 1.3 initialization error in multimodule build (SpotBugsTask.setSource(Lorg/gradle/api/file/FileTree;))

Hello.

I have a multimodule project. At the beginning of build.gradle I have the following:

buildscript {
    repositories {
        mavenCentral()
        maven {
            url "https://plugins.gradle.org/m2/"
        }
    }
    dependencies {
        classpath "gradle.plugin.com.github.spotbugs:gradlePlugin:1.2"
    }
}

Some time after I have subprojects configuration:

configure(subprojects.findAll {it.path.matches(serviceImplPattern)}){
    ...
    spotbugs {
        ignoreFailures = false
        sourceSets = [sourceSets.main]
        if (skipStaticAnalysis()) {
            sourceSets = []
        }
        effort = "max"
        reportLevel = "high"
    }
    tasks.withType(com.github.spotbugs.SpotBugsTask) {
        reports {
            xml.enabled = false
            html.enabled = true
        }
    }
    ...
}

If I change spotbugs:gradlePlugin version to 1.3, I get the following message:

A problem occurred evaluating root project 'hcspafo'.
> com.github.spotbugs.SpotBugsTask.setSource(Lorg/gradle/api/file/FileTree;)V

...

 Exception is:
org.gradle.api.GradleScriptException: A problem occurred evaluating root project 'hcspafo'.
        at org.gradle.groovy.scripts.internal.DefaultScriptRunnerFactory$ScriptRunnerImpl.run(DefaultScriptRunnerFactory.java:92)
        at org.gradle.configuration.DefaultScriptPluginFactory$ScriptPluginImpl$2.run(DefaultScriptPluginFactory.java:176)
        at org.gradle.configuration.ProjectScriptTarget.addConfiguration(ProjectScriptTarget.java:77)
        at org.gradle.configuration.DefaultScriptPluginFactory$ScriptPluginImpl.apply(DefaultScriptPluginFactory.java:181)
        at org.gradle.configuration.project.BuildScriptProcessor.execute(BuildScriptProcessor.java:39)
        at org.gradle.configuration.project.BuildScriptProcessor.execute(BuildScriptProcessor.java:26)
        at org.gradle.configuration.project.ConfigureActionsProjectEvaluator.evaluate(ConfigureActionsProjectEvaluator.java:34)
        at org.gradle.configuration.project.LifecycleProjectEvaluator.doConfigure(LifecycleProjectEvaluator.java:70)
        at org.gradle.configuration.project.LifecycleProjectEvaluator.access$000(LifecycleProjectEvaluator.java:33)
        at org.gradle.configuration.project.LifecycleProjectEvaluator$1.execute(LifecycleProjectEvaluator.java:53)
        at org.gradle.configuration.project.LifecycleProjectEvaluator$1.execute(LifecycleProjectEvaluator.java:50)
        at org.gradle.internal.Transformers$4.transform(Transformers.java:169)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:106)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:61)
        at org.gradle.configuration.project.LifecycleProjectEvaluator.evaluate(LifecycleProjectEvaluator.java:50)
        at org.gradle.api.internal.project.DefaultProject.evaluate(DefaultProject.java:599)
        at org.gradle.api.internal.project.DefaultProject.evaluate(DefaultProject.java:125)
        at org.gradle.execution.TaskPathProjectEvaluator.configure(TaskPathProjectEvaluator.java:35)
        at org.gradle.execution.TaskPathProjectEvaluator.configureHierarchy(TaskPathProjectEvaluator.java:60)
        at org.gradle.configuration.DefaultBuildConfigurer.configure(DefaultBuildConfigurer.java:38)
        at org.gradle.initialization.DefaultGradleLauncher$ConfigureBuildAction.execute(DefaultGradleLauncher.java:233)
        at org.gradle.initialization.DefaultGradleLauncher$ConfigureBuildAction.execute(DefaultGradleLauncher.java:230)
        at org.gradle.internal.Transformers$4.transform(Transformers.java:169)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:106)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:56)
        at org.gradle.initialization.DefaultGradleLauncher.doBuildStages(DefaultGradleLauncher.java:160)
        at org.gradle.initialization.DefaultGradleLauncher.doBuild(DefaultGradleLauncher.java:119)
        at org.gradle.initialization.DefaultGradleLauncher.run(DefaultGradleLauncher.java:102)
        at org.gradle.launcher.exec.GradleBuildController.run(GradleBuildController.java:71)
        at org.gradle.tooling.internal.provider.ExecuteBuildActionRunner.run(ExecuteBuildActionRunner.java:28)
        at org.gradle.launcher.exec.ChainingBuildActionRunner.run(ChainingBuildActionRunner.java:35)
        at org.gradle.launcher.exec.InProcessBuildActionExecuter.execute(InProcessBuildActionExecuter.java:41)
        at org.gradle.launcher.exec.InProcessBuildActionExecuter.execute(InProcessBuildActionExecuter.java:26)
        at org.gradle.tooling.internal.provider.ContinuousBuildActionExecuter.execute(ContinuousBuildActionExecuter.java:75)
        at org.gradle.tooling.internal.provider.ContinuousBuildActionExecuter.execute(ContinuousBuildActionExecuter.java:49)
        at org.gradle.tooling.internal.provider.ServicesSetupBuildActionExecuter.execute(ServicesSetupBuildActionExecuter.java:49)
        at org.gradle.tooling.internal.provider.ServicesSetupBuildActionExecuter.execute(ServicesSetupBuildActionExecuter.java:31)
        at org.gradle.launcher.daemon.server.exec.ExecuteBuild.doBuild(ExecuteBuild.java:67)
        at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:36)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.WatchForDisconnection.execute(WatchForDisconnection.java:47)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.ResetDeprecationLogger.execute(ResetDeprecationLogger.java:26)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.RequestStopIfSingleUsedDaemon.execute(RequestStopIfSingleUsedDaemon.java:34)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.ForwardClientInput$2.call(ForwardClientInput.java:74)
        at org.gradle.launcher.daemon.server.exec.ForwardClientInput$2.call(ForwardClientInput.java:72)
        at org.gradle.util.Swapper.swap(Swapper.java:38)
        at org.gradle.launcher.daemon.server.exec.ForwardClientInput.execute(ForwardClientInput.java:72)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.LogAndCheckHealth.execute(LogAndCheckHealth.java:55)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.LogToClient.doBuild(LogToClient.java:60)
        at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:36)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.EstablishBuildEnvironment.doBuild(EstablishBuildEnvironment.java:72)
        at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:36)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.StartBuildOrRespondWithBusy$1.run(StartBuildOrRespondWithBusy.java:50)
        at org.gradle.launcher.daemon.server.DaemonStateCoordinator$1.run(DaemonStateCoordinator.java:297)
        at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:63)
        at org.gradle.internal.concurrent.StoppableExecutorImpl$1.run(StoppableExecutorImpl.java:46)
Caused by: java.lang.NoSuchMethodError: com.github.spotbugs.SpotBugsTask.setSource(Lorg/gradle/api/file/FileTree;)V
        at com.github.spotbugs.SpotBugsPlugin.configureForSourceSet(SpotBugsPlugin.java:189)
        at com.github.spotbugs.SpotBugsPlugin.configureForSourceSet(SpotBugsPlugin.java:41)
        at org.gradle.api.plugins.quality.internal.AbstractCodeQualityPlugin$5.execute(AbstractCodeQualityPlugin.java:170)
        at org.gradle.api.plugins.quality.internal.AbstractCodeQualityPlugin$5.execute(AbstractCodeQualityPlugin.java:166)
        at org.gradle.api.internal.DefaultDomainObjectCollection.all(DefaultDomainObjectCollection.java:135)
        at org.gradle.api.plugins.quality.internal.AbstractCodeQualityPlugin.configureForSourceSets(AbstractCodeQualityPlugin.java:166)
        at org.gradle.api.plugins.quality.internal.AbstractCodeQualityPlugin.access$000(AbstractCodeQualityPlugin.java:42)
        at org.gradle.api.plugins.quality.internal.AbstractCodeQualityPlugin$4.execute(AbstractCodeQualityPlugin.java:160)
        at org.gradle.api.plugins.quality.internal.AbstractCodeQualityPlugin$4.execute(AbstractCodeQualityPlugin.java:157)
        at org.gradle.internal.Actions$FilteredAction.execute(Actions.java:205)
        at org.gradle.api.internal.DefaultDomainObjectCollection.all(DefaultDomainObjectCollection.java:135)
        at org.gradle.api.internal.DefaultDomainObjectCollection.withType(DefaultDomainObjectCollection.java:158)
        at org.gradle.api.plugins.quality.internal.AbstractCodeQualityPlugin.withBasePlugin(AbstractCodeQualityPlugin.java:203)
        at org.gradle.api.plugins.quality.internal.AbstractCodeQualityPlugin.configureSourceSetRule(AbstractCodeQualityPlugin.java:157)
        at org.gradle.api.plugins.quality.internal.AbstractCodeQualityPlugin.apply(AbstractCodeQualityPlugin.java:61)
        at org.gradle.api.plugins.quality.internal.AbstractCodeQualityPlugin.apply(AbstractCodeQualityPlugin.java:42)
        at org.gradle.api.internal.plugins.ImperativeOnlyPluginApplicator.applyImperative(ImperativeOnlyPluginApplicator.java:35)
        at org.gradle.api.internal.plugins.RuleBasedPluginApplicator.applyImperative(RuleBasedPluginApplicator.java:43)
        at org.gradle.api.internal.plugins.DefaultPluginManager.doApply(DefaultPluginManager.java:139)
        at org.gradle.api.internal.plugins.DefaultPluginManager.apply(DefaultPluginManager.java:112)
        at org.gradle.api.internal.plugins.DefaultObjectConfigurationAction.applyType(DefaultObjectConfigurationAction.java:113)
        at org.gradle.api.internal.plugins.DefaultObjectConfigurationAction.access$200(DefaultObjectConfigurationAction.java:36)
        at org.gradle.api.internal.plugins.DefaultObjectConfigurationAction$3.run(DefaultObjectConfigurationAction.java:80)
        at org.gradle.api.internal.plugins.DefaultObjectConfigurationAction.execute(DefaultObjectConfigurationAction.java:136)
        at org.gradle.api.internal.project.AbstractPluginAware.apply(AbstractPluginAware.java:44)
        at org.gradle.internal.metaobject.BeanDynamicObject$MetaClassAdapter.invokeMethod(BeanDynamicObject.java:464)
        at org.gradle.internal.metaobject.BeanDynamicObject.invokeMethod(BeanDynamicObject.java:176)
        at org.gradle.internal.metaobject.CompositeDynamicObject.invokeMethod(CompositeDynamicObject.java:96)
        at org.gradle.internal.metaobject.MixInClosurePropertiesAsMethodsDynamicObject.invokeMethod(MixInClosurePropertiesAsMethodsDynamicObject.java:30)
        at org.gradle.internal.metaobject.ConfigureDelegate.invokeMethod(ConfigureDelegate.java:59)
        at build_72fnjt7y4wwfjb0dztk1iandm$_run_closure10.doCall(C:\projects\hcspafo\build.gradle:195)
        at org.gradle.api.internal.ClosureBackedAction.execute(ClosureBackedAction.java:70)
        at org.gradle.util.ConfigureUtil.configureTarget(ConfigureUtil.java:160)
        at org.gradle.util.ConfigureUtil.configure(ConfigureUtil.java:106)
        at org.gradle.api.internal.project.DefaultProject.configure(DefaultProject.java:960)
        at org.gradle.api.internal.project.DefaultProject.configure(DefaultProject.java:965)
        at org.gradle.internal.metaobject.BeanDynamicObject$MetaClassAdapter.invokeMethod(BeanDynamicObject.java:464)
        at org.gradle.internal.metaobject.BeanDynamicObject.invokeMethod(BeanDynamicObject.java:176)
        at org.gradle.internal.metaobject.CompositeDynamicObject.invokeMethod(CompositeDynamicObject.java:96)
        at org.gradle.internal.metaobject.MixInClosurePropertiesAsMethodsDynamicObject.invokeMethod(MixInClosurePropertiesAsMethodsDynamicObject.java:30)
        at org.gradle.groovy.scripts.BasicScript.invokeMethod(BasicScript.java:111)
        at org.gradle.groovy.scripts.BasicScript.methodMissing(BasicScript.java:120)
        at build_72fnjt7y4wwfjb0dztk1iandm.run(C:\projects\hcspafo\build.gradle:193)
        at org.gradle.groovy.scripts.internal.DefaultScriptRunnerFactory$ScriptRunnerImpl.run(DefaultScriptRunnerFactory.java:90)
        ... 62 more

1.2 works just fine.
Just in case:

$ gradle --version

 ------------------------------------------------------------
Gradle 3.4.1
------------------------------------------------------------

Build time:   2017-03-03 19:45:41 UTC
Revision:     9eb76efdd3d034dc506c719dac2955efb5ff9a93

Groovy:       2.4.7
Ant:          Apache Ant(TM) version 1.9.6 compiled on June 29 2015
JVM:          1.8.0_121 (Oracle Corporation 25.121-b13)
OS:           Windows 10 10.0 amd64

Branch management strategy after 3.1.0 release

We follow semver2, so we need to consider how to maintain code for patch releases like 3.1.x and for major/minor updates such as 3.2.0 and 4.0.0. I'm not sure whether we have motivation to release 3.2.0 (we have a milestone only for 4.0.0), though.

In my experience, it is natural to use master for major updates, and a release-3.1 branch for patches. Any ideas?

No manual how to connect Spotbugs with Findsecbugs plugin

Hello.

I am interested in using the FindSecBugs extension that is listed on the SpotBugs official site; however, I suppose there are mix-ups with the naming of essential classes or methods which are used for injecting new inspections in SpotBugs.

Every manual I've seen mentions only FindBugs methods, but if I use them no security inspections are performed. I check it by implementing a method that must be flagged according to the FindSecBugs docs:

    public void runtimeEx(String cmd) throws Exception {
        Runtime r = Runtime.getRuntime();
        r.exec("/bin/sh -c some_tool" + cmd);
    }

And I can't use SpotBugs alternatives because there aren't any.

I have multimodule project. In the beginning of build.gradle I have the following:

buildscript {
    repositories {
        mavenCentral()
        maven {
            url "https://plugins.gradle.org/m2/"
        }
    }
    dependencies {
        classpath "gradle.plugin.com.github.spotbugs:gradlePlugin:1.2"
    }
}

Some time after I have subprojects configuration:

configure(subprojects.findAll {it.path.matches(serviceImplPattern)}){
    apply plugin: "com.github.spotbugs"
...
    dependencies {
        hibernateJpaModelGenTool "org.hibernate:hibernate-jpamodelgen:$hibernateJPAModelGenVersion"
        findbugs configurations.findbugsPlugins.dependencies
        findbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.7.1'
    }
...
    spotbugs {
        ignoreFailures = false
        sourceSets = [sourceSets.main]
        if (skipStaticAnalysis()) {
            sourceSets = []
        }
        effort = "max"
        reportLevel = "high"
    }
    tasks.withType(com.github.spotbugs.SpotBugsTask) {
        reports {
            xml.enabled = false
            html.enabled = true
        }
    }
...
}

If I change findbugs to spotbugs and findbugsPlugins to spotbugsPlugins I get errors:

* What went wrong:
A problem occurred evaluating root project 'hcspafo'.
> Could not get unknown property 'spotbugsPlugins' for configuration container of type org.gradle.api.internal.artifacts.configurations.DefaultConfigurationContainer.

* Try:
Run with --info or --debug option to get more log output.

* Exception is:
org.gradle.api.GradleScriptException: A problem occurred evaluating root project 'hcspafo'.
        at org.gradle.groovy.scripts.internal.DefaultScriptRunnerFactory$ScriptRunnerImpl.run(DefaultScriptRunnerFactory.java:92)
        at org.gradle.configuration.DefaultScriptPluginFactory$ScriptPluginImpl$2.run(DefaultScriptPluginFactory.java:176)
        at org.gradle.configuration.ProjectScriptTarget.addConfiguration(ProjectScriptTarget.java:77)
        at org.gradle.configuration.DefaultScriptPluginFactory$ScriptPluginImpl.apply(DefaultScriptPluginFactory.java:181)
        at org.gradle.configuration.project.BuildScriptProcessor.execute(BuildScriptProcessor.java:39)
        at org.gradle.configuration.project.BuildScriptProcessor.execute(BuildScriptProcessor.java:26)
        at org.gradle.configuration.project.ConfigureActionsProjectEvaluator.evaluate(ConfigureActionsProjectEvaluator.java:34)
        at org.gradle.configuration.project.LifecycleProjectEvaluator.doConfigure(LifecycleProjectEvaluator.java:70)
        at org.gradle.configuration.project.LifecycleProjectEvaluator.access$000(LifecycleProjectEvaluator.java:33)
        at org.gradle.configuration.project.LifecycleProjectEvaluator$1.execute(LifecycleProjectEvaluator.java:53)
        at org.gradle.configuration.project.LifecycleProjectEvaluator$1.execute(LifecycleProjectEvaluator.java:50)
        at org.gradle.internal.Transformers$4.transform(Transformers.java:169)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:106)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:61)
        at org.gradle.configuration.project.LifecycleProjectEvaluator.evaluate(LifecycleProjectEvaluator.java:50)
        at org.gradle.api.internal.project.DefaultProject.evaluate(DefaultProject.java:599)
        at org.gradle.api.internal.project.DefaultProject.evaluate(DefaultProject.java:125)
        at org.gradle.execution.TaskPathProjectEvaluator.configure(TaskPathProjectEvaluator.java:35)
        at org.gradle.execution.TaskPathProjectEvaluator.configureHierarchy(TaskPathProjectEvaluator.java:60)
        at org.gradle.configuration.DefaultBuildConfigurer.configure(DefaultBuildConfigurer.java:38)
        at org.gradle.initialization.DefaultGradleLauncher$ConfigureBuildAction.execute(DefaultGradleLauncher.java:233)
        at org.gradle.initialization.DefaultGradleLauncher$ConfigureBuildAction.execute(DefaultGradleLauncher.java:230)
        at org.gradle.internal.Transformers$4.transform(Transformers.java:169)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:106)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:56)
        at org.gradle.initialization.DefaultGradleLauncher.doBuildStages(DefaultGradleLauncher.java:160)
        at org.gradle.initialization.DefaultGradleLauncher.doBuild(DefaultGradleLauncher.java:119)
        at org.gradle.initialization.DefaultGradleLauncher.run(DefaultGradleLauncher.java:102)
        at org.gradle.launcher.exec.GradleBuildController.run(GradleBuildController.java:71)
        at org.gradle.tooling.internal.provider.ExecuteBuildActionRunner.run(ExecuteBuildActionRunner.java:28)
        at org.gradle.launcher.exec.ChainingBuildActionRunner.run(ChainingBuildActionRunner.java:35)
        at org.gradle.launcher.exec.InProcessBuildActionExecuter.execute(InProcessBuildActionExecuter.java:41)
        at org.gradle.launcher.exec.InProcessBuildActionExecuter.execute(InProcessBuildActionExecuter.java:26)
        at org.gradle.tooling.internal.provider.ContinuousBuildActionExecuter.execute(ContinuousBuildActionExecuter.java:75)
        at org.gradle.tooling.internal.provider.ContinuousBuildActionExecuter.execute(ContinuousBuildActionExecuter.java:49)
        at org.gradle.tooling.internal.provider.ServicesSetupBuildActionExecuter.execute(ServicesSetupBuildActionExecuter.java:49)
        at org.gradle.tooling.internal.provider.ServicesSetupBuildActionExecuter.execute(ServicesSetupBuildActionExecuter.java:31)
        at org.gradle.launcher.daemon.server.exec.ExecuteBuild.doBuild(ExecuteBuild.java:67)
        at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:36)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.WatchForDisconnection.execute(WatchForDisconnection.java:47)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.ResetDeprecationLogger.execute(ResetDeprecationLogger.java:26)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.RequestStopIfSingleUsedDaemon.execute(RequestStopIfSingleUsedDaemon.java:34)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.ForwardClientInput$2.call(ForwardClientInput.java:74)
        at org.gradle.launcher.daemon.server.exec.ForwardClientInput$2.call(ForwardClientInput.java:72)
        at org.gradle.util.Swapper.swap(Swapper.java:38)
        at org.gradle.launcher.daemon.server.exec.ForwardClientInput.execute(ForwardClientInput.java:72)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.LogAndCheckHealth.execute(LogAndCheckHealth.java:55)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.LogToClient.doBuild(LogToClient.java:60)
        at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:36)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.EstablishBuildEnvironment.doBuild(EstablishBuildEnvironment.java:72)
        at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:36)
        at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:120)
        at org.gradle.launcher.daemon.server.exec.StartBuildOrRespondWithBusy$1.run(StartBuildOrRespondWithBusy.java:50)
        at org.gradle.launcher.daemon.server.DaemonStateCoordinator$1.run(DaemonStateCoordinator.java:297)
        at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:63)
        at org.gradle.internal.concurrent.StoppableExecutorImpl$1.run(StoppableExecutorImpl.java:46)
Caused by: groovy.lang.MissingPropertyException: Could not get unknown property 'spotbugsPlugins' for configuration container of type org.gradle.api.internal.artifacts.configurations.DefaultConfigurationContainer.
        at org.gradle.internal.metaobject.AbstractDynamicObject.getMissingProperty(AbstractDynamicObject.java:85)
        at org.gradle.internal.metaobject.AbstractDynamicObject.getProperty(AbstractDynamicObject.java:62)
        at org.gradle.api.internal.artifacts.configurations.DefaultConfigurationContainer_Decorated.getProperty(Unknown Source)
        at build_72fnjt7y4wwfjb0dztk1iandm$_run_closure14$_closure49.doCall(C:\projects\hcspafo\build.gradle:292)
        at org.gradle.api.internal.ClosureBackedAction.execute(ClosureBackedAction.java:70)
        at org.gradle.util.ConfigureUtil.configureTarget(ConfigureUtil.java:160)
        at org.gradle.util.ConfigureUtil.configure(ConfigureUtil.java:106)
        at org.gradle.api.internal.project.DefaultProject.dependencies(DefaultProject.java:979)
        at org.gradle.internal.metaobject.BeanDynamicObject$MetaClassAdapter.invokeMethod(BeanDynamicObject.java:464)
        at org.gradle.internal.metaobject.BeanDynamicObject.invokeMethod(BeanDynamicObject.java:176)
        at org.gradle.internal.metaobject.CompositeDynamicObject.invokeMethod(CompositeDynamicObject.java:96)
        at org.gradle.internal.metaobject.MixInClosurePropertiesAsMethodsDynamicObject.invokeMethod(MixInClosurePropertiesAsMethodsDynamicObject.java:30)
        at org.gradle.internal.metaobject.ConfigureDelegate.invokeMethod(ConfigureDelegate.java:59)
        at build_72fnjt7y4wwfjb0dztk1iandm$_run_closure14.doCall(C:\projects\hcspafo\build.gradle:289)
        at org.gradle.api.internal.ClosureBackedAction.execute(ClosureBackedAction.java:70)
        at org.gradle.util.ConfigureUtil.configureTarget(ConfigureUtil.java:160)
        at org.gradle.util.ConfigureUtil.configure(ConfigureUtil.java:106)
        at org.gradle.api.internal.project.DefaultProject.configure(DefaultProject.java:960)
        at org.gradle.api.internal.project.DefaultProject.configure(DefaultProject.java:965)
        at org.gradle.internal.metaobject.BeanDynamicObject$MetaClassAdapter.invokeMethod(BeanDynamicObject.java:464)
        at org.gradle.internal.metaobject.BeanDynamicObject.invokeMethod(BeanDynamicObject.java:176)
        at org.gradle.internal.metaobject.CompositeDynamicObject.invokeMethod(CompositeDynamicObject.java:96)
        at org.gradle.internal.metaobject.MixInClosurePropertiesAsMethodsDynamicObject.invokeMethod(MixInClosurePropertiesAsMethodsDynamicObject.java:30)
        at org.gradle.groovy.scripts.BasicScript.invokeMethod(BasicScript.java:111)
        at org.gradle.groovy.scripts.BasicScript.methodMissing(BasicScript.java:120)
        at build_72fnjt7y4wwfjb0dztk1iandm.run(C:\projects\hcspafo\build.gradle:275)
        at org.gradle.groovy.scripts.internal.DefaultScriptRunnerFactory$ScriptRunnerImpl.run(DefaultScriptRunnerFactory.java:90)
        ... 62 more
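
The test method in the post above concatenates caller-supplied text into a command line that `/bin/sh` interprets, which is the pattern FindSecBugs reports as command injection. The following is an added example, not code from the original post or from the FindSecBugs project, showing that method beside a hardened form; the class name, the helper names and the file-name allow-list are assumptions, and `some_tool` is the post's own placeholder.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class RuntimeExecExample {

    // Flagged form, as posted: the parameter is appended to a string that is
    // handed to a shell, so the shell decides how the text is interpreted.
    static void runtimeEx(String cmd) throws Exception {
        Runtime r = Runtime.getRuntime();
        r.exec("/bin/sh -c some_tool" + cmd);
    }

    // Assumed policy for this example: the argument is a plain file name.
    // The first character may not be '-', so it cannot be read as an option.
    private static final Pattern SAFE_ARG =
            Pattern.compile("[A-Za-z0-9_][A-Za-z0-9._-]{0,63}");

    // Builds the argument vector without a shell: the program name is fixed
    // and the validated value travels as exactly one argv element.
    static List<String> buildCommand(String arg) {
        if (arg == null || !SAFE_ARG.matcher(arg).matches()) {
            throw new IllegalArgumentException("rejected argument");
        }
        return Arrays.asList("some_tool", arg);
    }

    // Hardened form: no /bin/sh, no string concatenation into a command line.
    static Process runHardened(String arg) throws IOException {
        ProcessBuilder pb = new ProcessBuilder(buildCommand(arg));
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; nothing is executed here, the loop only
        // shows which values the allow-list accepts.
        String[] samples = {"report.txt", "-v", "a.txt;b", "two words"};
        for (String input : samples) {
            try {
                System.out.println("accepted: " + buildCommand(input));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + input);
            }
        }
    }
}
```

Keeping `runtimeEx` in a scanned module gives a known positive for checking that the FindSecBugs detectors are actually loaded by the build.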

Proposal: Move gradle plugin to isolated Git repo

Currently we put the Gradle plugin in the spotbugs project, even though it uses a different version mechanism (SpotBugs is going to release 3.1.0, but the Gradle plugin releases 1.0~1.4). This makes version management tricky, and makes it impossible to release the Gradle plugin without releasing SpotBugs itself (and vice versa).

I think it is better to:

  1. Move the Gradle plugin to an isolated Git repo (maybe https://github.com/spotbugs/gradle-plugin). It is possible to keep its history with git filter-branch.
  2. Bump up the version to 2.0.0-SNAPSHOT and start following semver2.
  3. Update each .travis.yml to stop releasing spotbugs and the Gradle plugin at the same time.

Migrating from FindBugs, getting missing classes

I am migrating an ant project from FindBugs to SpotBugs, and am getting the following output difference:

FindBugs:

findbugs:
 [findbugs] Executing findbugs FindBugsTask from ant task
 [findbugs] Running FindBugs...
 [findbugs] Warnings generated: 727
 [findbugs] Calculating exit code...
 [findbugs] Setting 'bugs found' flag (1)
 [findbugs] Exit code set to: 1
 [findbugs] Java Result: 1
 [findbugs] Output saved to /Users/rhwood/Developer/JMRI/JMRI/rhwood/findbugs/findbugs.html

SpotBugs:

spotbugs:
 [spotbugs] Executing SpotBugs FindBugsTask from ant task
 [spotbugs] Running SpotBugs...
 [spotbugs] The following classes needed for analysis were missing:
 [spotbugs]   itemStateChanged
 [spotbugs]   actionPerformed
 [spotbugs] Warnings generated: 742
 [spotbugs] Missing classes: 2
 [spotbugs] Calculating exit code...
 [spotbugs] Setting 'missing class' flag (2)
 [spotbugs] Setting 'bugs found' flag (1)
 [spotbugs] Exit code set to: 3
 [spotbugs] Java Result: 3
 [spotbugs] Classes needed for analysis were missing
 [spotbugs] Output saved to /Users/rhwood/Developer/JMRI/JMRI/rhwood/JMRI/spotbugs.html

Those two missing classes are method names, not classes. What should I be looking for to figure out what went wrong?

Wildcard for maven <excludeFilterFile>?

Is there a way to use a wildcard when specifying exclude files with <excludeFilterFile> for the spotbugs maven plug-in?

When I was using the findbugs ant task, I could select exclude filter files with the following:

<excludePath>
    <fileset dir="${src.dir}" includes="**/findbugs-*-exclude-filter.xml"/>
    <fileset dir="${test-src.dir}" includes="**/findbugs-*-exclude-filter.xml"/>
</excludePath>

https://spotbugs.github.io/spotbugs-maven-plugin/check-mojo.html#excludeFilterFile
Regards,
-Mike

com.h3xstream.findsecbugs.password.GoogleApiKeyDetector java.lang.NullPointerException

The warning at the bottom says out of memory, but that there are 2 GB free

/home/java/java_bin/findbugs/spotbugs-3.1.0/bin/spotbugs -textui -exclude /home/java/gen/HEAD/spotbugs_ignore.xml -property findbugs.refcomp.reportAll=true -property findbugs.de.comment=true -property findbugs.sf.comment=true -maxHeap 4096 -output /home/java/gen/HEAD/spotbugs.htm -auxclasspath .:/home/java/source/HEAD/work/jar_classes:/home/java/source/HEAD/work/jar_classes17:/home/java/source/HEAD/work/jar_classes_servlet:::/home/tomcat/apache-tomcat-8.5.23/lib/annotations-api.jar:/home/tomcat/apache-tomcat-8.5.23/lib/catalina-ant.jar:/home/tomcat/apache-tomcat-8.5.23/lib/catalina-ha.jar:/home/tomcat/apache-tomcat-8.5.23/lib/catalina-storeconfig.jar:/home/tomcat/apache-tomcat-8.5.23/lib/catalina-tribes.jar:/home/tomcat/apache-tomcat-8.5.23/lib/catalina.jar:/home/tomcat/apache-tomcat-8.5.23/lib/ecj-4.6.3.jar:/home/tomcat/apache-tomcat-8.5.23/lib/el-api.jar:/home/tomcat/apache-tomcat-8.5.23/lib/jasper-el.jar:/home/tomcat/apache-tomcat-8.5.23/lib/jasper.jar:/home/tomcat/apache-tomcat-8.5.23/lib/jaspic-api.jar:/home/tomcat/apache-tomcat-8.5.23/lib/jsp-api.jar:/home/tomcat/apache-tomcat-8.5.23/lib/servlet-api.jar:/home/tomcat/apache-tomcat-8.5.23/lib/tomcat-api.jar:/home/tomcat/apache-tomcat-8.5.23/lib/tomcat-coyote.jar:/home/tomcat/apache-tomcat-8.5.23/lib/tomcat-dbcp.jar:/home/tomcat/apache-tomcat-8.5.23/lib/tomcat-i18n-es.jar:/home/tomcat/apache-tomcat-8.5.23/lib/tomcat-i18n-fr.jar:/home/tomcat/apache-tomcat-8.5.23/lib/tomcat-i18n-ja.jar:/home/tomcat/apache-tomcat-8.5.23/lib/tomcat-jdbc.jar:/home/tomcat/apache-tomcat-8.5.23/lib/tomcat-jni.jar:/home/tomcat/apache-tomcat-8.5.23/lib/tomcat-util-scan.jar:/home/tomcat/apache-tomcat-8.5.23/lib/tomcat-util.jar:/home/tomcat/apache-tomcat-8.5.23/lib/tomcat-websocket.jar:/home/tomcat/apache-tomcat-8.5.23/lib/websocket-api.jar -html /home/java/source/HEAD/work/tomcat85/classes17_output /home/java/source/HEAD/classes
The following errors occurred during analysis:
Exception analyzing com.ibi.ibfs.objects.IBFSPropertyNames using detector com.h3xstream.findsecbugs.password.GoogleApiKeyDetector
java.lang.NullPointerException
At com.h3xstream.findsecbugs.password.GoogleApiKeyDetector.visitClassContext(GoogleApiKeyDetector.java:81)
At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1079)
At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:280)
At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:401)
At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1187)
Exception analyzing com.ibi.webapp.security.WFCorsFilter using detector com.h3xstream.findsecbugs.PermissiveCORSDetector
java.lang.NullPointerException
At com.h3xstream.findsecbugs.PermissiveCORSDetector.analyzeMethod(PermissiveCORSDetector.java:86)
At com.h3xstream.findsecbugs.PermissiveCORSDetector.visitClassContext(PermissiveCORSDetector.java:57)
At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1079)
At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:280)
At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:401)
At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1187)

Out of memory
Total memory: 3817M
free memory: 2421M
Analyzed: /home/java/source/HEAD/work/tomcat85/classes17_output
Analyzed: /home/java/source/HEAD/classes
