Improve Code Quality with SpotBugs

Introduction

Every developer should ensure code quality and follow the language's conventions; otherwise technical debt is created, and at some point in the future you will have to revisit that smelly piece of code.

Code debt can be created without even realizing it: development has to be done before a deadline, you do not have enough experience, or you are simply having a bad day. Because of this, before merging changes into master we should double-check that we are not introducing performance or security issues, or any other kind of code smell. That is exactly the kind of check a static analyzer can repeat on every build instead of relying on reviewers to spot everything.

SpotBugs

What it is

SpotBugs is a static analysis tool that scans compiled Java bytecode (class files or jars, not source) for known bug patterns, grouped into categories such as CORRECTNESS, PERFORMANCE, BAD_PRACTICE, MALICIOUS_CODE and SECURITY. It is the actively maintained successor of FindBugs.

How To Use It

There are a few ways of using SpotBugs; here we focus on the SpotBugs plugin for Maven. Alternatively, you can run the standalone SpotBugs GUI on Windows, macOS or Linux, install the Eclipse plugin, integrate it with Ant, or add the Gradle plugin.

  1. Add the SpotBugs plugin into your pom.xml file:
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>3.1.11</version>
  <dependencies>
    <dependency>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs</artifactId>
      <version>4.0.0-beta1</version>
    </dependency>
  </dependencies>
</plugin>
  2. Run one of the goals provided by the plugin, for example the one that runs the analysis and writes the report to target/spotbugsXml.xml:
mvn clean install spotbugs:spotbugs

Advanced Configuration

Additionally, we can learn more about a particular goal by running

mvn spotbugs:help -Ddetail=true -Dgoal=check

and set configuration properties on the command line, like

mvn clean install spotbugs:check -Dspotbugs.failOnError=false

or in a configuration block inside the SpotBugs Maven plugin block, like below (threshold accepts High, Default, Low, Ignore or Exp, and effort accepts Min, Default or Max)

<configuration>
    <threshold>Low</threshold>
    <effort>Max</effort>
    <debug>true</debug>
</configuration>
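The plugin block in step 1 has no executions, so a plain mvn install runs no analysis at all; you have to invoke a goal explicitly or bind one to a phase. Note also that spotbugs:spotbugs only writes the report and never fails the build; spotbugs:check is the goal that fails when bugs at or above the threshold remain (failOnError defaults to true). The following plugin block, added here as an example and not taken from the original post, binds check to the verify phase so that mvn verify fails on any remaining bug; it reuses the plugin version from step 1, and the exclude file name spotbugs-exclude.xml is an assumption.

```xml
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>3.1.11</version>
  <dependencies>
    <dependency>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs</artifactId>
      <version>4.0.0-beta1</version>
    </dependency>
  </dependencies>
  <configuration>
    <!-- Analyse as deeply as the tool can and report even low-priority bugs -->
    <effort>Max</effort>
    <threshold>Low</threshold>
    <!-- Fail the build on any reported bug (this is already the default) -->
    <failOnError>true</failOnError>
    <!-- Suppress known false positives in a filter file (assumed name) -->
    <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
  </configuration>
  <executions>
    <execution>
      <id>spotbugs-verify</id>
      <phase>verify</phase>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

With this in place a CI job only needs mvn verify; to get a report without breaking a local build, override the property on the command line with -Dspotbugs.failOnError=false as shown above.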

SpotBugs also allows advanced filter configuration in order to include or exclude specific classes or methods from the report. First, we need to create an XML file where we are going to define our Match elements.

cd your-project-root-folder
touch spotbugs.xml

and reference it in your SpotBugs plugin configuration

<includeFilterFile>spotbugs.xml</includeFilterFile>

Be aware of the semantics: with includeFilterFile only bugs that match the filter are reported, everything else is dropped. To suppress matches instead (for example generated code or known false positives) use excludeFilterFile with the same file format.

A filter file is an XML file with a parent FindBugsFilter tag which contains as many Match tags as you want; each Match element accepts several kinds of clauses (Class, Method, Field, Package, Bug, and the logical And, Or and Not). Moreover, a name that starts with ~ is treated as a Java regular expression, so you can include/exclude classes, methods, fields or sources by pattern.

An example with some of the SpotBugs clauses can be found below.

<FindBugsFilter>
    <Match>
        <Class name="com.sergiomartinrubio.spotbugsexample.PerformanceBugs" />
        <Bug category="PERFORMANCE" />
    </Match>
    <Match>
        <Class name="com.sergiomartinrubio.spotbugsexample.CorrectnessBugs" />
        <Not>
            <Method name="test" />
        </Not>
    </Match>
    <Match>
        <Class name="com.sergiomartinrubio.spotbugsexample.BadPracticeBugs" />
        <Or>
            <Method name="removeAllFromCollection" returns="void" />
            <Method name="NamingConvention" returns="void" />
        </Or>
        <Bug category="BAD_PRACTICE" />
    </Match>

    <Match>
        <Package name="~.*\.spotbugsexample" />
        <Bug pattern="UCF_USELESS_CONTROL_FLOW" />
    </Match>
</FindBugsFilter>

Code Examples
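The class below is an added example, not code from the original post or from the SpotBugs project, in the spirit of the example classes referenced by the filter above. Each member whose name ends in Unsafe triggers a core SpotBugs pattern (the pattern id and category are in the comment), and the member that follows it is the hardened version that clears the pattern. The class name, table and column names and the DB_PASSWORD environment variable are made up; it assumes Java 11 (List.of). Compile it with the plugin from the steps above, run mvn clean install spotbugs:spotbugs and compare the two versions in target/spotbugsXml.xml or in the GUI.

```java
package com.sergiomartinrubio.spotbugsexample;

import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;

/**
 * Added example (not part of the original post or of SpotBugs itself).
 * Each "...Unsafe" member triggers the SpotBugs pattern named in its comment;
 * the member that follows it is the hardened version. Names are made up.
 */
public class SecurityBugs {

    // MS_SHOULD_BE_FINAL (MALICIOUS_CODE): a public static non-final field can be
    // reassigned by any class on the classpath.
    public static String[] ALLOWED_HOSTS_UNSAFE = {"localhost"};

    // Fixed: private, final and immutable (a public static final array would
    // still be flagged as MS_MUTABLE_ARRAY).
    private static final List<String> ALLOWED_HOSTS = List.of("localhost");

    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] secret = new byte[32];

    // SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE (SECURITY): the query text is
    // built from a caller-supplied string, i.e. SQL injection.
    public String findEmailUnsafe(Connection conn, String name) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT email FROM users WHERE name = '" + name + "'")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // Fixed: constant query text, user input bound as a parameter.
    public String findEmail(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // DMI_CONSTANT_DB_PASSWORD (SECURITY): a credential hard-coded in the class file.
    public Connection connectUnsafe(String url) throws SQLException {
        return DriverManager.getConnection(url, "app", "s3cret");
    }

    // Fixed: the password is injected at runtime (DB_PASSWORD is an assumed name).
    public Connection connect(String url) throws SQLException {
        return DriverManager.getConnection(url, "app", System.getenv("DB_PASSWORD"));
    }

    // EI_EXPOSE_REP (MALICIOUS_CODE): handing out the internal array lets the
    // caller overwrite the key material.
    public byte[] getSecretUnsafe() {
        return secret;
    }

    // Fixed: return a defensive copy.
    public byte[] getSecret() {
        return secret.clone();
    }

    // DMI_RANDOM_USED_ONLY_ONCE (BAD_PRACTICE): a throwaway java.util.Random,
    // which for anything token-like is also the wrong generator.
    public int tokenUnsafe() {
        return new java.util.Random().nextInt();
    }

    // Fixed: one shared SecureRandom instance.
    public int token() {
        return RNG.nextInt();
    }

    // UCF_USELESS_CONTROL_FLOW (STYLE): the branch does nothing, which is usually
    // a forgotten check; this is the pattern matched in the filter file above.
    public boolean isAllowedUnsafe(String host) {
        if (!ALLOWED_HOSTS.contains(host)) {
        }
        return true;
    }

    // Fixed: the check decides the result.
    public boolean isAllowed(String host) {
        return ALLOWED_HOSTS.contains(host);
    }
}
```

Because SpotBugs works on bytecode, the class must be compiled first; with the report open in the GUI, the SECURITY category entries are the ones worth treating as build breakers, while STYLE findings such as UCF_USELESS_CONTROL_FLOW are good candidates for an exclude filter if they turn out to be noise.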

GUI

SpotBugs has a GUI out of the box; simply run

mvn spotbugs:gui

A build and a SpotBugs analysis must have run first (for example the mvn clean install spotbugs:spotbugs command above), since the GUI shows the results of the last analysis.

A new window pops up with a bug tree that gives us the following information:

SpotBugs GUI - Hierarchy

When a particular bug is selected we see a pane with the class and the offending line highlighted, and at the bottom a description and a possible solution.

SpotBugs GUI - Source Code and Description Panel

You can also save the report and import or export filters.

The GUI can also be run on its own and load the jar file we want to analyze.

Alternatives

You have probably already heard of SonarQube, which provides the features of SpotBugs and a few more. In fact, SonarQube used to rely on the FindBugs plugin to generate bug reports, until they decided to use their own analyzer and stop using Checkstyle, PMD and FindBugs.

Why would you choose SpotBugs? Because it is easier to integrate into your Maven build than relying on a separate Sonar server and having to learn an additional API. The greatest benefit of SonarQube is its GUI, which lets you configure everything easily. Nevertheless, you can run something like the Jenkins Warnings Next Generation Plugin as part of your Jenkins CI build and get nice graphs too.

Conclusion

Whether you are a junior or a senior developer, code analysis tools like SpotBugs are very useful for improving code quality and avoiding bugs, so you should consider adding this tool to your build.