-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using findsecbugs plugin along with Maven plugin doesn't work when specifying maxRank #144
Comments
So, I tried this: |
Doing this stripped down plugin specification with no executions |
@jacktwilliams See the integration tests, there are examples of the plugin usage. I personally have used this for a long time and it works fine. Do make sure not to use 'LATEST' but an explicit version number as 'LATEST' is bad practice and deprecated from maven usage. |
Thanks for the tip about 'LATEST', I pulled that from the findsecbugs documentation. However, I found the bug that is unrelated. This pom works to generate the findsecbugs errors, but adding 'maxRank' in the config breaks the findsecbugs functionality and no security bugs are found.
You can also use the CLI examples given above to see how adding maxRank breaks the findsecbugs plugin functionality. |
@hazendaz Oups. I did not know LATEST was deprecated. |
Hello, the spotbugs-maven-plugin is working, but adding the FindSecBugs plugin is having no effect. Here is my pom file
<plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>3.1.12.2</version> <executions> <execution> <id>spotbugs</id> <phase>compile</phase> <goals> <goal>spotbugs</goal> </goals> <configuration> <maxRank>9</maxRank> <threshold>Low</threshold> <excludeFilterFile>${platform.root}/conf/StaticAnalysis/spotbugs-exclude.xml</excludeFilterFile> <includeFilterFile>${platform.root}/conf/StaticAnalysis/spotbugs-include.xml</includeFilterFile> <!-- find-sec-bugs plugin --> <!-- <plugins> <plugin> <groupId>com.h3xstream.findsecbugs</groupId> <artifactId>findsecbugs-plugin</artifactId> <version>LATEST</version> </plugin> </plugins> --> <pluginList>/home/jack/ProgramFiles/findsecbugs-plugin-1.9.0.jar</pluginList> </configuration> </execution> </executions> </plugin>
The commented tree is another approach of adding the plugin I tried, to the same effect. Using both approaches, I have examined the debugging output which seems to show that the plugin is being added successfully. This is a multi-module project, and the findsecbugs.jar is being added to the target directories of each submodule.
Now, adding the findsecbugs plugin in Eclipse does result in 6 security bugs found (that aren't being found with Maven.) Here is the Eclipse plugin version: 4.0.0.201904010749-792e955
I have tried using no filter files. Eclipse and the Maven plugin are pointed to the exact same filter files that include everything, but exclude Internationalization and Experimental.
The only other interesting thing about Eclipse... Even with the filter files, I have to select these "Security" and "Malicious Code Vulnerability" checkboxes to see the additional bugs.
Lastly, when I look in the GUI, it shows that there are no configured plugins. Maven version 3.6.0
Thank you.
The text was updated successfully, but these errors were encountered: