Findbugs - Static Code Analysis of Java

Markus Sprunck, Software Engineering Candies, http://www.sw-engineering-candies.com/

Findbugs is an open source tool for static code analysis of Java programs. It scans byte code for so-called bug patterns to find defects and/or suspicious code. Although Findbugs needs the compiled class files, it is not necessary to execute the code for the analysis. Working with Findbugs helps to prevent shipping avoidable issues. It is also an excellent motivation for development teams to improve their skills and write better code in the first place.

Web Site: http://Findbugs.sourceforge.net/

Version Tested: Findbugs 2.0.1

System requirements: Java 1.5 or higher

License & Pricing: Open Source (Lesser GNU Public License)

Support: SourceForge Project (http://sourceforge.net/projects/Findbugs/)

What can I do with Findbugs?

Findbugs scans for possible bugs in Java software. Each finding is reported as a warning, but not all of these warnings are necessarily defects, e.g. warnings referring to possible performance issues. The terms bug and bug pattern are used in a misleading way by Findbugs; it would be better to talk simply about warnings, and that is the term used in the following article. All warnings are classified in four ranks: (i) scariest, (ii) scary, (iii) troubling and (iv) of concern. This rank is a hint to the developer about the possible impact/severity of the warning. The current version reports 400 warnings in nine categories:

Category (number of warnings): Samples

Correctness (142): Illegal format string; Null value is guaranteed to be dereferenced; Call to equals() comparing unrelated class and interface

Bad practice (84): Confusing method names; Method may fail to close stream; Comparison of String parameter using == or !=

Dodgy code (71): Useless control flow; Integer remainder modulo 1; Redundant null check of value known to be null

Multithreaded Correctness (45): A thread was created using the default empty run method; Class's writeObject() method is synchronized but nothing else is

Performance (27): Method concatenates strings using + in a loop; Method invokes inefficient Boolean constructor

Malicious Code Vulnerability (15): Finalizer should be protected, not public; Field isn't final and can't be protected from malicious code

Security (11): Hardcoded constant database password; A prepared statement is generated from a variable String

Experimental (3): Method may fail to clean up stream or resource

Internationalization (2): Consider using Locale parameterized version of invoked method

Table 1: Selected Findbugs Warnings by Category

The authors of Findbugs report an average rate of false warnings of less than 50%. This is a fairly good value, but in practice not even all the true warnings will be fixed by developers, for various reasons. Because of this, it is necessary to deactivate some warnings.

Findbugs provides the possibility to suppress wrong and/or unwanted warnings. There are two ways to remove warnings: (i) the entire warning is switched off for all classes in the project settings, or (ii) single warnings can be disabled for a certain piece of code (e.g. with the annotation @edu.umd.cs.findbugs.annotations.SuppressWarnings).
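The following Java class is an added example, not code from the article or from the Findbugs project. It shows the code shape behind the Security sample "A prepared statement is generated from a variable String" from Table 1, the corrected form, and the per-location suppression annotation named above for a reviewed false positive; the class, method and enum names are constructed, and the pattern identifier is assumed from the Findbugs manual.

```java
// Added example, not from the article: the code shape behind one Security sample
// from Table 1, its corrected form, and the per-location suppression annotation
// named above. Assumes the Findbugs annotations jar is on the classpath.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import edu.umd.cs.findbugs.annotations.SuppressWarnings;

public class UserLookup {

    private final Connection connection;

    public UserLookup(Connection connection) {
        this.connection = connection;
    }

    // Reported: "A prepared statement is generated from a variable String".
    // The caller-supplied name is spliced into the SQL text, so preparing the
    // statement gives no protection against injection.
    public ResultSet findByNameUnsafe(String name) throws SQLException {
        String sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        PreparedStatement stmt = connection.prepareStatement(sql);
        return stmt.executeQuery();
    }

    // Corrected form: the SQL text is a compile-time constant and the value is
    // bound as a parameter, so Findbugs reports nothing here.
    public ResultSet findByName(String name) throws SQLException {
        PreparedStatement stmt = connection.prepareStatement(
                "SELECT id, name FROM users WHERE name = ?");
        stmt.setString(1, name);
        return stmt.executeQuery();
    }

    // Reviewed false positive: the table name comes from a fixed enum, never from
    // input, so the warning is disabled for this one method only. The pattern id
    // is assumed from the Findbugs manual; the justification text is a constructed sample.
    @SuppressWarnings(value = "SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING",
            justification = "table name comes from a fixed enum, not from user input")
    public ResultSet countRows(AuditTable table) throws SQLException {
        PreparedStatement stmt = connection.prepareStatement(
                "SELECT COUNT(*) FROM " + table.name());
        return stmt.executeQuery();
    }

    public enum AuditTable { LOGINS, ORDERS }
}
```

Running Findbugs over the compiled class reports findByNameUnsafe only; the suppressed method and the parameterized query stay silent, and the justification string is visible to reviewers in the source.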

It is possible to develop custom Findbugs detectors (your own rules) and/or to integrate third-party detectors.

What is new in version 2.0?

Findbugs version 2.0 supports 24 new warnings

Detection of problems identified by JSR-305 annotations is now possible

A new attribute, bug rank, has been introduced. The bug rank is a number between 1 and 20, grouped into four values:

Scariest (1-4),

Scary (5-9),

Troubling (10-14) and

Of Concern (15-20)

The term priority has been renamed to confidence to avoid confusion with the bug rank

Simplifications of the command line interface

Support for the Google Core Libraries for Java (Guava)

Easier definition of Findbugs plug-ins

Some other improvements

Integrations and User Interfaces of Findbugs

Findbugs can be executed in many different ways: from the command line, from builds or in IDEs. Available integrations are:

Command Line, Ant and Standalone GUI (see http://Findbugs.sourceforge.net/downloads.html)

Eclipse (see http://Findbugs.cs.umd.edu/eclipse)

Maven (see http://mojo.codehaus.org/Findbugs-maven-plugin)

Netbeans (see http://jetbrains.dzone.com/tips/intellij-idea-finds-bugs)

Hudson (see http://wiki.hudson-ci.org/display/HUDSON/Findbugs+Plugin)

IntelliJ (see http://code.google.com/p/Findbugs/wiki/IntellijFindbugsPlugins)

Installation of Eclipse Plug-In

The Eclipse plug-in works with Eclipse 3.x releases from 3.3 onwards. The plug-in runs under Java 1.5 or newer.

For Eclipse 4.2 (Juno), the following steps install the plug-in:

In Eclipse, click on Help | Install New Software... and press the Add button.

Insert Name: Findbugs

Insert URL: http://Findbugs.cs.umd.edu/eclipse

Press the OK button.

You should see Findbugs in the list. Select the entry and press the Next button.

You should see the Install Details without errors; press the Next button.

Select the "I accept the terms of the license agreement" option and click the Finish button.

The plug-in is not digitally signed. Go ahead and install it anyway (press the OK button).

Click Yes to make Eclipse restart itself.

Working with Eclipse Plug-in

Working with Findbugs in Eclipse is easy and straightforward. To run the analysis, select your Java project or class. You will then find an entry Find Bugs in the context menu (see Figure 1).

Figure 1: Start Findbugs with context menu.

After the analysis has finished you may switch to the Findbugs Perspective (see Figure 2) of Eclipse.

Figure 2: Findbugs Perspective.

The Findbugs Eclipse Plug-In offers various options for customizing how warnings are shown and filtered (see Figure 3). It is worth spending some time to see the differences with changed parameters.

Figure 3: Customization of Findbugs in the Preferences dialog.

There is also the possibility to create file filters. This can be helpful to exclude parts of the project, such as the test code.

Documentation

The documentation of Findbugs is an area for improvement. The online documentation is partly outdated and/or could go into more detail. The descriptions of the warnings in the online documentation are concise and well written. Unfortunately, some parts of the descriptions are not easy to understand, even for experienced Java developers.

Conclusion

The new version of Findbugs again brings a lot of improvements and is more powerful than ever. The only point of criticism is the documentation, which is not up to date and lacks examples.

Findbugs is a good choice for starting with static code analysis in your software project. With Findbugs you can detect the "low hanging fruits" in the code, and this helps to convince the developers to accept and use static code analysis.

Other tools like PMD or Checkstyle focus more on anti-patterns, coding style and/or coding conventions. If you start with static code analysis, it will be important to convince developers (and management) of the added value of the tool. Here it is easier to discuss a warning like "Null value is guaranteed to be dereferenced" than to have a sometimes esoteric discussion about naming conventions and/or style.

Further Reading

Tutorial - Findbugs Warnings By Sample (Basics)

Tutorial - Findbugs Warnings By Sample (Database & Security)

Tutorial - Findbugs Warnings By Sample (Exception Handling & Control Flow)

Tutorial - Findbugs Warnings By Sample (@Nonnull and @CheckReturnValue of JSR-305)


This article was originally published in the Fall 2012 issue of Methods & Tools