How to integrate find-sec-bugs in spotbugs?

Recently I downloaded the findsecbugs-plugin-1.11.0.jar in order to use it in spotbugs. I copied this jar file to the folder plugin of the project spotbugs(4.1.4).

I execute spotbugs making use of ant. When I run the ant target I get the following message:

 [spotbugs] Executing SpotBugs FindBugsTask from ant task
 [spotbugs] Running SpotBugs...
 [spotbugs] The following classes needed for analysis were missing:
 [spotbugs]   apply
 [spotbugs]   applyAsInt
 [spotbugs]   test
 [spotbugs]   accept
 [spotbugs] Java Result: 3
 [spotbugs] Classes needed for analysis were missing

Do you know what extra jar files I need?



Solution 1:[1]

Unfortunately, the Ant integration does not have a plugin configuration.

Option 1: Exec Task

You could run the command-line version of Find-Security-Bugs. You have to invoke the tool with the exec task. With this, you will be able to generate XML, HTML and SARIF reports.

Option 2: Java task

As an alternative, you can use the Java task to invoke the class edu.umd.cs.findbugs.FindBugs2 which handles the CLI interface of SpotBugs.

You can take inspiration from the Maven implementation, which uses the AntRunner under the hood.

ant.java(classname: "edu.umd.cs.findbugs.FindBugs2", inputstring: getSpotbugsAuxClasspath(), fork: "${fork}", failonerror: "true", clonevm: "false", timeout: "${timeout}", maxmemory: "${maxHeap}m") {
...
}

I'm not 100% sure that you can define pluginArtifacts from an Ant script. You might have to create a small plugin to do it.

Solution 2:[2]

Although not documented in https://spotbugs.readthedocs.io/en/latest/ant.html#parameters, the Ant integration does support plugins using the pluginList parameter (see https://github.com/spotbugs/spotbugs/blob/master/spotbugs-ant/src/main/java/edu/umd/cs/findbugs/anttask/FindBugsTask.java). So,

<spotbugs home="..." ... 
          pluginList="findsecbugs-plugin-1.12.0.jar">
...
</spotbugs>

works. Try running with parameter debug="true" to see details.
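A complete Ant target wired the way Solution 2 describes, as an added example rather than code from either answer. It assumes SpotBugs is unpacked under lib/spotbugs with the Find-Security-Bugs jar from the question copied into its plugin/ folder, compiled classes in build/classes, third-party jars in lib/runtime and sources in src/main/java; adjust those paths to your layout.

```xml
<!-- build.xml fragment: run SpotBugs with Find-Security-Bugs loaded through pluginList -->
<project name="secscan" default="spotbugs">
  <!-- Assumed layout: SpotBugs 4.1.4 under lib/spotbugs, FSB jar copied into its plugin/ folder -->
  <property name="spotbugs.home" value="lib/spotbugs"/>
  <property name="classes.dir" value="build/classes"/>
  <property name="report.dir" value="build/reports"/>

  <!-- Jars that provide the Ant task itself -->
  <path id="spotbugs.classpath">
    <fileset dir="${spotbugs.home}/lib" includes="*.jar"/>
  </path>

  <!-- Jars the analysed code depends on but that should not be analysed themselves;
       SpotBugs reports classes needed for analysis as missing when these are absent -->
  <path id="aux.classpath">
    <fileset dir="lib/runtime" includes="*.jar"/>
  </path>

  <taskdef name="spotbugs"
           classname="edu.umd.cs.findbugs.anttask.FindBugsTask"
           classpathref="spotbugs.classpath"/>

  <target name="spotbugs">
    <mkdir dir="${report.dir}"/>
    <!-- pluginList is the undocumented attribute from Solution 2; debug="true" prints plugin loading -->
    <spotbugs home="${spotbugs.home}"
              pluginList="${spotbugs.home}/plugin/findsecbugs-plugin-1.11.0.jar"
              output="xml:withMessages"
              outputFile="${report.dir}/spotbugs.xml"
              effort="max"
              reportLevel="low"
              failOnError="true"
              debug="false"
              jvmargs="-Xmx1024m">
      <auxClasspath refid="aux.classpath"/>
      <sourcePath path="src/main/java"/>
      <class location="${classes.dir}"/>
    </spotbugs>
  </target>
</project>
```

The XML report lists Find-Security-Bugs findings under the SECURITY category alongside the stock SpotBugs detectors, so a missing SECURITY entry in a run that should have produced one is the quickest sign the plugin was not loaded.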

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
