Maven Support about spotbugs HOT 75 CLOSED

Can this issue be closed? Or should we add an entry for findbugs-maven-plugin usage in the README.md and wait for 3.1.0 to be released to the maven repos first?

from spotbugs.

Sorry but I changed my mind.
Now I prefer 2 (fork) than 1 (ask), because SpotBugs should be merge-able to FindBugs when it comes back. If we ask findbugs-maven-plugin to change dependency, it's not easy to release another FindBugs version such as 3.0.2.

I'm not sure we should care this case or not, but fork is more controllable for this organization so it should be not so worth option than 1, I believe.

from spotbugs.

I asked sonatype to help us to deploy our artifacts to Maven central.

• https://issues.sonatype.org/browse/OSSRH-27535
• http://central.sonatype.org/pages/ossrh-guide.html
• http://central.sonatype.org/pages/gradle.html

from spotbugs.

ah... mebigfatguy

from spotbugs.

Maven support would be very nice indeed.

The "using spotbugs" section of https://spotbugs.github.io/ actually links to the findbugs maven and gradle plugins. Maybe this should be updated?

from spotbugs.

I'd probably leave it open until we release to maven central and provide working instructions to use SpotBugs from Maven.

from spotbugs.

@levonk If it's any consolation, I'm likely to use SpotBugs with the findbugs-maven-plugin myself, and thus notice if it breaks.

from spotbugs.

@KengoTODA great initiative!

We should ask them to grant permissions to a couple more of us, to avoid another FindBugs situation. My username for Sonatype is jsotuyod, please ask them to grant me access.

I know @mebigfatguy also has a user, since he uploads fb-contrib there, but I'm not sure what's his username.

from spotbugs.

I actually favor option 3, unless we actually need to fix findbugs-maven-plugin in some way. Forking just to declare a different dependency smells of a poor dependency resolution mechanism.

from spotbugs.

While it would be great for maven to make those changes, history dictates that will take a long time. That said, I already have a fork of findbugs maven plugin so I have branched off as spotbugs and have switched plus upgraded the plugin itself (dependencies / internal plugins, etc).

I have already pushed out a snapshot in case anyone wants to try it. I'm otherwise continuing to update pieces of the findbugs plugin to get it fully up-to-date before I cut a release. Most likely this weekend which I'll turn around and immediately use in a number of projects. Then I'll try to get some of that back to the original and maybe even spotbugs down the road. I suspect that will be easier than waiting on maven core to change.

<dependency>
    <groupId>com.github.hazendaz.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>3.0.5-SNAPSHOT</version>
</dependency>

from spotbugs.

@hazendaz : can you please create the maven version for RC4 build?

In general: it would be very good if we somehow could synchronize maven plugin and spotbugs releases. Any ideas how? Does it makes sense if the fork you maintain would just move to the spotbugs organization as spotbugs-maven project?

from spotbugs.

@KengoTODA Can you go over to sonatype jira and reply on this jira ticket (https://issues.sonatype.org/browse/OSSRH-27535)? I need to get access so I can push spotbugs-maven-plugin from here. At the moment not sure where they were looking since github is showing me as part of the group but assuming they looked only at this repo rather than overall or others.

from spotbugs.

@KengoTODA

Please give this one a try. It's released to sonatype so you should be able to pull it.

                <plugin>
                    <groupId>com.github.spotbugs</groupId>
                    <artifactId>spotbugs-maven-plugin</artifactId>
                    <version>3.1.0-SNAPSHOT</version>
                </plugin>

If this looks good, I'll push it sometime tomorrow on RC5. I guess what I was trying to really get at, is that if I were to change every notion of findbugs to spotbugs we would be looking at 100+ file changes and pretty sure a merge nightmare if things are changed back at findbugs maven plugin. This is a second attempt at much less scope but still rather large. RC5 can be used for testing grounds to see if that flushes out ok. So far, the issues you raised are fixed. Logging though might still say findbugs but the reporting shows spotbugs now and the running is spotbugs:spotbugs.

from spotbugs.

I've got 13 of the tests passing now. The original findbugs maven plugin only has 18 IT tests pass. So I'm getting closer to having same results.

from spotbugs.

from spotbugs.

from spotbugs.

@levonk is there any specific reason for which the OSS findbugs-maven-plugin wouldn't work if it used a SpotBugs release instead of FindBugs 3.0.1?

I'm just wondering if this is only concern for Maven integration (which is a priority, just like Gradle and ant) which could be achieved by reaching out to the teams managing those projects, or there is a structural issue with the current Maven plugins that needs a different approach.

from spotbugs.

No Structural issue, but if a new project were to be created then having the integration plugins as modules to the main project makes the most amount of sense.

Is this project going to continue now that FindBugs is supposedly back on track?

from spotbugs.

So far Bill has only responded on HN, not on any official FindBugs channel. His response was vague and still wanting on actual plans for the future. The confidence on him as a project leader has been severely damaged, and at this point we have no guarantee that:

1. he is actually coming back
2. that we won't end back in the same spot in a couple months

SpotBugs will continue it's current work until then. If the project was to be shutdown, we would merge back.

from spotbugs.

Sure, I've asked them to add:

• https://issues.sonatype.org/browse/OSSRH-27535?focusedCommentId=389547&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-389547

from spotbugs.

I found this problem when I worked for #111, however this issue should be better place to discuss so I will note about it at here.

I tried to use maven-findbugs-plugin with SpotBugs 3.1.
It is possible by adding <dependency> like the following snippet:

        <plugin>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>findbugs-maven-plugin</artifactId>
          <version>3.0.4</version>
          <dependencies>
            <dependency>
              <groupId>com.github.spotbugs</groupId>
              <artifactId>spotbugs</artifactId>
              <version>3.1.0-SNAPSHOT</version>
            </dependency>
          </dependencies>
        </plugin>

But this way has a problem: maven plugin still depends on FindBugs 3.0.1, so it has both of FindBugs and SpotBugs. I also confirmed that AuxClasspath includes both of them.

Ideally it should be possible to put <exclusion> like below, but it's not supported by current latest Maven.

        <plugin>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>findbugs-maven-plugin</artifactId>
          <version>3.0.4</version>
          <dependencies>
            <dependency>
              <groupId>com.github.spotbugs</groupId>
              <artifactId>spotbugs</artifactId>
              <version>3.1.0-SNAPSHOT</version>
            </dependency>
          </dependencies>
          <exclusions>
            <exclusion>
              <groupId>com.google.code.findbugs</groupId>
              <artifactId>findbugs</artifactId>
            </exclusion>
          </exclusions>
        </plugin>

I think we have several options to choose:

1. ask to release findbugs-maven-plugin which depends on SpotBugs instead of FindBugs
2. fork findbugs-maven-plugin to provide spotbugs-maven-plugin from this organization
3. send a patch to Apache Maven to support excluding direct dependency of plugin\
   • currently I cannot estimate for this option
4. guarantee that plugin should work even though it depends on both of SpotBugs and FindBugs
   • this might be hard, we need to consider many cases

I think we can have a try for 1, shall I mention to Mr.gleclaire to ask?

from spotbugs.

I found a feature request (but not a patch) for option 3: https://issues.apache.org/jira/browse/MNG-6222

See also https://stackoverflow.com/a/43652129/14379

from spotbugs.

nice

from spotbugs.

@hazendaz , is it possible for you to make stable version of your forked plugin ?
Without stable version it is hard to start to use your plugin , maven release plugin do not accept dependencies to snapshots. In checkstyle project we plan to use your plugin.

from spotbugs.

@romani I pushed a new snapshot. Can you give it a run and let me know if it is working for you? If so, I'll push the release in next day or so.

from spotbugs.

@hazendaz , please do release version. We tested your snapshot version - it works fine.

from spotbugs.

from spotbugs.

@romani I've pushed the release. It should show in central in next couple of hours.

from spotbugs.

Thanks for that!
I've tried to integrate it. All works fine, I've got a lot of new issues reported (e.g. potential NPEs in lambdas, etc.). Great to see some progress in findbugs again!

However, when I tried to enable "fb-contrib" plugin, which we used with findbugs (actually, in the same way as we did there) - I started getting following error:

[ERROR] Failed to execute goal com.github.hazendaz.spotbugs:spotbugs-maven-plugin:3.0.5:findbugs (findbugs) on project : Execution findbugs of goal com.github.hazendaz.spotbugs:spotbugs-maven-plugin:3.0.5:findbugs failed: No signature of method: org.apache.maven.shared.artifact.resolve.internal.DefaultArtifactResolver.resolve() is applicable for argument types: (org.apache.maven.artifact.DefaultArtifact, java.util.Collections$UnmodifiableRandomAccessList, org.apache.maven.artifact.repository.MavenArtifactRepository) values: [com.mebigfatguy.fb-contrib:fb-contrib:jar:7.0.2:, [ id:
[ERROR] url:
[ERROR] layout: default
[ERROR] snapshots: [enabled => false, update => daily]
[ERROR] releases: [enabled => true, update => daily]
[ERROR] , ...], ...]
[ERROR] -> [Help 1]

Plugin's config is:

<plugin>
    <groupId>com.github.hazendaz.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>3.0.5</version>
    <configuration>
        <effort>Max</effort>
        <threshold>Low</threshold>
        <excludeFilterFile>${basedir}/findbugs-exclude.xml</excludeFilterFile>
        <plugins>
            <plugin>
                <groupId>com.mebigfatguy.fb-contrib</groupId>
                <artifactId>fb-contrib</artifactId>
                <version>7.0.2</version>
            </plugin>
        </plugins>
    </configuration>
</plugin>

Not sure, where I should report this, so will leave here.

from spotbugs.

@anatoliy-balakirev My bad on this. I updated a little too far with maven best I understand at the moment. I dropped back two import changes and switched to maven-compat. Issue is fixed. I'm going to release 3.0.6 shortly. Keep an eye out for it and let me know if it fixes your issue as I believe it will.

from spotbugs.

@anatoliy-balakirev It's released, should be in central in a couple of hours.

from spotbugs.

@hazendaz Yep, it works now. Thanks a lot!

from spotbugs.

@KengoTODA : we schould change the link in spotbugs.github.io to point to some page where we describe which plugin to use with maven.

from spotbugs.

@iloveeclipse OK I will propose two PRs: one is for migration guide in new site, another is for usage page in spotbugs.github.io.

@hazendaz Do you have web page for this forked repository? If not, I'll use spotbugs branch in your repo.

from spotbugs.

from spotbugs.

from spotbugs.

@hazendaz I've invited you to project team - if you need something else to proceed, just ask.

from spotbugs.

from spotbugs.

@iloveeclipse While trying to work out how to land this I went ahead and cut a release under my location aligning to spotbugs 3.1.0-RC4 along with version number. I've opened a discussion over on findbugs maven plugin to get a bit of feedback before moving further. Hopefully will have that figured out in a few days.

I have also now joined spotbugs org. Thanks for the invite.

from spotbugs.

@hazendaz - you are welcome, it is very important to have people on board with maven knowledge (I'm not the one :).

from spotbugs.

@iloveeclipse I transferred over the copy of findbugs I have. Can you grant me admin access on that one so I can start working to rebrand it away from findbugs? First off the project name needs to be changed to spotbugs-maven-plugin and beyond that the core work which now isn't much as original author accepted most everything is on a separate branch. So I want to get that all aligned and then work on getting the word 'findbugs' out of there as much as possible.

from spotbugs.

@hazendaz : you have admin access now.

from spotbugs.

from spotbugs.

If you could cut a version for RC4, it would be a good start, going back does not make sense. Please once you do this, update SpotBugs homepage / manual documentation or open ticket to do so. Also it would be great if you could draft a small readme in the new project how to build and release it to maven repos.

from spotbugs.

@iloveeclipse Basics are up on plugin now. Since I already cut RC4 under old tag that probably is good enough for the moment. I'll add a redirect pom on next release and then switch it over. For now, added a couple of badges and rebranding so the plugin is looking more like spotbugs. I'm also using spotbugs branch as main branch there for time being since I got traction on findbugs maven plugin and there are enough valid issues over there that I think fixing at source is a good idea then merging into this line.

from spotbugs.

@hazendaz I've commented as https://issues.sonatype.org/browse/OSSRH-27535?focusedCommentId=426063&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-426063 please confirm.

from spotbugs.

from spotbugs.

What is the status of this task? Can we close it as fixed?

from spotbugs.

from spotbugs.

I'm going to hold off pushing for now until I get this more friendly to spotbugs full usage including the mojo. I'll try to get this out this weekend. You probably can still close this and just point to the last I released under my branding. It's on RC4. But manual runs like 'mvn spotbugs:findbugs' are required on that at the moment which I want to fix.

from spotbugs.

I found one TODO:

• Update FAQ in official manual, it needs to guide users to the latest Maven plugin.

from spotbugs.

from spotbugs.

Ping. We are close to RC6 (waiting on ASM6 release only). Would be great to have everything prepared on the maven side too.

from spotbugs.

@iloveeclipse Need some feedback. Should I pretty much just leave findbugs plugin as-is or rebrand it entirely? I'm trying to rebrand it entirely but that will take a bit longer. If I leave it as-is, I can release pretty much now. It's a lot to actually rebrand it entirely but if done it would support running both findbugs maven plugin and spotbugs maven plugin if someone wanted to actually do that.

from spotbugs.

@hazendaz : I must confess, I'm not a maven expert.

My personal understanding right now:

• Java 9 is just released. People will start trying it. They will need proper tooling support.
• => SpotBugs should be released soon! We wait for ASM6 (end of September) only.
• Once we will have ASM 6, we will create RC6.
• If nothing big will be broken in RC6, we should finally release 3.1.0.

This all above means, for RC6 we must have maven support. If you think rebranding will timely not fit into RC6, create a new task and we will postpone it to 4.0.

The main point right now is to get something for maven flying with RC6.

from spotbugs.

I will test in my personal Maven project.
https://github.com/KengoTODA/findbugs-slf4j/blob/master/pom.xml

from spotbugs.

from spotbugs.

from spotbugs.

@hazendaz I confirmed that 3.1.0-RC4 can work as expected, however it has only findbugs goal so I need to run mvn spotbugs:findbugs which seems strange. It will be nice if we can add alias to let users do mvn spotbugs:spotbugs.

And when I run mvn site, it prints several "FindBugs" in its message:

[INFO] Done FindBugs Analysis....

[INFO] Generating "FindBugs" report             --- spotbugs-maven-plugin:3.1.0-RC4:findbugs

from spotbugs.

@hazendaz About logging, it still says:

[INFO] Done FindBugs Analysis....

And hyperlink in HTML generated by site goal uses http://findbugs.sourceforge.net/ ,
I will attach generated file at here: bug-pattern – SpotBugs Bug Detector Report.htm.zip

At last, when spotbugs:check failed, it says that To see bug detail using the Findbugs GUI, use the following command "mvn findbugs:gui". It's better to replace two FindBugs in this comment.

from spotbugs.

Thanks! I'll work on it some more tomorrow to fix those issues.

from spotbugs.

@hazendaz : would be great to see some commits :-)
RC6 was a little bit buggy, but I really hope we can push the "final" RC and stable 3.1.0 in the next days.

from spotbugs.

@iloveeclipse If you mean #405, it does not affect Maven plugin. So I think Maven user can use it as stable version.

from spotbugs.

Sure, I just wanted to have all bits there for a release, and if I get it right, maven integration needs some smaller polishing for 3.1.0. My vision is to get 3.1.0 out of the door as soon as possible, and except maven part it looks good.

from spotbugs.

from spotbugs.

I believe we only need maven bits for the next RC and if nothing bad happens, we can declare 3.1.0. You can see it here:
https://github.com/spotbugs/spotbugs/milestone/1

I've just set the due date to October 15. I think this is acceptable.

from spotbugs.

All of my code is up currenty here

I'm unable to get the integration tests working. Only 8 want to succeed. The original fails as well but for different reasons (expected test failures never match - always one off). On the new code it just doesn't seem to be doing what is expected.

Overall there is still quite a bit of 'findbugs' all over this. Honestly this is probaby more extensive than I would have ever written a plugin. While it's great that it has integration tests to flush out the plugin working, it would be better if I could find down what is making them fail. Any help would be appreciated.

Because I'm still tracking original plugin I would further anticipate a lot of rebasing/squashing as changes come onto there unless we start adding value here. Rebranding by itself I don't feel warrants a lot of commits. The only two I'm really holding steady on is the original post findbugs commit I made to release early versions of this and the new site generation. I'll keep those separate. All my other commits are simply more of the same trying to flush out findbugs as much as possible.

from spotbugs.

I use the spotbugs-maven-plugin and found some places where it still references findbugs.

Will this be fixed or where should such issues be reported? I understand that the differences to the findbugs plugin should be minimized but I think in the long term we will all use spotbugs...

from spotbugs.

@hazendaz : can we close this one, or what is still missing? I want to cut a release this weekend.

from spotbugs.

@iloveeclipse All good on release front. Here is my plan.

As soon as final integration tests run that I'm testing now, I'm releasing RC5. Then will update to RC6 and wait until I hear back from anyone else that wants to confirm. I have run both findbugs and spotbugs in same project and it worked as I expected. Both are feasiable to be run. After further verifications, I'm good to run with release 3.1.0. There is a defect in the build itself on the main plugin but that won't affect users and PR is outstanding to fix that. I can just consume that on here too so it's none issue here even though not pulled over there.

from spotbugs.

You can close this one. RC5 of the maven plugin has been released. I'm testing with RC6 now. Please give the plugin a go and let me know if any issues. All looks good to me so I'm ready as well for 3.1.0 release.

from spotbugs.

Closing. Both RC5 and RC6 are now released.

from spotbugs.

Thanks Jeremy, I really appretiate your help.

from spotbugs.

@hazendaz
There are no new releases of com.github.hazendaz.spotbugs » spotbugs-maven-plugin maven repo. Last version is 3.1.0-RC4. Is there a new spotbugs maven plugin available which is under Apache 2.0 license?

from spotbugs.

@hazendaz ,
thanks a lot for a notice ... but here is problem with upgrade spotbugs/spotbugs-maven-plugin#30

from spotbugs.