SpotBugs 是FindBugs的继任者,使用静态分析来查找Java代码中bug。是一款自由软件,按照GNU Lesser General Public License 的条款发布。该工程以容器方式,对spotbugs工具进行封装,并定义标准输入和输出。从而保证CodeCC平台数据解析模版化。
sdk:适配工具脚步路径
software: 安装包路径
tool: 工具二进制路径
spotbugs 4.0.6
{"projName":"DEVOPS_A6AC1784A0951044","scanPath":"/data/iegci/test_tool/test_code/codeFormatTest","whitePathList":[],"toolOptions":[{"optionName":"subPath","optionValue":"./spotbugs_scan/tool"}],"buildScript":"/data/build.sh","scanType":"full","skipPaths":["./\.svn/.","./\.git/.","./\.temp/."],"incrementalFiles":[],"openCheckers":[{"checkerName":"BC-IMPOSSIBLE-DOWNCAST","nativeChecker":true},{"checkerName":"BC-IMPOSSIBLE-CAST","nativeChecker":true}]}
| 字段名 | 说明 | 举例 |
|---|---|---|
| projName | 项目名称 | DEVOPS_214A69F1F4F935DE |
| scanPath | 待扫描的路径,此处需使用绝对路径 | /data/project/code |
| whitePathList | 指定扫描路径列表(白名单) | /data/project/code/src |
| toolOptions | 工具属性,指定spotbugs安装路径 | [{"optionName":"subPath","optionValue":"./spotbugs_scan/tool"}] |
| buildScript | java项目编译脚步路径 | /data/build.sh |
| scanType | 进行全量或增量检查 | full或increment |
| skipPaths | 屏蔽路径正则表达式列表(黑名单) | [".*/demo/.*", ".*/protobuf/.*"] |
| incrementalFiles | 增量扫描的文件清单,清单为空表示全量扫描 | ["/data/project/code/src/main.java", "/data/project/code/src/test.java"]] |
| openCheckers | 打开的规则列表 | [{"checkerName":"BC-IMPOSSIBLE-DOWNCAST","nativeChecker":true},{"checkerName":"BC-IMPOSSIBLE-CAST","nativeChecker":true}] |
| checkerName | 规则名称, 参考附2 | BC-IMPOSSIBLE-CAST |
| nativeChecker | 是否工具默认规则 | true |
cd ./spotbugs_scan
python3 ./src/spotbugs.py --input=/data/input.json --output=/data/output.json
{"defects":[{"checkerName":"BC-IMPOSSIBLE-CAST","description":" Impossible cast","filePath":"/data/iegci/test_tool/test_code/checkstyle_scan/sdk/src/config.java","line":"33"},{"checkerName":"BC-IMPOSSIBLE-DOWNCAST","description":" Impossible downcast ","filePath":"/data/iegci/test_tool/test_code/checkstyle_scan/sdk/src/config.java","line":"34"}]}
| 字段名 | 说明 |
|---|---|
| defects | 告警列表 |
| filePath | 文件路径 |
| line | 文件行 |
| checkerName | 规则名称 |
| description | 规则描述 |
以下为语言对应数字,如果项目存在多语言,则数字相加:
| 数字 | 对应语言 |
|---|---|
| 1 | cs |
| 2 | cpp |
| 4 | java |
| 8 | php |
| 16 | objectivec |
| 32 | python |
| 64 | js |
| 128 | ruby |
| 512 | go |
| 1024 | swift |
| 4096 | kotlin |
| 规则名 | 规则描述 | 适用语言 |
|---|---|---|
| AM-CREATES-EMPTY-JAR-FILE-ENTRY | Creates an empty jar file entry | JAVA |
| AM-CREATES-EMPTY-ZIP-FILE-ENTRY | Creates an empty zip file entry | JAVA |
| AT-OPERATION-SEQUENCE-ON-CONCURRENT-ABSTRACTION | Sequence of calls to concurrent abstraction may not be atomic | JAVA |
| BAC-BAD-APPLET-CONSTRUCTOR | Bad Applet Constructor relies on uninitialized AppletStub | JAVA |
| BC-BAD-CAST-TO-ABSTRACT-COLLECTION | Questionable cast to abstract collection | JAVA |
| BC-BAD-CAST-TO-CONCRETE-COLLECTION | Questionable cast to concrete collection | JAVA |
| BC-EQUALS-METHOD-SHOULD-WORK-FOR-ALL-OBJECTS | Equals method should not assume anything about the type of its argument | JAVA |
| BC-IMPOSSIBLE-CAST | Impossible cast | JAVA |
| BC-IMPOSSIBLE-DOWNCAST | Impossible downcast | JAVA |
| BC-IMPOSSIBLE-DOWNCAST-OF-TOARRAY | Impossible downcast of toArray() result | JAVA |
| BC-IMPOSSIBLE-INSTANCEOF | instanceof will always return false | JAVA |
| BC-UNCONFIRMED-CAST | Unchecked/unconfirmed cast | JAVA |
| BC-UNCONFIRMED-CAST-OF-RETURN-VALUE | Unchecked/unconfirmed cast of return value from method | JAVA |
| BC-VACUOUS-INSTANCEOF | instanceof will always return true | JAVA |
| BIT-ADD-OF-SIGNED-BYTE | Bitwise add of signed byte value | JAVA |
| BIT-AND | Incompatible bit masks | JAVA |
| BIT-AND-ZZ | Check to see if ((…) & 0) == 0 | JAVA |
| BIT-IOR | Incompatible bit masks | JAVA |
| BIT-IOR-OF-SIGNED-BYTE | Bitwise OR of signed byte value | JAVA |
| BIT-SIGNED-CHECK | Check for sign of bitwise operation | JAVA |
| BIT-SIGNED-CHECK-HIGH-BIT | Check for sign of bitwise operation involving negative number | JAVA |
| BOA-BADLY-OVERRIDDEN-ADAPTER | Class overrides a method implemented in super class Adapter wrongly | JAVA |
| BSHIFT-WRONG-ADD-PRIORITY | Possible bad parsing of shift operation | JAVA |
| BX-BOXING-IMMEDIATELY-UNBOXED | Primitive value is boxed and then immediately unboxed | JAVA |
| BX-BOXING-IMMEDIATELY-UNBOXED-TO-PERFORM-COERCION | Primitive value is boxed then unboxed to perform primitive coercion | JAVA |
| BX-UNBOXED-AND-COERCED-FOR-TERNARY-OPERATOR | Primitive value is unboxed and coerced for ternary operator | JAVA |
| BX-UNBOXING-IMMEDIATELY-REBOXED | Boxed value is unboxed and then immediately reboxed | JAVA |
| CAA-COVARIANT-ARRAY-ELEMENT-STORE | Possibly incompatible element is stored in covariant array | JAVA |
| CAA-COVARIANT-ARRAY-FIELD | Covariant array assignment to a field | JAVA |
| CAA-COVARIANT-ARRAY-LOCAL | Covariant array assignment to a local variable | JAVA |
| CAA-COVARIANT-ARRAY-RETURN | Covariant array is returned from the method | JAVA |
| CD-CIRCULAR-DEPENDENCY | Test for circular dependencies among classes | JAVA |
| CI-CONFUSED-INHERITANCE | Class is final but declares protected field | JAVA |
| CN-IDIOM | Class implements Cloneable but does not define or use clone method | JAVA |
| CN-IDIOM-NO-SUPER-CALL | clone method does not call super.clone() | JAVA |
| CN-IMPLEMENTS-CLONE-BUT-NOT-CLONEABLE | Class defines clone() but doesn’t implement Cloneable | JAVA |
| CNT-ROUGH-CONSTANT-VALUE | Rough value of known constant found | JAVA |
| CO-ABSTRACT-SELF | Abstract class defines covariant compareTo() method | JAVA |
| CO-COMPARETO-INCORRECT-FLOATING | compareTo()/compare() incorrectly handles float or double value | JAVA |
| CO-COMPARETO-RESULTS-MIN-VALUE | compareTo()/compare() returns Integer.MIN_VALUE | JAVA |
| CO-SELF-NO-OBJECT | Covariant compareTo() method defined | JAVA |
| DB-DUPLICATE-BRANCHES | Method uses the same code for two branches | JAVA |
| DB-DUPLICATE-SWITCH-CLAUSES | Method uses the same code for two switch clauses | JAVA |
| DC-DOUBLECHECK | Possible double check of field | JAVA |
| DC-PARTIALLY-CONSTRUCTED | Possible exposure of partially initialized object | JAVA |
| DE-MIGHT-DROP | Method might drop exception | JAVA |
| DE-MIGHT-IGNORE | Method might ignore exception | JAVA |
| DL-SYNCHRONIZATION-ON-BOOLEAN | Synchronization on Boolean | JAVA |
| DL-SYNCHRONIZATION-ON-BOXED-PRIMITIVE | Synchronization on boxed primitive | JAVA |
| DL-SYNCHRONIZATION-ON-SHARED-CONSTANT | Synchronization on interned String | JAVA |
| DL-SYNCHRONIZATION-ON-UNSHARED-BOXED-PRIMITIVE | Synchronization on boxed primitive values | JAVA |
| DLS-DEAD-LOCAL-INCREMENT-IN-RETURN | Useless increment in return statement | JAVA |
| DLS-DEAD-LOCAL-STORE | Dead store to local variable | JAVA |
| DLS-DEAD-LOCAL-STORE-IN-RETURN | Useless assignment in return statement | JAVA |
| DLS-DEAD-LOCAL-STORE-OF-NULL | Dead store of null to local variable | JAVA |
| DLS-DEAD-LOCAL-STORE-SHADOWS-FIELD | Dead store to local variable that shadows field | JAVA |
| DLS-DEAD-STORE-OF-CLASS-LITERAL | Dead store of class literal | JAVA |
| DLS-OVERWRITTEN-INCREMENT | Overwritten increment | JAVA |
| DM-BOOLEAN-CTOR | Method invokes inefficient Boolean constructor; use Boolean.valueOf(…) instead | JAVA |
| DM-BOXED-PRIMITIVE-FOR-COMPARE | Boxing a primitive to compare | JAVA |
| DM-BOXED-PRIMITIVE-FOR-PARSING | Boxing/unboxing to parse a primitive | JAVA |
| DM-BOXED-PRIMITIVE-TOSTRING | Method allocates a boxed primitive just to call toString | JAVA |
| DM-CONVERT-CASE | Consider using Locale parameterized version of invoked method | JAVA |
| DM-DEFAULT-ENCODING | Reliance on default encoding | JAVA |
| DM-EXIT | Method invokes System.exit(…) | JAVA |
| DM-FP-NUMBER-CTOR | Method invokes inefficient floating-point Number constructor; use static valueOf instead | JAVA |
| DM-GC | Explicit garbage collection; extremely dubious except in benchmarking code | JAVA |
| DM-INVALID-MIN-MAX | Incorrect combination of Math.max and Math.min | JAVA |
| DM-MONITOR-WAIT-ON-CONDITION | Monitor wait() called on Condition | JAVA |
| DM-NEW-FOR-GETCLASS | Method allocates an object, only to get the class object | JAVA |
| DM-NEXTINT-VIA-NEXTDOUBLE | Use the nextInt method of Random rather than nextDouble to generate a random integer | JAVA |
| DM-NUMBER-CTOR | Method invokes inefficient Number constructor; use static valueOf instead | JAVA |
| DM-RUN-FINALIZERS-ON-EXIT | Method invokes dangerous method runFinalizersOnExit | JAVA |
| DM-STRING-CTOR | Method invokes inefficient new String(String) constructor | JAVA |
| DM-STRING-TOSTRING | Method invokes toString() method on a String | JAVA |
| DM-STRING-VOID-CTOR | Method invokes inefficient new String() constructor | JAVA |
| DM-USELESS-THREAD | A thread was created using the default empty run method | JAVA |
| DMI-ANNOTATION-IS-NOT-VISIBLE-TO-REFLECTION | Can’t use reflection to check for presence of annotation without runtime retention | JAVA |
| DMI-ARGUMENTS-WRONG-ORDER | Reversed method arguments | JAVA |
| DMI-BAD-MONTH | Bad constant value for month | JAVA |
| DMI-BIGDECIMAL-CONSTRUCTED-FROM-DOUBLE | BigDecimal constructed from double that isn’t represented precisely | JAVA |
| DMI-BLOCKING-METHODS-ON-URL | The equals and hashCode methods of URL are blocking | JAVA |
| DMI-CALLING-NEXT-FROM-HASNEXT | hasNext method invokes next | JAVA |
| DMI-COLLECTION-OF-URLS | Maps and sets of URLs can be performance hogs | JAVA |
| DMI-COLLECTIONS-SHOULD-NOT-CONTAIN-THEMSELVES | Collections should not contain themselves | JAVA |
| DMI-CONSTANT-DB-PASSWORD | Hardcoded constant database password | JAVA |
| DMI-DOH | D’oh! A nonsensical method invocation | JAVA |
| DMI-EMPTY-DB-PASSWORD | Empty database password | JAVA |
| DMI-ENTRY-SETS-MAY-REUSE-ENTRY-OBJECTS | Adding elements of an entry set may fail due to reuse of Entry objects | JAVA |
| DMI-FUTILE-ATTEMPT-TO-CHANGE-MAXPOOL-SIZE-OF-SCHEDULED-THREAD-POOL-EXECUTOR | Futile attempt to change max pool size of ScheduledThreadPoolExecutor | JAVA |
| DMI-HARDCODED-ABSOLUTE-FILENAME | Code contains a hard coded reference to an absolute pathname | JAVA |
| DMI-INVOKING-HASHCODE-ON-ARRAY | Invocation of hashCode on an array | JAVA |
| DMI-INVOKING-TOSTRING-ON-ANONYMOUS-ARRAY | Invocation of toString on an unnamed array | JAVA |
| DMI-INVOKING-TOSTRING-ON-ARRAY | Invocation of toString on an array | JAVA |
| DMI-LONG-BITS-TO-DOUBLE-INVOKED-ON-INT | Double.longBitsToDouble invoked on an int | JAVA |
| DMI-NONSERIALIZABLE-OBJECT-WRITTEN | Non serializable object written to ObjectOutput | JAVA |
| DMI-RANDOM-USED-ONLY-ONCE | Random object created and used only once | JAVA |
| DMI-SCHEDULED-THREAD-POOL-EXECUTOR-WITH-ZERO-CORE-THREADS | Creation of ScheduledThreadPoolExecutor with zero core threads | JAVA |
| DMI-THREAD-PASSED-WHERE-RUNNABLE-EXPECTED | Thread passed where Runnable expected | JAVA |
| DMI-UNSUPPORTED-METHOD | Call to unsupported method | JAVA |