Exclusion of com.google.code.findbugs:jsr305 in Jenkins core

[Ullrich Hafner]

I’m not sure who is reading the issue tracker for our plugin-pom so I am asking the same question here as well:

Maven SpotBugs Plugin >= 4.9.5.0 fails when the JSR 305 annotations are not on the classpath. For reference see: spotbugs/spotbugs-maven-plugin#1209 (comment)

This version is not yet released in our parent-pom (only merged so far) but I think as soon as we release it we will get additional reports from other people. I tried the new version in my analysis-pom and get failures now:

jenkinsci/jquery3-api-plugin#255 (and https://github.com/jenkinsci/jquery3-api-plugin/actions/runs/17898491556/job/50888315843?pr=255)

It might be caused by Jenkins core where we have the exclusion:

    <dependency>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-annotations</artifactId>
      <exclusions>
        <exclusion>
          <groupId>com.google.code.findbugs</groupId>
          <artifactId>jsr305</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

And plugins do import the annotations with the scope provided. So this will cause a problem for all plugins soon.  Do you have an idea what to do? I can bundle the JSR 305 library in my plugins but I am not sure if this is the correct way.

[James Nord]

This sounds like a bug in spotbugs that should be reported. (Spotbugs not the spotbugs-maven-plugin).

As for workarounds don't upgrade would be the trivial one,

Otherwise did you try adding the dependency to the <plugin> itself in your pom?  (https://maven.apache.org/pom.html#Plugins)

Please don't bundle the annotations in your plugins.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/jenkinsci-dev/B9BCB6F0-5129-4338-8A70-4971993EF4AA%40gmail.com.

[Mark Waite]

On Monday, September 22, 2025 at 1:23:53 PM UTC-6 Ullrich Hafner wrote:

I’m not sure who is reading the issue tracker for our plugin-pom so I am asking the same question here as well:

Maven SpotBugs Plugin >= 4.9.5.0 fails when the JSR 305 annotations are not on the classpath. For reference see: spotbugs/spotbugs-maven-plugin#1209 (comment)

I'm not able to duplicate the issue with the tip of the master branch from the plugin-pom directory using plugins that I maintain.

I built and installed the tip of the master branch locally with `mvn clean install` and then updated several plugins to use 5.27-SNAPSHOT as their parent pom.  I ran `mvn clean -Dtest=InjectedTest verify` on those plugins and the build succeeded in all but one case.  In that case, there were new spotbugs warnings, but no failure to build.  The plugins that I checked were:

• apache-httpcomponents-client-4-api-plugin
• basic-branch-build-strategies-plugin
• embeddable-build-status-plugin
• git-client-plugin
• gitlab-plugin
• git-plugin
• implied-labels-plugin
• javadoc-plugin
• markdown-formatter-plugin
• nodelabelparameter-plugin
• platformlabeler-plugin
• priority-sorter-plugin
• versioncolumn-plugin

Is that failure limited to plugins that you maintain or can you see it on other plugins as well?

Mark Waite

[Ullrich Hafner]

Actually I haven’t tried other plugins. I just realized that the builds of all my plugins failed. Maybe it is a configuration problem specific to my plugins, as I am using a different SpotBugs configuration.

After add JSR 305 as dependency to the spotbugs-plugin my builds are green again. So I am closing the issue. 

@James Thanks for the configuration tip

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/jenkinsci-dev/85bbf5ed-bb0e-4686-8ce0-5016244dea8bn%40googlegroups.com.