[RFF] Sonar-FindBugs 3.4


philipp...@gmail.com

Jul 5, 2016, 3:17:53 PM
to SonarQube
Hi Sonar users and FindBugs users,
I would like to get your feedback on version 3.4 of the FindBugs plugin.

Release notes: 
 - This new version is compatible with SonarQube 5.6 LTS.
 - JSP files can now be scanned for XSS and more.
 - This release includes FindBugs 3.0.1, FB-Contrib 6.6.1 and FindSecBugs 1.4.6.
 - For more information about the new rules included in FB-Contrib: http://fb-contrib.sourceforge.net/
 - For more information about the new rules included in FindSecBugs: https://github.com/find-sec-bugs/find-sec-bugs/releases
 - 797 rules that cover Java and JSP files
 - New profile added: FindBugs + FB-contrib (for anybody serious about static analysis)


~~~

Vote is open until Sunday 10th 2016 at midnight (roughly 5 days).

[ ] +1
[ ] +0
[ ] -1


~~~

As usual, your feedback is more than welcome.

Enjoy!

andreas...@coremedia.com

Jul 8, 2016, 5:38:09 AM
to SonarQube, philipp...@gmail.com
Hi,

I tested sonar-findbugs-plugin 3.4.2 with SonarQube 5.6, Sonar Java Plugin 4.0 and sonar-maven-plugin 3.0.1 and ran into the following problem:

The build fails when I'm analyzing a Maven module with only test classes. For such a module there's no target/classes directory (but only target/test-classes). This causes:

[main] [INFO] Sensor FindBugs Sensor
[main] [INFO] Execute Findbugs 3.0.1...
[main] [WARNING] Findbugs needs sources to be compiled. Please build project before executing sonar or check the location of compiled classes to make it possible for Findbugs to analyse your project.
[main] [INFO] Found findbugs plugin: /home/user/some/path/project/test-module/target/sonar/findbugs/findsecbugs-plugin.jar
[main] [INFO] Findbugs output report: /home/user/some/path/project/test-module/target/sonar/findbugs-result.xml
[main] [INFO] ------------------------------------------------------------------------
[main] [INFO] BUILD FAILURE
[main] [INFO] ------------------------------------------------------------------------
[main] [INFO] Total time: 13.547 s
[main] [INFO] Finished at: 2016-07-08T11:21:59+02:00
[main] [INFO] Final Memory: 82M/1104M
[main] [INFO] ------------------------------------------------------------------------
[main] [ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.0.1:sonar (default-cli) on project test-module: Can not execute Findbugs: java.lang.RuntimeException: java.io.IOException: No files to analyze could be opened -> [Help 1]

I've checked again with the previous version 3.3 and I got the same warning, but the build did not fail. That was fine. Here's the output for the same module:

[main] [INFO] Sensor org.sonar.plugins.findbugs.FindbugsSensor
11:25:27.147 [main] WARN  o.s.plugins.findbugs.FindbugsSensor - Findbugs needs sources to be compiled. Please build project before executing sonar or check the location of compiled classes to make it possible for Findbugs to analyse your project.
[main] [INFO] Sensor org.sonar.plugins.findbugs.FindbugsSensor (done) | time=5ms

Is there some way to avoid the build error with version 3.4.2?
Otherwise I'd vote -1.

Cheers,
Andreas

Laurent Tourreau

Jul 8, 2016, 6:53:02 AM
to SonarQube, philipp...@gmail.com, andreas...@coremedia.com
Hi,
In order to use FindBugs, you must compile your code before launching the sonar analysis (FindBugs relies on bytecode).

Regards

philipp...@gmail.com

Jul 9, 2016, 12:52:41 PM
to SonarQube, philipp...@gmail.com, andreas...@coremedia.com
@Andreas and to all testers

The release candidate package has been updated.

Same location to get the plugin:

This is a very minor code change. (Two ifs added)

New behavior:
 - If there are no compiled classes to scan and some Java source files are in the main directory, it will fail.
 - If there are no compiled classes to scan and no Java source files in the main directory (i.e. only test files), it will skip the project silently and no analysis will be made.

If you have an opinion about the expected behavior or have found new failures, please add a comment to this ticket https://github.com/SonarQubeCommunity/sonar-findbugs/issues/33 for easier discussion on this specific issue.

andreas...@coremedia.com

Jul 10, 2016, 6:40:56 AM
to SonarQube, philipp...@gmail.com, andreas...@coremedia.com
The new version 3.4.3 works fine! Thank you.

+1 for releasing it

philipp...@gmail.com

Jul 11, 2016, 12:07:43 PM
to SonarQube
The feedback period is now closed.
Thanks to everyone who took some time to test the new plugin.

For reporting new issues, please use GitHub:

mkapus...@kayak.com

Jul 20, 2016, 4:47:24 AM
to SonarQube, philipp...@gmail.com
The new FindBugs sensor takes a ridiculous amount of time to analyse the same project. Old version: 2 minutes. New version: 20 minutes.

Has anyone experienced that?

philipp...@gmail.com

Jul 20, 2016, 11:46:44 AM
to SonarQube, philipp...@gmail.com, mkapus...@kayak.com
Hi Modestas,
It is hard to evaluate why it would take 10x more time to do the analysis.

I would like to know:
 - What are the languages of your project? Any Groovy, Scala, Twirl template, JSP, JRuby, etc.? In the previous version, this code was not scanned. If you have a lot of JSP, you now have a lot more code being scanned.
 - What is the memory usage during the execution (near 100%?)? I'm assuming your build is most likely using Maven. You can attach a profiler to the Maven process to see it. Many components are using internal caches: BCEL, FindBugs and its plugins. I would assume a slowdown if the memory is full.
 - What are the profiles/rules activated?
 - How many lines of code does your project have (approx)?

Laurent Tourreau

Jul 21, 2016, 6:44:28 AM
to SonarQube, philipp...@gmail.com, mkapus...@kayak.com
Hi Philippe

On the previous Findbugs plugin version 3.3 there were 282 rules marked as Deprecated.

Since 3.4 version those rules are marked as "Ready".

Can you check and tell us if it's really a mistake?

Regards

Laurent TOURREAU

Modestas Kapusinskas

Jul 21, 2016, 9:30:28 AM
to philipp...@gmail.com, SonarQube
Java, JavaScript, CSS

The build is command line. We have a multi-project setup and the same effect is seen on all projects.
One more thing: I've noticed that the Firebugs analysis no longer produces any issues, although rules are active and the profile selected is "Firebugs".

For example, the total combined analysis time of all these projects used to take ~1 hour.
Now it takes several hours.

The Firebugs sensor takes the time (filtered from the log of all project analyses):


KAYAK
Modestas Kapusinskas
Director Engineering

philipp...@gmail.com

Jul 21, 2016, 12:48:33 PM
to SonarQube, philipp...@gmail.com, mkapus...@kayak.com
Minor typo: Firebugs => FindBugs

Hi Modestas,

As Laurent Tourreau mentions, a lot of detectors have been "reactivated".
Time of analysis is obviously not proportional to the number of lines of code. But 15 minutes is a reasonable amount of time for projects of 100k to 500k lines.
Keep in mind, FindBugs detectors are doing analysis far beyond grepping strings.

Things to look for:
 - Memory usage: how much memory is allocated?
 - "target/sonar/findbugs-result.xml" (classes covered, number of classes covered). This would also answer: "I've noticed that the Findbugs analysis no longer produces any issues."
 - Running FindBugs standalone, and comparing the results and performance metrics with the sonar build.

Vara Prasad

Jul 27, 2016, 9:03:45 AM
to SonarQube, philipp...@gmail.com
Hello,

We were facing a similar performance issue when we tried to upgrade to the new findbugs plugin.
Our previous environment is SonarQube 5.1.1 with the java and findbugs plugins at version 3.2.
The new upgraded environment is SonarQube 5.6 with java plugin 4.0 and findbugs plugin version 3.4.3.

Below are the observations we have made:
  1. On the previous environment (SQ 5.1.1, findbugs 3.2 and java plugin 3.2), findbugs is executing only if at least one class file (pointed to by sonar.java.binaries) is available for the java source files indexed.
    If there is no match between java and class files, we see the message "Findbugs needs sources to be compiled. Please build project before executing sonar or check the location of compiled classes to make it possible for Findbugs to analyse your project."

  2. On the upgraded environment (SQ 5.6, findbugs 3.4.3 and java plugin 4.0), findbugs is executing even if the classes pointed to by sonar.java.binaries are completely different from the java source files indexed (even when there is not a single match between the java files and class files).

Has anyone had similar observations?


Also, is the below correct with respect to the change in findbugs execution behavior?
sonar-findbugs-plugin-3.2 analyzes only java class files which have matching java sources.
sonar-findbugs-plugin-3.4.3 analyzes all java class files even if java sources are not matching at all.

Note:

The "matching" which I have referred to above is that the source will point to A.java and the binaries will have A.class.

The "not matching" which I have referred to above is that the source will point to A.java and the binaries will not have A.class.


With Regards,
Vara Prasad.

Vara Prasad

Aug 3, 2016, 12:06:23 AM
to SonarQube, philipp...@gmail.com
Hello,

I have done further debugging and this seems to be due to the call scanForAdditionalClasses, which will add all the classes from sonar.java.binaries.
Can you please let us know why we need to add all classes instead of using classes only from javaResourceLocator.classFilesToAnalyze()?
Also, classes from scanForAdditionalClasses are a subset of javaResourceLocator.classFilesToAnalyze().

With Regards,
Vara Prasad.
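The source/class matching question raised in these two posts (A.java against A.class, and scanning every file under sonar.java.binaries versus only the source-matched ones), modelled as an added Python check. This is not sonar-findbugs code: the sample paths are constructed, and the fail/skip/analyze rule follows what Philippe and Vara describe above rather than the plugin's implementation.

```python
"""Model of the source/class matching discussed in this thread (added example, not sonar-findbugs code).

Given the Java sources SonarQube indexed and the .class files under sonar.java.binaries, report
which binaries have a matching source (A.java <-> A.class; inner classes such as A$1.class count
as A) and what FindBugs would be handed under the two behaviours described in the thread.
"""
from pathlib import PurePosixPath

# Constructed sample module: B.java was never compiled; Generated.class and lib/Other.class
# have no source in this module (the "not matching" case described above).
SRC_ROOT, BIN_ROOT = "src/main/java", "target/classes"
MAIN_SOURCES = ["src/main/java/com/acme/A.java", "src/main/java/com/acme/B.java"]
BINARIES = ["target/classes/com/acme/A.class", "target/classes/com/acme/A$1.class",
            "target/classes/com/acme/Generated.class", "target/classes/lib/Other.class"]

def source_name(src, src_root=SRC_ROOT):
    """src/main/java/com/acme/A.java -> com/acme/A"""
    return str(PurePosixPath(src).relative_to(src_root).with_suffix(""))

def class_outer_name(cls, bin_root=BIN_ROOT):
    """target/classes/com/acme/A$1.class -> com/acme/A (inner class folded into its outer class)"""
    return str(PurePosixPath(cls).relative_to(bin_root).with_suffix("")).split("$", 1)[0]

def match_sources_to_classes(sources, classes):
    """Return (binaries with a source, binaries without a source, sources with no class file)."""
    names = {source_name(s) for s in sources}
    matched = [c for c in classes if class_outer_name(c) in names]
    unmatched = [c for c in classes if class_outer_name(c) not in names]
    covered = {class_outer_name(c) for c in classes}
    missing = [s for s in sources if source_name(s) not in covered]
    return matched, unmatched, missing

def plan_findbugs_run(sources, classes, scan_all_binaries):
    """Decide what FindBugs would scan, following the behaviour described in the thread.

    No classes but main sources present -> "fail" (module not built);
    no classes and no main sources      -> "skip" (test-only module);
    otherwise "analyze": every binary (3.4.3 model) or only source-matched ones (3.2 model).
    """
    if not classes:
        return ("fail" if sources else "skip"), []
    matched, unmatched, _ = match_sources_to_classes(sources, classes)
    return "analyze", sorted(matched + unmatched if scan_all_binaries else matched)

if __name__ == "__main__":
    matched, unmatched, missing = match_sources_to_classes(MAIN_SOURCES, BINARIES)
    print(f"{len(matched)} binaries matched, {len(unmatched)} without source, {len(missing)} sources not compiled")
    for label, flag in (("3.2 model", False), ("3.4.3 model", True)):
        print(label, *plan_findbugs_run(MAIN_SOURCES, BINARIES, flag))
```

A large "without source" count under the 3.4.3 model is the extra bytecode the sensor now spends time on, while issues found in those classes cannot be attached to any indexed source file.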

Modestas Kapusinskas

Aug 10, 2016, 11:09:09 AM
to philipp...@gmail.com, SonarQube, Vara Prasad
Any update?

I can confirm the findings of Vara to be true.

KAYAK
Modestas Kapusinskas
Director Engineering


philipp...@gmail.com

Aug 12, 2016, 3:56:56 PM
to SonarQube, philipp...@gmail.com, varapra...@gmail.com, mkapus...@kayak.com
Please add suggestions and comments to the GitHub project. RFF threads are not actively monitored (once closed).