[NEW RELEASE] Sonar-FindBugs 3.6


philipp...@gmail.com

Oct 2, 2017, 5:00:17 PM10/2/17
to SonarQube
Short description: Add support for Groovy, Scala and Clojure. The FB-Contrib and FindSecurityBugs plugins were updated.
Link to release notes: Same as above

===================================
Additional demands:

 - The plugin would also need to be added to the Plugin library: http://docs.sonarqube.org/display/PLUG/Other+Plugins
 - Add h3xstream (myself) as Admin of https://github.com/SonarQubeCommunity/sonar-findbugs
 - Add VinodAnandan to Developers of https://github.com/SonarQubeCommunity/sonar-findbugs

matad...@googlemail.com

Oct 2, 2017, 6:16:00 PM10/2/17
to SonarQube
It would be great if we had a link to all the rules which are in this plugin and not present in the core Sonar SSLR Java plugin.

philipp...@gmail.com

Oct 2, 2017, 6:51:57 PM10/2/17
to SonarQube
Hi Mat,
There are 855 rules in the core rule set and its two main plugins.

Short answer: Even when some rules are inspired by SpotBugs, they are not the same rules. They usually have less coverage and generate many more FPs.

Complete details:

SpotBugs core rules:

Plugin: Find Security Bugs

Plugin: FB-Contrib


Rule of thumb:
- If you are a beginner, use the FindBugs Only profile. This is probably the most popular rule set.
- If you are serious about static analysis, add FB-Contrib with the "FindBugs + FB-Contrib" profile.
- If you have a web application or care about security, use FindBugs Security Minimal.
- If you have external auditor(s) reviewing the code for security issues, use FindBugs Security Audit. It includes lots of _informational_ notifications.

Nicolas Peru

Oct 3, 2017, 3:52:43 AM10/3/17
to philipp...@gmail.com, SonarQube
Hi Philippe,

Short answer: Even when some rules are inspired from SpotBugs, they are not the same rules. They usually have less coverage and generate much more FP.


I am sorry, but I can't let you write this about SonarJava (which is my daily work (disclaimer done)) without backing up your claims with examples and facts. So can you point out concrete examples of where SonarJava is generating more FPs when targeting the same problems?

Regarding "less coverage": I am unsure what you mean by this, but if you mean covering the same problems, again I would really like you to back up your claim with examples of issues/patterns/bugs that are detected by SpotBugs and not SonarJava.

There are things that we cover differently, and it can boil down to a matter of opinion in the end, but plainly writing that SonarJava is generating more FPs and covering fewer rules without backing examples is a bit unfair.


Thanks. 




--
Nicolas Peru | SonarSource

philipp...@gmail.com

Oct 3, 2017, 10:49:02 AM10/3/17
to SonarQube
Before replying, I must admit that my short answer can easily be interpreted as rude.
My more usual response is to try the analyzers and compare their results.

I don't necessarily want to start an endless debate... At a high level, for the coverage, I meant rule diversity and language coverage (JSP, Groovy, Scala and Kotlin). I am obviously biased because I develop FSB and I have a focus on security.
False positives are highly dependent on which criteria are being tested and what code is being used. I could compare symbolic execution, but every tool is taking shortcuts for different motivations.

Conclusion: it depends. ;)

G. Ann Campbell

Oct 3, 2017, 3:41:24 PM10/3/17
to SonarQube
Hi,

This has been added to the Update Center.


Ann