Introduce spotbug plugin

Issue-ID: CPS-159
Signed-off-by: Claudio David Gasparini <claudio.gasparini@pantheon.tech>
Change-Id: I889b3009505421621007031fb99a43c5cd30be82

diff --git a/cps-bom/pom.xml b/cps-bom/pom.xml
index 520a484..7d023a5 100644 (file)
--- a/cps-bom/pom.xml
+++ b/cps-bom/pom.xml
@@ -51,6 +51,11 @@
                 <artifactId>checkstyle</artifactId>
                 <version>${project.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.onap.cps</groupId>
+                <artifactId>spotbugs</artifactId>
+                <version>${project.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>
\ No newline at end of file

diff --git a/cps-dependencies/pom.xml b/cps-dependencies/pom.xml
index a77deff..cf744e8 100755 (executable)
--- a/cps-dependencies/pom.xml
+++ b/cps-dependencies/pom.xml
@@ -23,6 +23,7 @@
         <modelmapper.version>2.3.8</modelmapper.version>
         <spock-core.version>2.0-M2-groovy-3.0</spock-core.version>
         <spock-spring.version>1.3-groovy-2.5</spock-spring.version>
+        <spotbugs.version>4.2.0</spotbugs.version>
         <springboot.version>2.3.3.RELEASE</springboot.version>
         <springfox.version>3.0.0</springfox.version>
         <swagger.version>2.1.4</swagger.version>
@@ -109,6 +110,11 @@
                 <artifactId>postgresql</artifactId>
                 <version>${testcontainers.version}</version>
             </dependency>
+            <dependency>
+                <groupId>com.github.spotbugs</groupId>
+                <artifactId>spotbugs</artifactId>
+                <version>${spotbugs.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>

diff --git a/cps-parent/pom.xml b/cps-parent/pom.xml
index 55db1a1..1f6ae2c 100644 (file)
--- a/cps-parent/pom.xml
+++ b/cps-parent/pom.xml
@@ -26,7 +26,11 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <releaseNexusPath>/content/repositories/releases/</releaseNexusPath>
         <repository.name>nexus3.onap.org:10001/onap/cps-service</repository.name>
+        <spotbugs-maven-plugin.version>4.1.3</spotbugs-maven-plugin.version>
         <spring-boot-maven-plugin.version>2.3.3.RELEASE</spring-boot-maven-plugin.version>
+        <spotbugs.slf4j.version>1.8.0-beta4</spotbugs.slf4j.version>
+        <spotbugs.bug-pattern.version>1.5.0</spotbugs.bug-pattern.version>
+        <spotbugs.version>4.2.0</spotbugs.version>
         <swagger-codegen-maven-plugin.version>3.0.18</swagger-codegen-maven-plugin.version>
         <snapshotNexusPath>/content/repositories/snapshots/</snapshotNexusPath>
         <tag.version>${project.version}</tag.version>
@@ -197,6 +201,66 @@
                         </to>
                     </configuration>
                 </plugin>
+                <plugin>
+                    <groupId>com.github.spotbugs</groupId>
+                    <artifactId>spotbugs-maven-plugin</artifactId>
+                    <version>${spotbugs-maven-plugin.version}</version>
+                    <dependencies>
+                        <dependency>
+                            <groupId>com.github.spotbugs</groupId>
+                            <artifactId>spotbugs</artifactId>
+                            <version>${spotbugs.version}</version>
+                        </dependency>
+                        <dependency>
+                            <groupId>${project.groupId}</groupId>
+                            <artifactId>spotbugs</artifactId>
+                            <version>${project.version}</version>
+                        </dependency>
+                        <dependency>
+                            <!-- The SpotBugs Maven plugin uses SLF4J 1.8 beta 2 -->
+                            <groupId>org.slf4j</groupId>
+                            <artifactId>slf4j-simple</artifactId>
+                            <version>${spotbugs.slf4j.version}</version>
+                        </dependency>
+                    </dependencies>
+                    <configuration>
+                        <plugins>
+                            <plugin>
+                                <groupId>jp.skypencil.findbugs.slf4j</groupId>
+                                <artifactId>bug-pattern</artifactId>
+                                <version>1.5.0</version>
+                            </plugin>
+                        </plugins>
+                        <!--
+                          Enables analysis which takes more memory but finds more bugs.
+                          If you run out of memory, changes the value of the effort element
+                          to 'Low'.
+                        -->
+                        <effort>Max</effort>
+                        <!-- Reports all bugs (other values are medium and max) -->
+                        <threshold>Low</threshold>
+                        <!-- Build doesn't fail if problems are found -->
+                        <failOnError>false</failOnError>
+                        <!-- References the excluded rules -->
+                        <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
+                        <!-- Produces XML report -->
+                        <xmlOutput>true</xmlOutput>
+                        <!-- Configures the directory in which the XML report is created -->
+                        <xmlOutputDirectory>${project.build.directory}/spotbugs</xmlOutputDirectory>
+                    </configuration>
+                    <executions>
+                        <!--
+                          Ensures that SpotBugs inspects source code when project is compiled.
+                        -->
+                        <execution>
+                            <id>analyze-compile</id>
+                            <phase>compile</phase>
+                            <goals>
+                                <goal>check</goal>
+                            </goals>
+                        </execution>
+                    </executions>
+                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>
@@ -360,6 +424,10 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>com.github.spotbugs</groupId>
+                <artifactId>spotbugs-maven-plugin</artifactId>
+            </plugin>
         </plugins>
     </build>
 </project>
\ No newline at end of file

diff --git a/pom.xml b/pom.xml
index e5c6df3..2ff88c1 100644 (file)
--- a/pom.xml
+++ b/pom.xml
@@ -34,5 +34,6 @@
         <module>cps-rest</module>\r
         <module>cps-ri</module>\r
         <module>checkstyle</module>\r
+        <module>spotbugs</module>\r
     </modules>\r
 </project>\r

diff --git a/spotbugs/pom.xml b/spotbugs/pom.xml
new file mode 100644 (file)
index 0000000..133c4f7
--- /dev/null
+++ b/spotbugs/pom.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.onap.cps</groupId>
+    <artifactId>spotbugs</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+
+    <properties>
+        <nexusproxy>https://nexus.onap.org</nexusproxy>
+        <releaseNexusPath>/content/repositories/releases/</releaseNexusPath>
+        <snapshotNexusPath>/content/repositories/snapshots/</snapshotNexusPath>
+    </properties>
+
+    <distributionManagement>
+        <repository>
+            <id>ecomp-releases</id>
+            <name>ECOMP Release Repository</name>
+            <url>${nexusproxy}${releaseNexusPath}</url>
+        </repository>
+        <snapshotRepository>
+            <id>ecomp-snapshots</id>
+            <name>ECOMP Snapshot Repository</name>
+            <url>${nexusproxy}${snapshotNexusPath}</url>
+        </snapshotRepository>
+    </distributionManagement>
+</project>
\ No newline at end of file

diff --git a/spotbugs/src/main/resources/spotbugs-exclude.xml b/spotbugs/src/main/resources/spotbugs-exclude.xml
new file mode 100644 (file)
index 0000000..c46270c
--- /dev/null
+++ b/spotbugs/src/main/resources/spotbugs-exclude.xml
@@ -0,0 +1,27 @@
+<FindBugsFilter>
+  <Match>
+    <Or>
+      <!-- Anonymous inner classes are very common. -->
+      <Bug pattern="SIC_INNER_SHOULD_BE_STATIC_ANON" />
+
+      <!-- We use static slf4j Logger (this rule is from KengoTODA/findbugs-slf4j jp.skypencil.findbugs.slf4:bug-pattern) -->
+      <Bug pattern="SLF4J_LOGGER_SHOULD_BE_NON_STATIC" />
+
+      <!-- Guava 25.1+ uses the Checker Framework's @Nullable which SpotBugs doesn't handle correctly, even though it's
+           supposed to; see https://github.com/spotbugs/spotbugs/issues/743 -->
+      <Bug pattern="NP_NONNULL_PARAM_VIOLATION" />
+      <Bug pattern="NP_NULL_PARAM_DEREF" />
+      <Bug pattern="NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE" />
+      <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE" />
+
+      <!-- https://github.com/spotbugs/spotbugs/issues/511. Strict reading of Object.equals() contract means that
+           evenever equals() behaviour is defined, all implementations need to adhere to it. The only reason
+           to override the method (assuming correct API design, of course) is to provide a more efficient
+           implementation. This rule would be forcing a @SuppressFBWarnings on perfectly compliant classes. -->
+      <Bug pattern="EQ_DOESNT_OVERRIDE_EQUALS"/>
+
+      <!-- https://github.com/spotbugs/spotbugs/issues/756. spotbugs does not grok Java 11's try-with-resources -->
+      <Bug pattern="RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE"/>
+    </Or>
+  </Match>
+</FindBugsFilter>