FindBugs 代码静态扫描bug插件的配置和使用

Checkstyle是一款可以帮助开发人员检查代码隐藏bug的分析工具; 它可以进行代码扫描, 产生bug检测报告, 以便开发人员及时去修复; 使用它可以让我们的工程代码质量更高;

---

常见自动化CI所采用的插件列表

• Spotless
• Checkstyle
• FindBugs
• Jacoco
• Liquibase

在项目中配置使用FindBugs

在Gradle项目中, 配置使用FindBugs

gradle构建脚本使用groovy

1. 首先在build.gradle中引入FindBugs插件

// 以外部文件的方式引入gradle插件脚本, 方便对build管理, 不至于膨胀过快
apply from: 'gradle/findbugs.gradle'

2. 看一下findbugs.gradle文件里面的内容

apply plugin: 'findbugs'

findbugs {
    // The version of the code quality tool to be used.
    // The most recent version of Checkstyle can be found at https://github.com/checkstyle/checkstyle/releases
    toolVersion = "3.0.1"

    showProgress = true

//    reportsDir = file("${buildDir}/reports/findbugs")

}

tasks.withType(FindBugs) {
    reports {
        xml.enabled false
        html.enabled true
        html.stylesheet resources.text.fromFile('config/findbugs/default.xsl')
    }
}

3. 上面的config/findbugs/default.xs是FindBugs生成HTML格式bug检查报告的样式文件
   文件具体内容可以参考: default.xsl

4. 在命令行终端执行以下命令对插件进行使用

// 对main-->java包中的java类做检测
gradlew findbugsMain
// 对test-->java包中的java类做检测
gradlew findbugsTest

在git管理的项目中, 通过hook执行findbugsMain verify

在项目的根目录下的.git文件夹下面添加pre-commit文件, 这个hook就会在本地进行git commit前执行

#!/bin/sh
#set -x
# From gist at https://gist.github.com/chadmaughan/5889802

# run the tests with the gradle wrapper for checkstyleMain
./gradlew checkstyleMain

RESULT=$?
# check if checkstyleMain method is success
if ! [ $RESULT == 0 ]; then
  exit $RESULT
fi

# run the tests with the gradle wrapper for findbugsMain
./gradlew findbugsMain

RESULT=$?
# return the './gradlew findbugsMain' exit code
exit $RESULT

初始化本地的hook

因为hook是放在.git文件夹下的, 而这个文件夹的内容不会被提交到远程仓库, 为了所有开发者都能以安装的方式初始化所有hook, 那我们弄个统一的脚本在每个人的本地初始化hook

1. 在项目根目录下面建一个boot文件(windows下面就是boot.bat)

boot

#/bin/bash

case "$1" in
  "checkstyle")
  open build/reports/checkstyle/main.html
  ;;
  "findbugs")
  open build/reports/findbugs/main.html
  ;;
  "jacoco")
  open build/reports/jacoco/index.html
  ;;
  "init-hook")
   cp hook/pre-commit .git/hooks/pre-commit
   cp hook/pre-push .git/hooks/pre-push
   chmod a+x .git/hooks/pre-commit
   chmod a+x .git/hooks/pre-push
  ;;
esac

boot.bat

@if "%DEBUG%" == "" @echo off
@rem ##########################################################################
@rem
@rem  boot.bat for windows
@rem
@rem ##########################################################################

set OPTION=%1%
set DIRNAME=%~dp0

if "%OPTION%" == "checkstyle" (
  start %DIRNAME%build\reports\checkstyle\main.html
)

if "%OPTION%" == "findbugs" (
  start %DIRNAME%build\reports\findbugs\main.html
)

if "%OPTION%" == "jacoco" (
  start %DIRNAME%build\reports\jacoco\index.html
)

if "%OPTION%" == "init-hook" (
  copy "hook\pre-commit" ".git\hooks\pre-commit"
  copy "hook\pre-push" ".git\hooks\pre-push"
  echo init-hook execute success
)

2. 执行脚本初始化方法

// linux
boot init-hook
// windows
boot.bat init-hook

本地进行git commit时会自动执行pre-commit里面的内容

关于findbugs所能检测的bug条目具体见: bugDescriptions
这里我们故意写一个bug(在一个class里面继承接口Cloneable, 但没实现它的clone方法), 看看检测报告

 git commit -m "xxx"
Scanning archives (56 / 56)
2 analysis passes to perform
Pass 1: Analyzing classes (172 / 172) - 100% complete
Pass 2: Analyzing classes (23 / 23) - 100% complete
Done with analysis
The following classes needed for analysis were missing:
  java.lang.Object
  java.lang.Cloneable
  java.lang.RuntimeException
  java.lang.Enum
  java.util.ArrayList
  java.util.List
  java.lang.String
  java.io.InputStream
  java.lang.Throwable
  java.io.PrintWriter
  java.util.concurrent.ConcurrentHashMap
  java.util.Collection
  java.util.stream.Stream
  java.util.stream.Collectors
  java.lang.StringBuilder
  java.lang.Long
  java.lang.NoSuchFieldError
  java.lang.UnsatisfiedLinkError
  java.io.Serializable
  java.lang.invoke.LambdaMetafactory
  java.lang.invoke.MethodHandles$Lookup
  java.lang.invoke.MethodHandles
  java.io.IOException
  java.lang.IllegalAccessError
  java.lang.IncompatibleClassChangeError
  java.lang.Error
  java.lang.NullPointerException
  java.lang.AbstractMethodError

Deprecated Gradle features were used in this build, making it incompatible with Gradle 5.0.
See https://docs.gradle.org/4.8.1/userguide/command_line_interface.html#sec:command_line_warnings
3 actionable tasks: 1 executed, 2 up-to-date

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':findbugsMain'.
> FindBugs rule violations were found. See the report at: file:///E:/project/gavin/moon-boot/build/reports/findbugs/main.html

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 4s

报告如图

Over!