FindBugs
 
Docs and Info
 FindBugs 2.0
 Demo and data
 Users and supporters
 FindBugs blog
 Fact sheet
 Manual
 Manual(ja/日本語)
 FAQ
 Bug descriptions
 Bug descriptions(ja/日本語)
 Bug descriptions(fr)
 Mailing lists
 Documents and Publications
 Links
 
Downloads
 
FindBugs Swag
 
Development
 Open bugs
 Reporting bugs
 Contributing
 Dev team
 API [no frames]
 Change log
 SF project page
 Browse source
 Latest code changes

FindBugs logo UMD logo

FindBugs™ - Find Bugs in Java Programs

This is the web page for FindBugs, a program which uses static analysis to look for bugs in Java code.  It is free software, distributed under the terms of the Lesser GNU Public License. The name FindBugs™ and the FindBugs logo are trademarked by The University of Maryland. FindBugs has been downloaded more than a million times.

The current version of FindBugs is 3.0.0.

FindBugs requires JRE (or JDK) 1.7.0 or later to run.  However, it can analyze programs compiled for any version of Java, from 1.0 to 1.8.

The current version of FindBugs is 3.0.0, released on 20:43:52 CDT, 06 July, 2014. We are very interested in getting feedback on how to improve FindBugs. File bug reports on our sourceforge bug tracker

Changes | Talks | Papers | Sponsors | Support

FindBugs 3.0.0 Release

  • FindBugs supports Java 8 now (both as runtime and target platform).
  • FindBugs requires minimum Java 7 as runtime environment!
  • FindBugs uses ASM 5 now which means that some 3rd party detectors based on FindBugs 2.x/ASM 3 has to be upgraded. See details in ASM documentation.
  • New Bug patterns: NP_OPTIONAL_RETURN_NULL, IIO_INEFFICIENT_INDEX_OF, IIO_INEFFICIENT_LAST_INDEX_OF CNT_ROUGH_CONSTANT_VALUE
  • New "Source" filter which can be used to filter out classes generated from other languages:
                                <?xml version="1.0" encoding="UTF-8"?>
                                <FindBugsFilter>
                                <Match>
                                    <Source name="~.*\.groovy" />
                                </Match>
                                </FindBugsFilter>
                            
  • New "-auxclasspathFromFile" and "-analyzeFromFile" command line options.
  • New "nested" ant task attribute.
  • Various bug fixes, also many patches from community. Thanks for your contributions!

FindBugs 2.0.3 Release

FindBugs 2.0.3 is intended to be a minor bug fix release over FindBugs 2.0.2. Although than some improvements to existing bug detectors and analysis engines, and a few new bug patterns, and some important bug fixes to the Eclipse plugin, no significant changes should be observed. Consult the Change log for more details.

Also check out http://code.google.com/p/findbugs/w/list for more information about some recent features/changes in FindBugs.

Major changes in FindBugs 2.0 (from FindBugs 1.3.x)

Ways to run FindBugs

Here are various ways to run FindBugs. For plugins not supported by the FindBugs team, check to see what version of FindBugs they provide; it might take a little while for the plugins to update to FindBugs 2.0.

Command line, ant, GUI
Provided in FindBugs download
Eclipse
Update site for Eclipse plugin: http://findbugs.cs.umd.edu/eclipse. Supported by the FindBugs project.
Maven
http://mojo.codehaus.org/findbugs-maven-plugin/
Netbeans
SQE: Software Quality Environment
Jenkins
Jenkins FindBugs Plugin
Hudson
HUDSON FindBugs Plugin
IntelliJ
Several plugins, see http://code.google.com/p/findbugs/wiki/IntellijFindBugsPlugins for a description.

New

  • jFormatString library republished at http://code.google.com/p/j-format-string. This is the library we use for compile time checking of format strings. It is separately published to
  • We're releasing FindBugs 2.0.3. Mostly small changes to address false positives, with one important fix to the Eclipse plugin to fix a problem that had prevented the plugin from running in some versions of Eclipse. Check the change log for more details.
  • We've released FindBugs 2.0
  • FindBugs communal cloud and Java web start links:. We have analyzed several large open source projects, and provide Java web start links to allow you to view the results. We'd be happy to work with projects to make the results available from a continuous build:

Experience with FindBugs

  • Google FindBugs Fixit: Google has a tradition of engineering fixits, special days where they try to get all of their engineers focused on some specific problem or technique for improving the systems at Google. A fixit might work to improve web accessibility, internal testing, removing TODO's from internal software, etc.

    In 2009, Google held a global fixit for UMD's FindBugs tool a static analysis tool for finding coding mistakes in Java software. The focus of the fixit was to get feedback on the 4,000 highest confidence issues found by FindBugs at Google, and let Google engineers decide which issues, if any, needed fixing.

    More than 700 engineers ran FindBugs from dozens of offices. More than 250 of them entered more than 8,000 reviews of the issues. A review is a classification of an issue as must-fix, should-fix, mostly-harmless, not-a-bug, and several other categories. More than 75% of the reviews classified issues as must fix, should fix or I will fix. Many of the scariest issues received more than 10 reviews each.

    Engineers have already submitted changes that made more than 1,100 of the 3,800 issues go away. Engineers filed more than 1,700 bug reports, of which 600 have already been marked as fixed Work continues on addressing the issues raised by the fixit, and on supporting the integration of FindBugs into the software development process at Google.

    The fixit at Google showcased new capabilities of FindBugs that provide a cloud computing / social networking backdrop. Reviews of issues are immediately persisted into a central store, where they can be seen by other developers, and FindBugs is integrated into the internal Google tools for filing and viewing bug reports and for viewing the version control history of source files. For the Fixit, FindBugs was configured in a mode where engineers could not see reviews from other engineers until they had entered their own; after the fixit, the configuration will be changed to a more open configuration where engineers can see reviews from others without having to provide their own review first. These capabilities have all been contributed to UMD's open source FindBugs tool, although a fair bit of engineering remains to prepare the capabilities for general release and make sure they can integrate into systems outside of Google. The new capabilities are expected to be ready for general release in Fall 2009.

Talks about FindBugs

Papers about FindBugs

Contributors and Sponsors

The current development team consists of Bill Pugh and Andrey Loskutov.

The most recent funding for FindBugs comes from a Google Faculty Research Awards.

Additional Support

Numerous people have made significant contributions to the FindBugs project, including founding work by David Hovemeyer and the web cloud infrastructure by Keith Lea.

YourKit is kindly supporting open source projects with its full-featured Java Profiler. YourKit, LLC is creator of innovative and intelligent tools for profiling Java and .NET applications. Take a look at YourKit's leading software products: YourKit Java Profiler and YourKit .NET Profiler.

The FindBugs project also uses FishEye and Clover, which are generously provided by Cenqua/Atlassian.

Additional financial support for the FindBugs project was provided by National Science Foundation grants ASC9720199 and CCR-0098162,

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF).


Send comments to findbugs@cs.umd.edu

SourceForge.net Logo