Docs and Info
 FindBugs 2.0
 Demo and data
 Users and supporters
 FindBugs blog
 Fact sheet
 Bug descriptions
 Bug descriptions(ja/日本語)
 Bug descriptions(fr)
 Mailing lists
 Documents and Publications
FindBugs Swag
 Open bugs
 Reporting bugs
 Dev team
 API [no frames]
 Change log
 SF project page
 Browse source
 Latest code changes

FindBugs logo UMD logo

FindBugs 2

This page describes the major changes in FindBugs 2. We are well aware that the documentation on the new features in FindBugs 2.0 have not kept up with the implementation. We will be working to improve the documentation, but don't want to hold up the release any longer to improve the documentation.

Anyone currently using FindBugs 1.3.9 should find FindBugs 2.0 to largely be a drop-in replacement that offers better accuracy and performance.

Also check out for more information about some recent features/changes in FindBugs.

The major new features in FindBugs 2 are as follows:

  • Bug Rank - bugs are given a rank 1-20, and grouped into the categories scariest (rank 1-4), scary (rank 5-9), troubling (rank 10-14), and of concern (rank 15-20).
    • priority renamed confidence - many people were confused by the priority reported by FindBugs, and considered all HIGH priority issues to be important. To reflect the actually meaning of this attribute of issues, it has been renamed confidence. Issues of different bug patterns should be compared by there rank, not their confidence.
  • Cloud storage - having a convent way for developers to share information about when an issue was first seen, and whether it is believed to be a serious problem, is important to successful and cost-effective deployment of static analysis in a large software project.
  • update checks - FindBugs will check for releases of new versions of FindBugs. Note: we leverage this capability to count the number of FindBugs users. These update checks can easily be disabled.
  • Plugins - FindBugs 2.0 makes it much easier to define plugins that provide various capabilities, and install these plugins either on a per user or per installation basis.
  • fb command - rather than using the rather haphazard collection of command line scripts developed over the years for running various FindBugs commands, you can now use just one: fb.
    • fb analyze - invokes the FindBugs analysis
    • fb gui - launches the FindBugs GUI
    • fb list - lists the issues from a FindBugs analysis file
    • fb help - lists the command available.

    Plugins can be used to extend the commands that can be invoked via fb.

  • New bug patterns and detectors, and improved accuracy
  • Improved performance: overall, we've seen an average 10% performance improvement over a large range of benchmarks, although a few users have experienced performance regressions we are still trying to understand.
  • Guava support - working with Kevin Bourrillion, we have provided additional support for the Guava library, recognizing many common misuse patterns.
  • JSR-305 support - improved detection of problems identified by JSR-305 annotations. In particular, we've significantly improved both the accuracy and performance of the analysis of type qualifiers.

Cloud storage of issue evaluations

For many years, you could store evaluations of FindBugs issues within the XML containing the analysis results. However, this approach did not work well for a team of distributed developers. Instead, we now provide a cloud based mechanism for storing this information. We are providing a free communal cloud (hostied by Google appengine) for storing evaluations of FindBugs issues. You can set up your own private cloud for storing issues, but at the moment this checking out a copy of FindBugs, making some modifications and building the cloud storage plugin from source. We hope to make it easier to have your own private cloud in FindBugs 2.0.1.

We have analyzed several large open source projects, and provide Java web start links to allow you to view the results. We'd be happy to work with projects to make the results available from a continuous build:

FindBugs update checks

FindBugs now checks to see if a new version of FindBugs or a plugin has been released. We make use of this check to collect statistics on the operating system, java version, locale and FindBugs entry point (e.g., ant, command line, GUI). More information is available, including information about how to disable update checks if your organization has a policy against allowing the collection of such information. No information about the code being analyzed is reported.


FindBugs 2.0 makes it much easier to customize FindBugs with plugins.

FindBugs looks for plugins in two places: your personal home directory, and in FindBugs home (plugins installed in your home directory take precedence). In both places, it looks in two places: the plugin directory, which contains plugins that are enabled by default, and the optionalPlugin directory, which contains plugins that are disabled by default but can be enabled for a particular project.

The FindBugs project includes several plugins:

  • Cloud plugins: These plugins provide ways to persist and share information about issues seen in an analysis (e.g., when was this issue first seen, and any evaluations as to whether this is harmless or a must fix issue, as well as comments about the issue from developers)
    • bugCollectionCloud - stores issue evaluations in the XML. The way issue evaluations were always stored before FindBugs 2.0. Distributed in the optionalPlugin directory.
    • findbugsCommunalCloud Stores issue evaluations in the communal cloud hosted at Distributed in the plugin directory.
    • jdbcCloudClient an older, deprecated cloud that stored information in an SQL database. Not distributed, most be built from source.
  • noUpdateChecks - Disables checks for updated versions and usage counting. Distributed in the optionalPlugin directory.
  • poweruser - provides a number of additional commands for the fb command. It is believed most of these commands are used by few people outside of the FindBugs development team. Distributed in the optionalPlugin directory.
  • Bug filing plugins: these plugins assist in the filing of FindBugs issues in built trackers. The bug filing framework is designed to be extensible to other bug filing systems. At the moment, these plugins are not supported, and must be built from source.
    • jira
    • google code

Performance Improvements/regressions

In our own testing, we've seen an overall improvement of 9% in FindBugs performance from 1.3.9 to 2.0.0, with the majority of benchmarks seeing improvements. A few users have reported significant performance regressions and we are asking for more information from anyone seeing significant performance regressions.

New Bug patterns