I am trying to use spotbugs from maven.
In the <reporting/>
section of my POM, I include
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>4.5.3.0</version>
<configuration>
<includeFilterFile>spotbugs-security-include.xml</includeFilterFile>
<excludeFilterFile>spotbugs-security-exclude.xml</excludeFilterFile>
<plugins>
<plugin>
<groupId>com.h3xstream.findsecbugs</groupId>
<artifactId>findsecbugs-plugin</artifactId>
<version>1.11.0</version>
</plugin>
</plugins>
</configuration>
</plugin>
Where do I put the filter files spotbugs-security-include.xml
and spotbugs-security-exclude.xml
?
According to the documentation, the plugin will find the filter files on the classpath. But what is the classpath for executing a reporting plugin? And where in the source tree do I put the files in order to have them copied there during report generation? I have tried src/main/resources
, src/test/resources
, and src/site/resources
with no luck.
Log snippet:
[INFO] 6 reports detected for maven-javadoc-plugin:3.2.0: aggregate-no-fork, javadoc, javadoc-no-fork, test-aggregate-no-fork, test-javadoc, test-javadoc-no-fork
[INFO] configuring report plugin com.github.spotbugs:spotbugs-maven-plugin:4.5.3.0
[INFO] 1 report detected for spotbugs-maven-plugin:4.5.3.0: spotbugs
[INFO] configuring report plugin org.apache.maven.plugins:maven-project-info-reports-plugin:3.1.2
[INFO] 15 reports detected for maven-project-info-reports-plugin:3.1.2: ci-management, dependencies, dependency-info, dependency-management, distribution-management, index, issue-management, licenses, mailing-lists, modules, plugin-management, plugins, scm, summary, team
[INFO] Fork Value is true
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 25.587 s
[INFO] Finished at: 2022-02-11T15:31:56+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Could not find resource 'spotbugs-security-include.xml'. -> [Help 1]
I run under OpenJDK 11 on linux.
Your configuration is essentially instructing spotbugs-maven-plugin to search them in the project root, where the pom.xml is located.