
Using the spotbugs maven plugin, where do I put filter files?


I am trying to use spotbugs from maven. In the <reporting/> section of my POM, I include

      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>4.5.3.0</version>
        <configuration>
          <includeFilterFile>spotbugs-security-include.xml</includeFilterFile>
          <excludeFilterFile>spotbugs-security-exclude.xml</excludeFilterFile>
          <plugins>
            <plugin>
              <groupId>com.h3xstream.findsecbugs</groupId>
              <artifactId>findsecbugs-plugin</artifactId>
              <version>1.11.0</version>
            </plugin>
          </plugins>
        </configuration>
      </plugin>

Where do I put the filter files spotbugs-security-include.xml and spotbugs-security-exclude.xml? According to the documentation, the plugin will find the filter files on the classpath. But what is the classpath for executing a reporting plugin? And where in the source tree do I put the files in order to have them copied there during report generation? I have tried src/main/resources, src/test/resources, and src/site/resources with no luck.

Log snippet:

[INFO] 6 reports detected for maven-javadoc-plugin:3.2.0: aggregate-no-fork, javadoc, javadoc-no-fork, test-aggregate-no-fork, test-javadoc, test-javadoc-no-fork
[INFO] configuring report plugin com.github.spotbugs:spotbugs-maven-plugin:4.5.3.0
[INFO] 1 report detected for spotbugs-maven-plugin:4.5.3.0: spotbugs
[INFO] configuring report plugin org.apache.maven.plugins:maven-project-info-reports-plugin:3.1.2
[INFO] 15 reports detected for maven-project-info-reports-plugin:3.1.2: ci-management, dependencies, dependency-info, dependency-management, distribution-management, index, issue-management, licenses, mailing-lists, modules, plugin-management, plugins, scm, summary, team
[INFO] Fork Value is true
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  25.587 s
[INFO] Finished at: 2022-02-11T15:31:56+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Could not find resource 'spotbugs-security-include.xml'. -> [Help 1]

I run under OpenJDK 11 on Linux.


Solution

  • Your configuration is essentially instructing spotbugs-maven-plugin to search for them in the project root, where the pom.xml is located.
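
An added example, not part of the original answer: the same reporting configuration with the filter locations written as explicit filesystem paths, so the lookup does not depend on how a bare file name is resolved. The `config/spotbugs/` directory is an assumed layout chosen for illustration; only the two file names and the plugin coordinates come from the question.

```xml
<reporting>
  <plugins>
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <version>4.5.3.0</version>
      <configuration>
        <!-- ${project.basedir} is the directory that holds this pom.xml.
             A bare name such as spotbugs-security-include.xml is looked up
             in that same directory, as the answer above describes. -->
        <!-- Assumed layout: <project root>/config/spotbugs/ (hypothetical) -->
        <includeFilterFile>${project.basedir}/config/spotbugs/spotbugs-security-include.xml</includeFilterFile>
        <excludeFilterFile>${project.basedir}/config/spotbugs/spotbugs-security-exclude.xml</excludeFilterFile>
        <plugins>
          <!-- Find Security Bugs detectors, loaded as a SpotBugs plugin -->
          <plugin>
            <groupId>com.h3xstream.findsecbugs</groupId>
            <artifactId>findsecbugs-plugin</artifactId>
            <version>1.11.0</version>
          </plugin>
        </plugins>
      </configuration>
    </plugin>
  </plugins>
</reporting>
```

In a multi-module build `${project.basedir}` resolves per module, so each module that runs the report needs the files at that relative path.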