SpotBugs is a program to find bugs in Java programs. It looks for instances of “bug patterns” — code instances that are likely to be errors. It uses static analysis to look for bugs in Java code. SpotBugs checks for more than 400 bug patterns. Bug descriptions can be found here. It is free software, distributed under the terms of the GNU Lesser General Public License.
SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off with support of its community. SpotBugs requires JRE (or JDK) 1.8.0 or later to run. However, it can analyze programs compiled for any version of Java, from 1.0 to 1.9. SpotBugs is platform independent, and is known to run on GNU/Linux, Windows, and MacOS X platforms. You should have at least 512 MB of memory to use SpotBugs. To analyze very large projects, more memory may be needed.
SpotBugs can be used with a variety of tools (Ant,Maven,Geadle) and IDE’s (Eclipse,IntelliJ). SpotBugs is extensible. New detectors can be added through plugins. Popular SpotBugs plugins include:
- fb-contrib: plugin for java bug detectors that fall outside the narrow scope of detectors to be packaged with the product itself.
- find-sec-bugs: plugin for security audits of Java web applications.It can detect 128 different vulnerability types with over 807 unique API signatures. Covers popular frameworks including Spring-MVC, Struts, Tapestry and many more. Extensive references are given for each bug patterns with references to OWASP Top 10 and CWE.