
Does anyone have a basic gradle file for gradle 5.X using the "old" form of plugin entry, that uses both spotbugs and find-security-bugs, and that, when ./gradlew clean build is run will execute both spot bugs and security bugs?

I can get spot bugs working (why did they rename it? how annoying) but cannot get the security bugs working.

bharal
  • I do not understand your problem. What do you mean by "old" form? findsecbugs-plugin IS the spotbugs plugin so if spotbugs is working fine, there is no additional security bugs finder afaik. Can you clarify your problem? – Christian H. Kuhn Apr 25 '19 at 14:37
  • @ChristianH.Kuhn there are two ways to delineate plugins in a gradle file. Take the time to read the answer i posted and you will see which way I refer to as the "old" way. – bharal Apr 25 '19 at 14:42
  • @ChristianH.Kuhn also, findsecbugs is *not* part of spotbugs. You need first the spotbugs plugin, then the find sec bugs one. You can see my answer for the setup needed. – bharal Apr 25 '19 at 14:44
  • I read your answer, and that is exactly what I do myself. First, declare the spotbugs plugin in the plugins section. Then add findsecbugs as a dependency. At last, configure the SpotBugsTask. I don't know anything about a newer way to do this, if that is the old way. findsecbugs-plugin is a dependency that is needed by spotbugs but is never called or configured manually. – Christian H. Kuhn Apr 25 '19 at 18:04
  • @ChristianH.Kuhn the old way is the way in which the plugin is declared in the gradle file - see https://plugins.gradle.org/plugin/com.github.spotbugs which shows two ways to include (in this case) the spotbugs plugin. We're using the "legacy" way, which afaik involves declaring in a dependencies section. – bharal Apr 25 '19 at 20:15
  • You are NOT doing it the "legacy" way. The old way would be apply plugin: "com.github.spotbugs" instead of plugins { id "com.github.spotbugs" version... } This is the NEW way in gradle to load plugins. And with the new mechanism, as I found out, the dependency findsecbugs is not necessary to declare. – Christian H. Kuhn Apr 25 '19 at 20:50

1 Answer

From this useful blog https://www.amolsolutions.com/insights/static-code-checks-for-security

    plugins {
        id 'com.gradle.build-scan' version '1.12.1'
        id "com.github.spotbugs" version "1.6.2"
    }

    dependencies {
      ...
      // FindSecBugs is a SpotBugs detector plugin, so it goes on the spotbugsPlugins configuration
      spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.7.1'
    }

    ...

    tasks.withType(com.github.spotbugs.SpotBugsTask) {
      reports {
        xml.enabled false
        html.enabled true
      }
    }

You'll know it worked because a link "security" will appear in the section list.

bharal
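Since the question asks for the "legacy" apply-plugin form and the answer shows only the plugins-block form, here is a complete build.gradle in the legacy form, as an added example that is not from the question, the answer or the linked blog. The plugin artifact coordinates (gradle.plugin.com.github.spotbugs:spotbugs-gradle-plugin) and the plugin-portal Maven URL are assumed from the plugin portal's legacy snippet for version 1.6.2; the findsecbugs-plugin version 1.7.1 and the spotbugsPlugins configuration are the ones used on this page; the spotbugs extension settings (effort, reportLevel, ignoreFailures) are standard options of that plugin version.

```groovy
// build.gradle (added example, legacy plugin form; not the page's own code)
// Assumption: plugin 1.6.2 is resolved from the Gradle plugin portal's Maven repository.
buildscript {
    repositories {
        maven { url "https://plugins.gradle.org/m2/" }
    }
    dependencies {
        classpath "gradle.plugin.com.github.spotbugs:spotbugs-gradle-plugin:1.6.2"
    }
}

apply plugin: 'java'
// Legacy form: equivalent to plugins { id "com.github.spotbugs" version "1.6.2" }
apply plugin: 'com.github.spotbugs'

repositories {
    mavenCentral()
}

dependencies {
    // FindSecBugs is a SpotBugs *detector* plugin, not a Gradle plugin. It must sit on the
    // spotbugsPlugins configuration so SpotBugs loads its security detectors at analysis time;
    // putting it on an ordinary compile configuration does nothing.
    spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.7.1'
}

spotbugs {
    effort = 'max'          // most thorough analysis
    reportLevel = 'low'     // also surface low-confidence findings; many security findings are not 'high'
    ignoreFailures = false  // a finding fails the build instead of only producing a report
}

// Applies to spotbugsMain and spotbugsTest, both of which `./gradlew clean build` runs via `check`
tasks.withType(com.github.spotbugs.SpotBugsTask) {
    reports {
        xml.enabled = false
        html.enabled = true  // written to build/reports/spotbugs/<sourceSet>.html
    }
}
```

Running ./gradlew clean build executes spotbugsMain and spotbugsTest as part of check. To confirm the FindSecBugs detectors actually ran, open build/reports/spotbugs/main.html: the report's category list includes a "Security" section only when the findsecbugs-plugin jar was loaded from spotbugsPlugins, which is the same signal the answer describes.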