Configs · May 29, 2026 · 1 min read

SpotBugs — Static Analysis to Find Bugs in Java Code

The spiritual successor to FindBugs that analyzes Java bytecode to detect over 400 bug patterns including null pointer dereferences, infinite loops, and resource leaks.

Agent ready: this asset can be installed directly by an agent. The agent first selects the current runtime, checks the install plan, then runs the matching command.

Native · 98/100 · Policy: allow
Agent entry: any MCP/CLI agent
Type: Skill
Install: Single
Trust level: Established
Entry point: SpotBugs Overview

Direct install command:
npx -y tokrepo@latest install a741f5b6-5b15-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first to confirm the install plan, then run this command.

Introduction

SpotBugs is the successor to FindBugs, performing static analysis on compiled Java bytecode to detect real bugs. Unlike style checkers that examine source code, SpotBugs analyzes .class files to find null dereferences, infinite recursive loops, resource leaks, and concurrency issues that cause runtime failures.

What SpotBugs Does

  • Analyzes compiled Java bytecode (.class and .jar files) for over 400 bug patterns
  • Detects null pointer dereferences, resource leaks, and thread safety violations
  • Classifies findings by category: correctness, bad practice, performance, security, and multithreading
  • Provides a Swing-based GUI for interactive bug exploration
  • Integrates with Maven, Gradle, Ant, and Eclipse/IntelliJ plugins

Architecture Overview

SpotBugs loads compiled Java class files and builds a control flow graph and data flow analysis for each method. Bug detectors are visitors that query the bytecode instructions, type hierarchy, and data flow facts. The analysis engine runs each detector over every class and method, collecting bug instances with confidence and priority rankings. Results are written to XML or displayed in the GUI.

Self-Hosting & Configuration

  • Add the SpotBugs Maven or Gradle plugin to your build configuration
  • Run mvn spotbugs:check or ./gradlew spotbugsMain to analyze compiled classes
  • Create an exclude filter XML file to suppress false positives by bug pattern, class, or method
  • Use the @SuppressFBWarnings annotation from the spotbugs-annotations artifact for inline suppression
  • Configure the effort level (min, default, max) and report threshold (low, medium, high) to control sensitivity
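An added example, not taken from the page or from the SpotBugs project, of the Maven wiring the steps above describe: effort and threshold settings, the FindSecBugs plugin, and an exclude filter that narrows each suppression to a class, method and bug pattern. The class names and the PLACEHOLDER_VERSION values are assumptions to be replaced with your own packages and current releases.

```xml
<!-- pom.xml fragment (added example, not project code): goes under build/plugins -->
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>PLACEHOLDER_VERSION</version>
  <configuration>
    <!-- Max enables the slower, more precise dataflow analyses -->
    <effort>Max</effort>
    <!-- Low reports everything; raise to Medium or High to cut noise -->
    <threshold>Low</threshold>
    <!-- suppressions live in one reviewed file, not scattered in code -->
    <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
    <!-- fail the build on findings so CI actually enforces the gate -->
    <failOnError>true</failOnError>
    <plugins>
      <!-- FindSecBugs adds the security detectors mentioned on this page -->
      <plugin>
        <groupId>com.h3xstream.findsecbugs</groupId>
        <artifactId>findsecbugs-plugin</artifactId>
        <version>PLACEHOLDER_VERSION</version>
      </plugin>
    </plugins>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
      <phase>verify</phase>
    </execution>
  </executions>
</plugin>

<!-- spotbugs-exclude.xml (added example): clauses inside one Match are ANDed -->
<FindBugsFilter>
  <!-- generated code (hypothetical package): skip only the encoding warning -->
  <Match>
    <Class name="~.*\.generated\..*" />
    <Bug pattern="DM_DEFAULT_ENCODING" />
  </Match>
  <!-- a reviewed false positive (hypothetical class): pin class, method and
       pattern together so no other finding in that class is hidden -->
  <Match>
    <Class name="com.example.LegacyConfigLoader" />
    <Method name="loadFromClasspath" />
    <Bug pattern="PATH_TRAVERSAL_IN" />
  </Match>
</FindBugsFilter>
```

Never exclude by category alone (for example all SECURITY findings); a suppression that names only a pattern or only a class hides future regressions too.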

Key Features

  • Bytecode-level analysis that catches bugs invisible to source-level linters
  • Over 400 bug detectors organized into categories like correctness, security, and performance
  • FindSecBugs plugin adds 130+ security-focused detectors for OWASP vulnerabilities
  • Confidence and priority rankings to help teams triage findings
  • XML and SARIF output for CI pipeline integration and GitHub code scanning

Comparison with Similar Tools

  • Error Prone — catches bugs at compile time in source code; SpotBugs analyzes bytecode post-compilation
  • PMD — works on source code to find code smells; SpotBugs finds deeper runtime bug patterns in bytecode
  • Checkstyle — enforces style conventions; SpotBugs focuses exclusively on correctness and security bugs
  • FindBugs — the predecessor project that is no longer maintained; SpotBugs is the actively maintained fork

FAQ

Q: Does SpotBugs work with Kotlin or other JVM languages? A: SpotBugs analyzes JVM bytecode, so it can analyze compiled Kotlin, Groovy, or Scala classes. However, some detectors may produce false positives on non-Java bytecode patterns.

Q: How does SpotBugs differ from FindBugs? A: SpotBugs is the official successor that continues development after FindBugs was abandoned. It supports newer Java versions and includes additional bug detectors.

Q: Can I add security-focused analysis? A: Yes. Install the FindSecBugs plugin, which adds over 130 security detectors covering SQL injection, XSS, path traversal, and other OWASP Top 10 vulnerabilities.

Q: Does SpotBugs work with Java 21+ bytecode? A: Yes. SpotBugs regularly updates its bytecode parser to support the latest Java class file formats.
