How to spot Java bugs with SpotBugs

This article introduces SpotBugs, a utility that helps you spot Java “bug patterns” in your code which are likely to turn into runtime bugs.

Getting started with SpotBugs

First, let’s see how SpotBugs works. The tool defines a set of Bug patterns, which Detectors scan for in your code. In turn, Bug patterns are grouped into different Categories.

By default, SpotBugs searches for all Bug patterns in your code and includes all Categories. You can, however, restrict the scan to a set of Bug Patterns, a selection of classes/methods in your project, or a specific Category of Bug Patterns.

For example, you can choose to scan only a specific Bug pattern such as the following, where an Exception is caught and not thrown:

try {
	 
} catch (Exception e) {
	// TODO Auto-generated catch block
	e.printStackTrace();
}

On the other hand, you can choose to scan only Bug Patterns that belong to the PERFORMANCE Category.

You can detect Bug patterns using Detectors. The list of detectors is available here: https://spotbugs.readthedocs.io/en/latest/detectors.html

Installing SpotBugs

You have multiple options to install SpotBugs. You can download the latest release from GitHub: https://github.com/spotbugs/spotbugs/

When you install the project from the source, you will be able to invoke SpotBugs from the Command Line. For example:

java -jar $SPOTBUGS_HOME/lib/spotbugs.jar options...

On the other hand, you can also run SpotBugs as a Maven / Gradle / Ant or Eclipse plugin.

In the next part of this article, we will show how to use SpotBugs in a Maven project.

Using SpotBugs with Maven

To use this tool in a Maven project, all you need to do is add its Maven plugin to the reporting section of the pom.xml:

<reporting>
	<plugins>
		<plugin>
			<groupId>com.github.spotbugs</groupId>
			<artifactId>spotbugs-maven-plugin</artifactId>
			<version>4.7.1.1</version>
		</plugin>
	</plugins>
</reporting>

The reporting plugins will run in the Maven site goal. Therefore, you can run it as follows:

mvn compile site

Then, verify that the SpotBugs report is being generated in your Maven logs:

[INFO] Generating "SpotBugs" report      --- spotbugs-maven-plugin:4.7.1.1:spotbugs

Finally, you will find the spotbugs.html report under the target/site folder of your project:

[francesco@fedora tamutils]$ tree target/site
target/site
├── css
├── dependencies.html
├── dependency-info.html
├── index.html
├── plugin-management.html
├── plugins.html
├── project-info.html
├── project-reports.html
├── spotbugs.html
└── summary.html

Open the SpotBugs HTML page to check the report for your project:


The HTML report contains the list of classes included in the report, grouped by Category.

Advanced Usage

In our basic example, SpotBugs will scan for all possible Bug Patterns across all categories. To filter these options you can use an XML Filter file. For example, the following plugin configuration introduces an inclusion filter and an exclusion filter for your project:

<plugin>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>4.7.1.1</version>
    <configuration>
        <includeFilterFile>myfilter-include.xml</includeFilterFile>
        <excludeFilterFile>myfilter-exclude.xml</excludeFilterFile>
    </configuration>
</plugin>

For example, the following myfilter-include.xml defines a single Bug Pattern (“OS_OPEN_STREAM”: Method may fail to close stream) which applies to the class com.foobar.MyClass within its method writeDataToFile:

<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter>
	<Match>
	  <Class name="com.foobar.MyClass" />
	  <Method name="writeDataToFile" />
	  <Bug pattern="OS_OPEN_STREAM" />
	</Match>
</FindBugsFilter>
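
As an added illustration (not code from the original article or from the SpotBugs project), here is the kind of method the OS_OPEN_STREAM filter above is meant to match, next to a corrected version. The class and method names come from the filter; the method parameters, the writeDataToFileClosed variant and the sample data are assumptions.

```java
package com.foobar;

import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class MyClass {

    // Shape targeted by OS_OPEN_STREAM: the stream is created in this method,
    // never escapes it, and no path closes it. Each call holds a file
    // descriptor until the garbage collector happens to reclaim the object,
    // so a busy service can exhaust its descriptor limit.
    public void writeDataToFile(Path target, String data) throws IOException {
        FileOutputStream out = new FileOutputStream(target.toFile());
        out.write(data.getBytes(StandardCharsets.UTF_8));
    }

    // Hypothetical corrected variant: try-with-resources closes the stream
    // on both the normal path and when write() throws.
    public void writeDataToFileClosed(Path target, String data) throws IOException {
        try (FileOutputStream out = new FileOutputStream(target.toFile())) {
            out.write(data.getBytes(StandardCharsets.UTF_8));
        }
    }

    public static void main(String[] args) throws IOException {
        MyClass c = new MyClass();
        // Constructed sample input written to temporary files.
        Path leaky = Files.createTempFile("spotbugs-leaky", ".txt");
        Path closed = Files.createTempFile("spotbugs-closed", ".txt");
        leaky.toFile().deleteOnExit();
        closed.toFile().deleteOnExit();

        c.writeDataToFile(leaky, "constructed sample data");
        c.writeDataToFileClosed(closed, "constructed sample data");

        // Both files hold the same bytes; the difference is only whether the
        // descriptor was released deterministically.
        System.out.println(Files.size(leaky) + " " + Files.size(closed));
    }
}
```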

On the other hand, the following XML Filter file matches all Bug Patterns in the PERFORMANCE category:

<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter>
	<Match>
	  <Bug category="PERFORMANCE" />
	</Match>
</FindBugsFilter>

Installing SpotBugs Eclipse Plugin

Finally, we will mention how to install this tool as an Eclipse plugin. You can do it in two ways:

  1. Use the Help | Install new Software and add the SpotBugs Update Site Plugin https://spotbugs.github.io/eclipse/
  2. From Eclipse Market Place, search for the plugin.

After restarting Eclipse, you will be able to activate SpotBugs options on your project. All you need to do is right-click on your project and choose the option, for example, Find Bugs.

SpotBugs will execute, and problem markers (displayed in source windows, and also in the Eclipse Problems view) will point to locations in your code which are potential instances of bug patterns.