FindBugs v2 Released
FindBugs looks for bugs in Java programs. It is based on the concept of bug patterns.
A bug pattern is a code idiom that is often an error. Bug patterns arise for a variety of reasons:
- Difficult language features
- Misunderstood API methods
- Misunderstood invariants when code is modified during maintenance
- Garden variety mistakes: typos, use of the wrong boolean operator
FindBugs uses static analysis to inspect Java bytecode for occurrences of bug patterns. Static analysis means that FindBugs can find bugs by simply inspecting a program’s code: executing the program is not necessary. This makes FindBugs very easy to use: in general, you should be able to use it to look for bugs in your code within a few minutes of downloading it. FindBugs works by analyzing Java bytecode (compiled class files), so you don’t even need the program’s source code to use it. Because its analysis is sometimes imprecise, FindBugs can report false warnings, which are warnings that do not indicate real errors. In practice, the rate of false warnings reported by FindBugs is less than 50%.
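To make the idea of a bug pattern concrete, the following added example (not code from FindBugs or its authors) shows one constructed instance for three of the categories listed above, each next to its corrected form. The class and method names are hypothetical. All three mistakes are visible in the compiled class file, which is why they can be found without running the program.

```java
// Added illustration; class and method names are hypothetical.
public class BugPatternExamples {

    // Difficult language feature: == on Strings compares object references,
    // not contents, so an equal string built at runtime is rejected.
    static boolean isAdminBuggy(String role) {
        return role == "admin";
    }
    static boolean isAdminFixed(String role) {
        return "admin".equals(role);   // also safe when role is null
    }

    // Misunderstood API method: String is immutable, so trim() returns a new
    // value; discarding that value leaves the input unchanged.
    static String normalizeBuggy(String user) {
        user.trim();
        return user;
    }
    static String normalizeFixed(String user) {
        return user.trim();
    }

    // Wrong boolean operator: '|' evaluates both operands, so isEmpty()
    // still runs when token is null and throws NullPointerException.
    static boolean isMissingBuggy(String token) {
        return token == null | token.isEmpty();
    }
    static boolean isMissingFixed(String token) {
        return token == null || token.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed input: same contents as the literal, but a distinct object.
        String role = new String("admin");
        System.out.println("role check:  buggy=" + isAdminBuggy(role)
                + " fixed=" + isAdminFixed(role));
        System.out.println("normalize:   buggy=[" + normalizeBuggy(" bob ")
                + "] fixed=[" + normalizeFixed(" bob ") + "]");
        System.out.println("null token:  fixed=" + isMissingFixed(null));
        try {
            isMissingBuggy(null);
        } catch (NullPointerException e) {
            System.out.println("null token:  buggy threw NullPointerException");
        }
    }
}
```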
FindBugs supports a plugin architecture allowing anyone to add new bug detectors. The publications page contains links to articles describing how to write a new detector for FindBugs. If you are familiar with Java bytecode you can write a new FindBugs detector in as little as a few minutes.
The major new features in FindBugs 2 are as follows:
- Bug Rank – bugs are given a rank 1-20, and grouped into the categories scariest (rank 1-4), scary (rank 5-9), troubling (rank 10-14), and of concern (rank 15-20).
- priority renamed confidence – many people were confused by the priority reported by FindBugs, and considered all HIGH priority issues to be important. To reflect the actual meaning of this attribute of issues, it has been renamed confidence. Issues of different bug patterns should be compared by their rank, not their confidence.
- Cloud storage – having a convenient way for developers to share information about when an issue was first seen, and whether it is believed to be a serious problem, is important to successful and cost-effective deployment of static analysis in a large software project.
- update checks – FindBugs will check for releases of new versions of FindBugs. Note: we leverage this capability to count the number of FindBugs users. These update checks can easily be disabled.
- Plugins – FindBugs 2.0 makes it much easier to define plugins that provide various capabilities, and install these plugins either on a per user or per installation basis.
- fb command – rather than using the rather haphazard collection of command line scripts developed over the years for running various FindBugs commands.
- New bug patterns and detectors, and improved accuracy
- Improved performance: overall, we’ve seen an average 10% performance improvement over a large range of benchmarks, although a few users have experienced performance regressions we are still trying to understand.
- Guava support – working with Kevin Bourrillion, we have provided additional support for the Guava library, recognizing many common misuse patterns.
- JSR-305 support – improved detection of problems identified by JSR-305 annotations. In particular, we’ve significantly improved both the accuracy and performance of the analysis of type qualifiers.
Download FindBugs v2.0
More Information: here