

FindBugs™ - Find Bugs in Java Programs

This is the web page for FindBugs, a program which uses static analysis to look for bugs in Java code.  It is free software, distributed under the terms of the GNU Lesser General Public License. The name FindBugs™ and the FindBugs logo are trademarked by The University of Maryland. FindBugs is sponsored by Fortify Software. As of December, 2007, FindBugs has been downloaded more than half a million times.

FindBugs requires JRE (or JDK) 1.5.0 or later to run.  However, it can analyze programs compiled for any version of Java. The current version of FindBugs is @VERSION@, released on @RELEASE_DATE@. We are very interested in getting feedback on how to improve FindBugs.

We would like to better understand how FindBugs is used, and particularly how it is integrated into software development processes at different organizations. We have created a 10-20 minute survey to capture some of these trends. Participants can also choose to enter a drawing to win FindBugs Swag from Bill Pugh.

To take the survey, visit http://www.cs.umd.edu/projects/PL/surveys/findbugs

For more information, visit the Project Website.


Additional open source projects

The following software is being made available by the University of Maryland and the FindBugs project. The software is still preliminary, and needs volunteers to help mature it.

  • Multithreaded test case, a framework designed to make it easy to create test cases for concurrent software in which multiple threads must coordinate their activity to perform a test (e.g., testing a concurrent blocking queue, with one thread that blocks when it tries to add to a full queue, and another thread that unblocks the first by removing an element).
  • Checked uncontended lock, an implementation of the Java 5 Lock and ReadWriteLock interfaces that throws an exception if it detects lock contention. These locks are designed to be used for debugging, and can be used in places where you don't believe you need a lock but want to verify that assumption at runtime.
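As an added illustration of the checked uncontended lock idea (this is a sketch written for this page, not the University of Maryland's implementation), the class below wraps a ReentrantLock and turns every acquisition into a tryLock(): if another thread already holds the lock, that is treated as a bug and an IllegalStateException is thrown instead of blocking. The class name and the main() demonstration are assumptions.

```java
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Condition;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;

// Hypothetical debugging lock: a Lock that must never be contended.
// Acquisition never waits; contention is reported as an exception so that a
// "we don't really need a lock here" assumption is checked at runtime.
public class CheckedUncontendedLock implements Lock {
    private final ReentrantLock delegate = new ReentrantLock();

    public void lock() {
        // tryLock() succeeds for the owning thread (reentrancy) and fails
        // immediately if any other thread holds the lock.
        if (!delegate.tryLock()) {
            throw new IllegalStateException("unexpected lock contention: held by another thread");
        }
    }

    public void lockInterruptibly() throws InterruptedException {
        if (Thread.interrupted()) throw new InterruptedException();
        lock();
    }

    public boolean tryLock() {
        return delegate.tryLock();
    }

    public boolean tryLock(long time, TimeUnit unit) throws InterruptedException {
        // Contention is a bug here, so no waiting is done regardless of the timeout.
        return delegate.tryLock();
    }

    public void unlock() {
        delegate.unlock();
    }

    public Condition newCondition() {
        // Waiting on a condition releases the lock and implies contention by design.
        throw new UnsupportedOperationException("conditions imply contention");
    }

    // Constructed demonstration: the main thread holds the lock while a second
    // thread tries to take it, so the second thread trips the contention check.
    public static void main(String[] args) throws InterruptedException {
        final CheckedUncontendedLock lock = new CheckedUncontendedLock();
        lock.lock();
        Thread t = new Thread(new Runnable() {
            public void run() {
                try {
                    lock.lock();
                    System.out.println("no contention detected (unexpected)");
                } catch (IllegalStateException e) {
                    System.out.println("contention detected: " + e.getMessage());
                }
            }
        });
        t.start();
        t.join();
        lock.unlock();
    }
}
```

Because the check happens at acquisition time, the exception surfaces in the thread that lost the race, with a stack trace pointing at the code path that assumed it was uncontended; that is the point where the missing-synchronization assumption should be revisited.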

Sample output

As an example of the kind of issues FindBugs can identify, we provide our results on Sun's JDK 7, Eclipse, Netbeans, Glassfish and JBoss. We present these results as a table showing the number of warnings we generate, an HTML report generated by FindBugs, and a Java Web Start demo of FindBugs that loads the results of our analysis and the relevant source, so that you can view the source corresponding to each of our warnings and judge for yourself the accuracy of FindBugs.

Briefly, this table gives the number of warnings we found in various applications we use as benchmarks:

Application                    Details             Correctness bugs     Bad       Dodgy   KNCSS
                               HTML    WebStart    NP bugs   Other      Practice
Sun JDK 1.7.0-b12              All     All Small        68     180        954      654     597
eclipse-SDK-3.3M7-solaris-gtk  All     All Small       146     259      1,079      643   1,447
netbeans-6_0-m8                All     All Small       189     305      3,010    1,112   1,022
glassfish-v2-b43               All     All Small       146     154        964    1,222   2,176
jboss-4.0.5                    All     All Small        30      57        263      214     178

KNCSS - Thousands of lines of non-commenting source statements

Try FindBugs now on your project!

Using Java Web Start you can try the GUI version of FindBugs now on your project. As long as you have a 1.4 or better JRE installed, you can run FindBugs now. If you are using Java 1.5 or later, you will see the new GUI that we wrote over the summer.

Change history

The current version of FindBugs is @VERSION@. Changes since version 1.3.0:

Changes since version 1.3.1

  • FindBugs base
    • New Bug Category:
      • SECURITY (Abbrev: S): a use of untrusted input in a way that could create a remotely exploitable security vulnerability
    • New Detectors:
      • CrossSiteScripting: This detector looks for obvious/blatant cases of cross-site scripting vulnerabilities
    • New BugCode:
      • XSS: Cross site scripting
    • New Reports:
      • XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: HTTP parameter directly written to Servlet output, giving XSS vulnerability
      • XSS_REQUEST_PARAMETER_TO_JSP_WRITER: HTTP parameter directly written to JSP output, giving XSS vulnerability
      • EQ_OTHER_USE_OBJECT: equals() method defined that doesn't override Object.equals(Object)
      • EQ_OTHER_NO_OBJECT: equals() method inherits rather than overrides equals(Object)
      • NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE: Possible null pointer dereference on path that might be infeasible
    • Other:
      • Added -noClassOk command-line parameter to command-line and ant interfaces; when -noClassOk is specified and no classfiles are given, FindBugs will print a warning message and output a well-formed file with no warnings
      • Fewer false positives for null pointer bugs
      • Suppress dead-local-store false positives in .jsp code
      • Typo fixes in warning messages
      • Better warning message for NP_NULL_ON_SOME_PATH
      • "WMI" bug code description renamed from "Wrong Map Iterator" to "Inefficient Map Iterator"
    • Fixes:
      • [ 1893048 ] FindBugs confused by a findbugs.xml file
      • [ 1878528 ] XSL xforms don't support history features
      • [ 1876584 ] two default.xsl flaws
      • [ 1874856 ] Format string bug detector doesn't handle special operators
      • [ 1872645 ] computeBugHistory - java.lang.IllegalArgumentException
      • [ 1872237 ] Ant task fails when no .class files
      • [ 1868670 ] Filters: include AND exclude don't allowed
      • [ 1868666 ] check-for-oddness reported, but array length can never be negative
      • [ 1866108 ] SetBugDatabaseInfoTask strips dir from output filename
      • [ 1866021 ] MineBugHistoryTask strips dir of output filename
      • [ 1865265 ] code doesn't handle StringBuffer.append([CII) right
      • [ 1864793 ] Warning when casting a null reference compared to a String
      • [ 1863376 ] Typo in manual chap 8: Filter Files
      • [ 1862705 ] Transient fields that default to null
      • [ 1842545 ] DLS on catch variable (with priority tweaking)
      • [ 1816258 ] false positive BC_IMPOSSIBLE_CAST
      • [ 1551732 ] Get erroneous DLS with while loop
  • FindBugs Eclipse plugin (change log by Andrei Loskutov)
    • new feature: added Bug explorer view (replacing Bug tree view), based on Common Navigator framework (Andrei Loskutov)
    • bug 1873860 fixed: empty projects are no longer shown in Bug tree view (Andrei Loskutov)
    • new feature: bug counts decorators for projects, folders and files (has to be activated via Preferences -> general -> appearance -> label decorations)(Andrei Loskutov)
    • patch 1746499: better icons (Alessandro Nistico)
    • patch 1893685: Find bug actions on change sets bug (Alessandro Nistico)
    • fixed bug 1855384: Bug configuration is broken in Eclipse (Andrei Loskutov)
    • refactored FindBugs properties page (Andrei Loskutov)
    • refactored FindBugs worker/builder/run action (Andrei Loskutov)
    • FB now detects only bugs from classes on the project's classpath (no double work on duplicated class files) (Andrei Loskutov)
    • fixed bug introduced by the bad patch for 1867951: FB cannot be executed incrementally on a folder or file (Andrei Loskutov)
    • fixed job rule: now jobs for different projects may run in parallel if running on a multi-core PC and "fb.allowParallelBuild" system property is set to true (Andrei Loskutov)
    • fixed FB auto-build not started if .fbprefs or .classpath was changed (Andrei Loskutov)
    • fixed not reporting bugs on secondary types (classes defined in java files with different name) (Andrei Loskutov)
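The XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER report listed above flags a request parameter that flows straight into the servlet's response writer. The servlet below is an added example written for this page, not FindBugs project code: doGetUnsafe() shows the pattern the CrossSiteScripting detector reports, and doGet() shows the same page with the parameter HTML-escaped before it is written. The class name, the "name" parameter and the escapeHtml helper are assumptions; in real code a maintained encoder library would be used rather than a hand-written one.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet illustrating XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER.
public class GreetingServlet extends HttpServlet {

    // Flagged pattern: the untrusted "name" parameter is concatenated into
    // HTML and written to the response without any encoding.
    protected void doGetUnsafe(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<p>Hello, " + req.getParameter("name") + "</p>");
    }

    // Hardened form: same output, but the parameter is encoded for the HTML
    // text context first, so markup in the input is rendered as literal text.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String name = req.getParameter("name");
        out.println("<p>Hello, " + escapeHtml(name == null ? "" : name) + "</p>");
    }

    // Minimal HTML text-context encoder (assumption: no encoder library on
    // the classpath). Replaces the five characters that can change the
    // meaning of HTML text or attribute values.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The detector works on data flow rather than on the presence of an encoder, so the fix only counts once the encoded value, not the raw parameter, is what reaches the writer; encoding into a temporary and then writing the original by mistake would still be reported.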

Older versions...

Talks about FindBugs

Papers about FindBugs

Sponsors

Financial support for the open source FindBugs project is provided by our sponsor, Fortify Software.

Fortify Software sells security tools, including Fortify Source Code Analysis, which uses static analysis to search for security vulnerabilities (much as FindBugs uses static analysis to look for general code quality problems). FindBugs is integrated into Fortify's tools, providing an integrated tool set to look for and audit both security and quality problems (press release).

Fortify Software now provides Java Open Review, a free analysis and on-line reviewing service for selected open source projects. This provides analysis for both correctness issues identified by FindBugs and security issues (such as SQL injection and cross-site scripting) identified by Fortify's Source Code Analysis, and provides an on-line auditing and commenting facility for contributors to each project. Defect warnings are not visible to the general public, only to contributors to each project. There is a place on the web page where you can request that your project be included in the set of projects reviewed.

Additional Support

YourKit is kindly supporting open source projects with its full-featured Java Profiler. YourKit, LLC is creator of innovative and intelligent tools for profiling Java and .NET applications. Take a look at YourKit's leading software products: YourKit Java Profiler and YourKit .NET Profiler.

The FindBugs project also uses FishEye and Clover, which are generously provided by Cenqua/Atlassian.

Additional financial support for the FindBugs project has been provided by Google, Sun Microsystems, National Science Foundation grants ASC9720199 and CCR-0098162, and by a 2004 IBM Eclipse Innovation award.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF).