07 July 2014

SonarQube, FindBugs and Java 8

This post describes how to patch SonarQube to make the FindBugs plugin analyze Java 8 code.


We start with an official installation of SonarQube 4.3.2 with Sonar Java 2.3. The Sonar Findbugs plugin uses findbugs 2.0.3. This version uses ASM 3.3 for byte code analysis, but Java 8 requires ASM 5.0.x.

FindBugs snapshots have been using ASM 5.0.2 for a while, and a Java 8 compliant FindBugs 3.0.0 release has now been published, but the artifacts are not yet available in Maven Central or any other Maven repository.

In fact, the FindBugs Maven build process is not quite clean, relying on a local snapshot of an external dependency (Apache BCEL).

Thus, for patching SonarQube, we need to do a clean Maven build of FindBugs, then build sonar-findbugs with this updated dependency and finally overwrite the sonar-findbugs plugin in our SonarQube installation.

Whenever patching third-party Maven artifacts, I use a project or company suffix on the version identifiers, e.g. -eos-1, to distinguish my patches from official releases.

Building FindBugs

git clone https://code.google.com/p/findbugs
cd findbugs/findbugs
mvn install:install-file -Dfile=lib/bcel-6.0-SNAPSHOT.jar -DgroupId=com.google.code.findbugs -DartifactId=bcel -Dversion=6.0-eos-1 -Dpackaging=jar

Then edit pom.xml, setting the version to 3.0.0-eos-1 and replacing the bcel dependency version 6.0-SNAPSHOT by 6.0-eos-1.

Now build and install FindBugs 3.0.0-eos-1 to your local repo:

mvn clean install

Building sonar-findbugs

git clone https://github.com/SonarSource/sonar-findbugs.git
cd sonar-findbugs

Edit pom.xml, set findbugs.version to 3.0.0-eos-1 and maxsize in the maven-enforcer-plugin rules to 6000000.

Now build and install sonar-findbugs 2.4-SNAPHOT in your local repository:

mvn clean install

Install the patched plugin

  • Stop your SonarQube server.
  • Go to SONARQUBE_HOME/extensions/plugins and replace sonar-findbugs-plugin-2.3.jar by sonar-findbugs-plugin-2.4-SNAPSHOT.jar
  • Restart your SonarQube server and run a FindBugs analysis under Java 8.

Download patched plugin

You can download the patched plugin from DropBox.


Use these instructions at your own risk.

1 comment:

Unknown said...

Your procedure looked promising but, once the patch is installed in SonarQube, it won't start:

com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Duplicate entry 'findbugs-IKNC_INCONSISTENT_HTTP_ATTRIBUTE_CASING' for key 'rules_repo_key'

There are some FB rules active in my profile.