FindBugs
 
Docs and Info
Demo and data
Users and supporters
FindBugs blog
Fact sheet
Manual (en)
Manual (ja)
FAQ
Bug descriptions
Mailing lists
Documents and Publications
Links
 
Downloads
 
FindBugs Swag
 
Development
Reporting bugs
Contributing
Dev team
API [no frames]
Change log
SF project page
Browse source

FindBugs logo UMD logo Fortify logo

FindBugs™ - Find Bugs in Java Programs

This is the web page for FindBugs, a program which uses static analysis to look for bugs in Java code.  It is free software, distributed under the terms of the Lesser GNU Public License. The name FindBugs™ and the FindBugs logo are trademarked by The University of Maryland. FindBugs is sponsored by Fortify Software. As of December, 2007, FindBugs has been downloaded more than half a million times.

FindBugs requires JRE (or JDK) 1.5.0 or later to run.  However, it can analyze programs compiled for any version of Java. The current version of FindBugs is 1.3.4, released on 18:06:17 EDT, 06 May, 2008. We are very interested in getting feedback on how to improve FindBugs.

We would like to better understand how FindBugs is used, and particularly how it is integrated into software development processes at different organizations. We have created a 10-20 minute survey to capture some of these trends. Participants can also choose to enter a drawing to win FindBugs Swag from Bill Pugh.

To take the survey, visit http://www.cs.umd.edu/projects/PL/surveys/findbugs

For more information, visit the Project Website.

More | Output | Try | Changes | Talks | Papers | Sponsors | Support

Additional open source projects

The following software is being made available by the University of Maryland and the FindBugs project. The software is still preliminary, and needs volunteers to help mature it.

  • Multithreaded test case, a framework designed to make it easy to create test cases for concurrent software in which multiple threads must coordindate their activity to perform a test (e.g., testing a concurrent blocking queue, with one thread that blocks when it trys to add to a full queue, and another thread that unblocks the first by removing an element).
  • Checked uncontended lock, an implementation of the Java 5 Lock and ReadWriteLock interfaces that throw exceptions if they detect lock contention. These locks are designed to be used for debugging, and can be used in places where you don't believe you need to use a lock but want to verify that at runtime.

Sample output

As an example of the kind of issues FindBugs can identify, we provide our results on the Sun's JDK 7, Eclipse, Netbeans, Glassfish and JBoss. We present these results as a table showing the number of warnings we generate, an html report generated by FindBugs, and using a Java Webstart demo of FindBugs that loads the results of our analysis and the relevant source, so that you can view the source corresponding to each of our warnings and judge for yourself the accuracy of Findbugs.

Briefly, this table gives the number of warnings we found in various applications we use as benchmarks:

ApplicationDetailsCorrectness bugsBad PracticeDodgyKNCSS
HTMLWebStartNP bugsOther
Sun JDK 1.7.0-b12 All All Small 68180954654597
eclipse-SDK-3.3M7-solaris-gtk All All Small 1462591,0796431,447
netbeans-6_0-m8 All All Small 1893053,0101,1121,022
glassfish-v2-b43 All All Small 1461549641,2222,176
jboss-4.0.5 All All Small 3057263214178

KNCSS - Thousands of lines of non-commenting source statements

Try FindBugs now on your project!

Using Java Web Start you can try the GUI version of FindBugs now on your project. As long as you have a 1.4 or better JRE installed, you can run FindBugs now. If you are using Java 1.5 or later, you will see the new GUI that we wrote over the summer.

Change history

The current version of FindBugs is s 1.3.4.

Changes since version 1.3.3

  • FindBugs base
    • New Reports:
      • EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: equals method overrides equals in superclass and may not be symmetric
      • EQ_ALWAYS_TRUE: equals method always returns true
      • EQ_ALWAYS_FALSE: equals method always returns false
      • EQ_COMPARING_CLASS_NAMES: equals method compares class names rather than class objects
      • EQ_UNUSUAL: Unusual equals method
      • EQ_GETCLASS_AND_CLASS_CONSTANT: equals method fails for subtypes
      • SE_READ_RESOLVE_IS_STATIC: The readResolve method must not be declared as a static method.
      • SE_PRIVATE_READ_RESOLVE_NOT_INHERITED: private readResolve method not inherited by subclasses
      • MSF_MUTABLE_SERVLET_FIELD: Mutable servlet field
      • XSS_REQUEST_PARAMETER_TO_SEND_ERROR: Servlet reflected cross site scripting vulnerability
      • SKIPPED_CLASS_TOO_BIG: Class too big for analysis
    • Other:
      • Value-number analysis now more space-efficient
      • Enhancements to reduce memory overhead when analyzing very large classes
      • Now skips very large classes that would otherwise take too much time and memory to analyze
      • Infrastructure for tracking effectively-constant/ effectively-final fields
      • Added more cweids
      • Enhanced taint tracking for taint-based detectors
      • Ignore doomed calls to equals if result is used as an argument to assertFalse
      • EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC handles compareTo
      • Priority tweak for ICAST_INTEGER_MULTIPLY_CAST_TO_LONG (only low priority if multiplying by 1000)
      • Improved tracking of fields across method calls
    • Fixes:
      • [ 1941450 ] DLS_DEAD_LOCAL_STORE not reported
      • [ 1953323 ] Omitted break statement in SynchronizeAndNullCheckField
      • [ 1942620 ] Source Directories selection dialog interface confusion (partial)
      • [ 1948275 ] Unhelpful "Load of known null"
      • [ 1933922 ] MWM error in findbugs
      • [ 1934772 ] 1.3.3 appears to rely on JDK 1.6, JNLP still specifies 1.5
      • [ 1933945 ] -loadbugs doesn't work
      • Fixed problems for class names starting with '$'
      • Fixed bugs and incomplete handling of annotations in VersionInsensitiveBugComparator
    • Patches:
      • [ 1955106 ] Javadoc fixes
      • [ 1951930 ] Superfluous import statements (thanks to Jerry James)
      • [ 1951907 ] Missing @Deprecated annotations (thanks to Jerry James)
      • [ 1951876 ] Infonode Docking Windows compile fix (thanks to Jerry James)
      • [ 1936055 ] bugfix for findbugs.de.comment not working (thanks to Peter Fokkinga)
  • FindBugs BlueJ plugin
    • Updated to use FindBugs 1.3.4 (first new release since 1.1.3)

Older versions...

Talks about FindBugs

Papers about FindBugs

Sponsors

Financial support for the open source FindBugs project is provided by our sponsors, Fortify Software

Fortify Software sells security tools, including Fortify Source Code Analysis, which which uses static analysis to search for security vulnerabilities (much as FindBugs uses static analysis to look for general code quality problems. FindBugs is integrated into Fortify's tools, providing an integrated tool set to look for and audit both security and quality problems (press release).

Fortify Software now provides Java Open Review, a free analysis and on-line reviewing service to selected open source projects. This provides analysis for both correctness issues identified by FindBugs and security issues (such as SQL injection and Cross-site scripting identified by Fortify's Source Code Analysis, and provides a on-line auditing and commenting facility for contributors of each project. Defect warnings are not visible to the general public, only to contributors of each project. There is a place on the web page where you can request that your project be included in the set of projects reviewed.

Additional Support

YourKit is kindly supporting open source projects with its full-featured Java Profiler. YourKit, LLC is creator of innovative and intelligent tools for profiling Java and .NET applications. Take a look at YourKit's leading software products: YourKit Java Profiler and YourKit .NET Profiler.

The FindBugs project also uses FishEye and Clover, which are generously provided by Cenqua/Atlassian.

Additional financial support for the FindBugs project has been provided by Google, Sun Microsystems, National Science Foundation grants ASC9720199 and CCR-0098162, and by a 2004 IBM Eclipse Innovation award.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF).

Send comments to findbugs@cs.umd.edu

SourceForge.net Logo