Sian January wrote:
> I think it would be really good to scan the classlib code. I spent some time last year fixing bugs found by FindBugs and although a lot of them were minor there were a handful of quite serious ones that were definitely worth the time spent. There is a fair amount of manual post-evaluation work, but surely it can't hurt to get the report and then fix the issues as and when people have time.
The key is to do as you did though, and document those "false positives" in a way that they are removed from subsequent analyses. There are a number of places in implementing the core class libraries themselves that require techniques which would be considered bad practice for application coding.
Regards, Tim
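An added illustration of the triage practice Tim describes (not code from this thread or from the classlib project): a FindBugs exclude filter that records each reviewed false positive, with its justification as an XML comment, so the same findings do not reappear in the next run. The class and package names below are hypothetical placeholders; the bug pattern identifiers (EI_EXPOSE_REP, DM_DEFAULT_ENCODING) are standard FindBugs pattern names.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical exclude filter: every Match is a reviewed finding, not a blanket silence.
     Keep the justification next to the rule so a later reviewer can re-check it. -->
<FindBugsFilter>

  <!-- Reviewed 2nd pass: the internal buffer is handed out deliberately to avoid a copy
       on a hot path; the caller is a trusted internal class, not user code. -->
  <Match>
    <Class name="org.example.classlib.io.InternalBufferHolder"/>
    <Method name="getBuffer"/>
    <Bug pattern="EI_EXPOSE_REP"/>
  </Match>

  <!-- Reviewed: this package implements the platform default charset itself,
       so using the default encoding here is the intended behaviour. -->
  <Match>
    <Package name="org.example.classlib.charset"/>
    <Bug pattern="DM_DEFAULT_ENCODING"/>
  </Match>

  <!-- Deliberately narrow: the same pattern elsewhere in the tree is still reported. -->

</FindBugsFilter>
```

The filter is passed to the command-line tool with `-exclude <file>` (or the equivalent `excludeFilterFile` setting in the Ant/Maven plugins). Scoping each Match to a class, method or package rather than excluding a whole bug pattern keeps the suppression tied to the reviewed code, so a genuinely new instance of the same pattern in a different class still shows up in the next report.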
