I'm circling back to this discussion here on the dev list. I've gotten
findsecbugs integrated into several Jenkins projects, including Jenkins
itself. I pushed draft PRs demonstrating what it will look like in a
handful of plugins.
I put together information on my observation and recommendations for
developers when they start working with findsecbugs. My blog post is at
https://jenkins.io/blog/2020/03/02/findsecbugs/ and my Jenkins Online
Meetup recording is available at https://youtu.be/fotttu20Mf4 .
Now we're ready to start pushing findsecbugs integration more widely,
particularly into parent poms. StefanSpieker has had a PR for adding it
into the Jenkins parent pom since November:
https://github.com/jenkinsci/pom/pull/61 . It's time to get that moving
On 12/19/19 9:22 AM, Jeff Thompson wrote:
Yes, my goal is to also enable findsecbugs in the plugin parent pom. I
think it's well worth it, just as regular spotbugs provides valuable
findings in a number of cases.
I've currently got PRs awaiting review and approval for jenkins and
remoting. I've got one approval for remoting so I'll proceed to merge
that in before long.
I've also prepared branches for about half a dozen plugins where I've
added it into their local configuration. I have planned on pushing
My idea is to prove it out with a selected set of projects and then
work to roll it out more widely. I'm not sure how we want to proceed
with adding it into the plugin parent pom. I'd like to just make it a
standard part, but I think we might need to make it opt-in, such as
with a profile, at least for an introductory period.
Thanks for the response,
On 12/19/19 6:41 AM, Ullrich Hafner wrote:
If it helps to prevent some errors I think it would make sense to
enable it for plugins as well (in the parent pom). Can the execution
of this additional plugin be removed in a specific plugin pom
afterwards? I’m not sure how maven handles it.
I enabled the checker in my plugins and needed to disable it for
tests as there were too many false positives reported:
<Class name="~.*Test.*" />
Additionally, I deactivated the following rules that seem to produce
too many false positives:
<Bug pattern="DESERIALIZATION_GADGET, FORMAT_STRING_MANIPULATION,
Maybe it makes sense to gather feedback from some other plugins as
well before changing the parent pom.
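As an added illustration (not code from this thread, from the jenkinsci/pom PR, or from any of the plugins mentioned), here is one way the opt-in-via-profile idea and the exclusions described above could be expressed: a Maven profile that wires findsecbugs into spotbugs-maven-plugin, plus an exclude filter that skips test classes and the two bug patterns named above. Plugin versions are placeholders and the filter filename `spotbugs-exclude.xml` is an assumption.

```xml
<!-- pom.xml fragment (added example): findsecbugs behind an opt-in profile,
     activated with: mvn -Pfindsecbugs verify -->
<profiles>
  <profile>
    <id>findsecbugs</id>
    <build>
      <plugins>
        <plugin>
          <groupId>com.github.spotbugs</groupId>
          <artifactId>spotbugs-maven-plugin</artifactId>
          <version>SPOTBUGS_PLUGIN_VERSION</version> <!-- placeholder -->
          <configuration>
            <effort>Max</effort>
            <threshold>Low</threshold>
            <!-- fail the build on findings so the profile is actually enforcing -->
            <failOnError>true</failOnError>
            <!-- assumed filename; see the filter document below -->
            <excludeFilterFile>${project.basedir}/spotbugs-exclude.xml</excludeFilterFile>
            <plugins>
              <plugin>
                <groupId>com.h3xstream.findsecbugs</groupId>
                <artifactId>findsecbugs-plugin</artifactId>
                <version>FINDSECBUGS_VERSION</version> <!-- placeholder -->
              </plugin>
            </plugins>
          </configuration>
          <executions>
            <execution>
              <phase>verify</phase>
              <goals><goal>check</goal></goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>

<!-- spotbugs-exclude.xml (separate file, assumed name): suppress the noisy cases -->
<FindBugsFilter>
  <!-- skip test classes entirely, as described in the thread -->
  <Match>
    <Class name="~.*Test.*" />
  </Match>
  <!-- drop the two patterns named above as false-positive heavy -->
  <Match>
    <Bug pattern="DESERIALIZATION_GADGET,FORMAT_STRING_MANIPULATION" />
  </Match>
</FindBugsFilter>
```

Because the profile is opt-in, a plugin inheriting the parent pom is unaffected until it runs with `-Pfindsecbugs`, and each plugin can still widen or narrow the suppressions in its own filter file.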