Using SpotBugs and IntelliJ Plugins for Java Static Code Analysis
The article reviews the transition from Jenkins‑based FindBugs scanning to local IntelliJ plugins, evaluates outdated FindBugs‑IDEA and QAPlug‑FindBugs, and recommends SpotBugs for accurate Java static analysis, sharing installation links, usage notes, and scan results.
Recently I needed to perform Java static scanning locally because Jenkins permissions were revoked and Java code access was opened, so the previous Jenkins‑based FindBugs plugin could no longer be used.
I looked for an IntelliJ plugin and found references to a FindBugs‑IDEA plugin, but it was not present in the IntelliJ plugin marketplace; instead I discovered a QAPlug - FindBugs plugin that appears to provide the same functionality.
Both plugins suffer from the same problem: they have not kept up with recent IntelliJ updates. The official information for FindBugs‑IDEA shows its last update was on 2016‑10‑17, making it unusable for current IntelliJ versions, and searches for findbugs or BUG in the marketplace return no results.
The QAPlug - FindBugs plugin was last maintained on 2018‑04‑23 and only supports compatibility up to IntelliJ IDEA 2018.1.1; newer IDE versions are not supported, so colleagues using newer IntelliJ releases must abandon it.
According to the official information for the two plugins, there are no recent upgrade or maintenance plans.
Consequently I turned to SpotBugs. The official description is excerpted below.
IntelliJ SpotBugs plugin provides static byte‑code analysis to find errors in Java code within IntelliJ IDEA. SpotBugs is a Java defect‑detection tool that uses static analysis to find more than 400 error patterns, such as null‑pointer dereferences, infinite recursion, library misuse, and deadlocks, and can identify hundreds of serious defects (approximately one defect per 1,000‑2,000 lines of non‑comment source code).
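To make three of the pattern families named in that description concrete, here is an added example (not code from the article or from the SpotBugs project) that puts a flagged method next to its corrected form. The class and method names are made up for illustration, and the pattern IDs in the comments are the reports I would expect SpotBugs to raise for each flagged method.

```java
import java.util.Map;

// Constructed illustration, not code from the article or from SpotBugs.
public class SpotBugsPatternsDemo {
    private final String name;

    SpotBugsPatternsDemo(String name) { this.name = name; }

    // Null-pointer dereference (expected report: NP_NULL_ON_SOME_PATH).
    // The null check shows v can be null, yet v is dereferenced on that path.
    static int lengthFlagged(Map<String, String> m, String key) {
        String v = m.get(key);
        if (v == null) {
            System.err.println("missing key: " + key);
        }
        return v.length();
    }

    // Fixed: the null path returns before any dereference.
    static int lengthFixed(Map<String, String> m, String key) {
        String v = m.get(key);
        return v == null ? 0 : v.length();
    }

    // Infinite recursion (expected report: IL_INFINITE_RECURSIVE_LOOP).
    // The getter calls itself instead of reading the field.
    String getNameFlagged() { return getNameFlagged(); }

    // Fixed: return the field.
    String getName() { return name; }

    // Library misuse (expected report: RV_RETURN_VALUE_IGNORED).
    // String is immutable, so the trimmed copy is discarded.
    static String normalizeFlagged(String s) {
        s.trim();
        return s;
    }

    // Fixed: use the value that trim() returns.
    static String normalizeFixed(String s) { return s.trim(); }

    public static void main(String[] args) {
        // Only the fixed variants are executed; the flagged ones exist to be scanned.
        Map<String, String> m = Map.of("user", "alice");
        System.out.println(lengthFixed(m, "absent"));
        System.out.println(new SpotBugsPatternsDemo("demo").getName());
        System.out.println("[" + normalizeFixed("  padded  ") + "]");
    }
}
```

Because SpotBugs analyzes byte code, the class has to be compiled before the plugin can scan it.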
The installation method is the same as other IntelliJ plugins; a screenshot of the BUG view is shown below.
In the source code's left pane, different colored bugs indicate different severity levels. In my tests most findings were warnings; practical use requires fixing error messages first and then addressing the many suspicious issues.
The scan examined 155 class files and found 143 bugs.
IntelliJ plugin URLs mentioned in the article:
https://plugins.jetbrains.com/plugin/14014-spotbugs
https://plugins.jetbrains.com/plugin/4597-qaplug--findbugs
https://plugins.jetbrains.com/plugin/3847-findbugs-idea
Overall, the bugs detected by SpotBugs were much more accurate than those found by FindBugs, so SpotBugs has been promoted within the team.