其他分享
首页 > 其他分享> > Findbugs 用法

Findbugs 用法

作者:互联网

http://findbugs.sourceforge.net/eclipse/

CLI Tutorial

Download

Get from the latest release the package including the tool.

The content should look like this:

> unzip findsecbugs-cli.zip
> cd findsecbugs-cli
> ls
findsecbugs.bat	findsecbugs.sh	include.xml	lib

Simple example of usage

> findsecbugs.bat -high C:\Java\jenkins\WEB-INF\lib\remoting-2.53.jar
H S CIPINT: The cipher does not provide data integrity  At HandshakeCiphers.java:[line 111]
H S CIPINT: The cipher does not provide data integrity  At HandshakeCiphers.java:[line 113]
H S CIPINT: The cipher does not provide data integrity  At ChannelCiphers.java:[line 89]
H S CIPINT: The cipher does not provide data integrity  At ChannelCiphers.java:[line 91]
H S SECOBDES: Object deserialization is used in hudson.remoting.Capability.read(InputStream)  At Capability.java:[line 139]
H S SECOBDES: Object deserialization is used in hudson.remoting.Command.readFrom(Channel, ObjectInputStream)  At Command.java:[line 92]
H S SECOBDES: Object deserialization is used in hudson.remoting.UserRequest.deserialize(Channel, byte[], ClassLoader)  At UserRequest.java:[line 184]
H S SECOBDES: Object deserialization is used in hudson.remoting.RemoteInputStream.readObject(ObjectInputStream)  At RemoteInputStream.java:[line 179]
H S SECOBDES: Object deserialization is used in hudson.remoting.ClassLoaderHolder.readObject(ObjectInputStream)  At ClassLoaderHolder.java:[line 35]
H S CIPINT: The cipher does not provide data integrity  At Launcher.java:[line 289]
H S SECPTI: File(...) reads a file whose location might be specified by user input  At CmdLineParser.java:[line 552]

HTML report

The following command will redirect all the result in a HTML report.

> findsecbugs.bat -progress -html -output report.htm C:\Java\jenkins\WEB-INF\lib\remoting-2.53.jar
Scanning archives (1 / 1)
2 analysis passes to perform
Pass 1: Analyzing classes (1010 / 1010) - 100% complete
Pass 2: Analyzing classes (349 / 349) - 100% complete
Done with analysis

Scanning multiple jars

On linux:

> find /some/application/ -name \*.jar > libs.txt
> cat libs.txt | findsecbugs.sh -xargs -progress -html -output report.htm
 
Scanning archives (156 / 156)
2 analysis passes to perform
Pass 1: Analyzing classes (16922 / 48118) - 35% complete

On Windows:

> dir "C:/Some/Application/" /s /b  | findstr \.jar$ > libs.txt
> cat libs.txt | findsecbugs.bat -xargs -progress -html -output report.htm
 
Scanning archives (156 / 156)
2 analysis passes to perform
Pass 1: Analyzing classes (16922 / 48118) - 35% complete

Additional arguments

To see the available option use the argument -help.

> findsecbugs

No files to be analyzed
Usage: findbugs [general options] -textui [command line options...] [jar/zip/class files, directories...]
General options:
  -jvmArgs args    Pass args to JVM
  -maxHeap size    Maximum Java heap size in megabytes (default=768)
  -javahome <dir>  Specify location of JRE
  General FindBugs options:
    -project <project>                       analyze given project
    -home <home directory>                   specify FindBugs home directory
    -pluginList <jar1[;jar2...]>             specify list of plugin Jar files to load
    -effort[:min|less|default|more|max]      set analysis effort level
    -adjustExperimental                      lower priority of experimental Bug Patterns
    -workHard                                ensure analysis effort is at least 'default'
    -conserveSpace                           same as -effort:min (for backward compatibility)
    -showPlugins                             show list of available detector plugins
    -userPrefs <filename>                    user preferences file, e.g /path/to/project/.settings/edu.umd.cs.findbugs.core.prefs for Eclipse projects
  Output options:
    -timestampNow                            set timestamp of results to be current time
    -quiet                                   suppress error messages
    -longBugCodes                            report long bug codes
    -progress                                display progress in terminal window
    -release <release name>                  set the release name of the analyzed application
    -experimental                            report of any confidence level including experimental bug patterns
    -low                                     report warnings of any confidence level
    -medium                                  report only medium and high confidence warnings [default]

    -high                                    report only high confidence warnings
    -maxRank <rank>                          only report issues with a bug rank at least as scary as that provided
    -dontCombineWarnings                     Don't combine warnings that differ only in line number
    -sortByClass                             sort warnings by class
    -xml[:withMessages]                      XML output (optionally with messages)
    -xdocs                                   xdoc XML output to use with Apache Maven
    -html[:stylesheet]                       Generate HTML output (default stylesheet is default.xsl)
    -emacs                                   Use emacs reporting format
    -relaxed                                 Relaxed reporting mode (more false positives!)
    -train[:outputDir]                       Save training data (experimental); output dir defaults to '.'
    -useTraining[:inputDir]                  Use training data (experimental); input dir defaults to '.'
    -redoAnalysis <filename>                 Redo analysis using configureation from previous analysis

    -sourceInfo <filename>                   Specify source info file (line numbers for fields/classes)
    -projectName <project name>              Descriptive name of project
    -reanalyze <filename>                    redo analysis in provided file
    -output <filename>                       Save output in named file
    -nested[:true|false]                     analyze nested jar/zip archives (default=true)
  Output filtering options:
    -bugCategories <cat1[,cat2...]>          only report bugs in given categories
    -onlyAnalyze <classes/packages>          only analyze given classes and packages; end with .* to indicate classes in a package, .- to indicate a package prefix
    -excludeBugs <baseline bugs>             exclude bugs that are also reported in the baseline xml output
    -exclude <filter file>                   exclude bugs matching given filter
    -include <filter file>                   include only bugs matching given filter
    -applySuppression                        Exclude any bugs that match suppression filter loaded from fbp file
  Detector (visitor) configuration options:
    -visitors <v1[,v2...]>                   run only named visitors
    -omitVisitors <v1[,v2...]>               omit named visitors
    -chooseVisitors <+v1,-v2,...>            selectively enable/disable detectors
    -choosePlugins <+p1,-p2,...>             selectively enable/disable plugins
    -adjustPriority <v1=(raise|lower)[,...]> raise/lower priority of warnings for given visitor(s)
  Project configuration options:
    -auxclasspath <classpath>                set aux classpath for analysis
    -auxclasspathFromInput                   read aux classpath from standard input
    -auxclasspathFromFile <filepath>         read aux classpaths from a designated file
    -sourcepath <source path>                set source path for analyzed classes
    -exitcode                                set exit code of process
    -noClassOk                               output empty warning file if no classes are specified
    -xargs                                   get list of classfiles/jarfiles from standard input rather than command line
    -analyzeFromFile <filepath>              get the list of class/jar files from a designated file
    -cloud <id>                              set cloud id
    -cloudProperty <key=value>               set cloud property
    -bugReporters <name,name2,-name3>        bug reporter decorators to explicitly enable/disable
    -printConfiguration                      print configuration and exit, without running analysis
    -version                                 print version, check for updates and exit, without running analysis

More information

To get more information, visit FindBugs official documentation. http://findbugs.sourceforge.net/manual/running.html

Using Find Security Bugs on a large number of jars: http://blog.h3xstream.com/2016/01/deserialization-vulnerability.html

标签:java,analysis,用法,classes,report,output,line,Findbugs
来源: https://www.cnblogs.com/macter/p/16215268.html