
Security:secci

findsecbugs implementation

The following steps enable findsecbugs security auditing for a project.

The following plugins must be installed on Jenkins:

  • FindBugs Plug-in
  • Maven Integration plugin


The following entry is required in the <plugins> section of the pom.xml of each project.

<plugin>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <version>3.1.1</version>
    <configuration>
        <effort>Max</effort>
        <threshold>Low</threshold>
        <failOnError>true</failOnError>
        <includeFilterFile>${session.executionRootDirectory}/spotbugs-security-include.xml</includeFilterFile>
        <excludeFilterFile>${session.executionRootDirectory}/spotbugs-security-exclude.xml</excludeFilterFile>
        <plugins>
            <plugin>
                <groupId>com.h3xstream.findsecbugs</groupId>
                <artifactId>findsecbugs-plugin</artifactId>
                <version>LATEST</version>
            </plugin>
        </plugins>
    </configuration>
</plugin>

Create the following files with the content shown in the project's root folder (same location as pom.xml):

  • spotbugs-security-include.xml
<FindBugsFilter>
   <Match>
       <Bug category="SECURITY"/>
   </Match>
</FindBugsFilter>
  • spotbugs-security-exclude.xml (intentionally empty: an exclude filter that also matched the SECURITY category would suppress every finding the include filter selects)
<FindBugsFilter>
</FindBugsFilter>

Select 'Configure' for the Jenkins Maven Build job of any project and enter the following goal:

(screenshot: Index.png)

And the following 'Build Settings':

(screenshot: Index2.png)

Now when you run a build, you should see the following findbugs result:

(screenshot: Index3.png)
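As an added example (not from this wiki page, Jenkins or find-sec-bugs), the script below reads the XML report that the plugin configured above writes to target/spotbugsXml.xml, keeps only SECURITY-category findings (mirroring the include filter) and summarises them by priority; the embedded report is constructed sample data, and the class and bug-type values in it are illustrative.

```python
# Added example (not from the wiki page or find-sec-bugs): summarise the SECURITY
# findings in the SpotBugs XML report that spotbugs:spotbugs writes to target/spotbugsXml.xml.
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# SpotBugs priority codes; <threshold>Low</threshold> in the pom keeps all three.
PRIORITY = {"1": "High", "2": "Medium", "3": "Low"}

# Constructed sample report; the I18N entry shows the category filter working.
SAMPLE_REPORT = """<BugCollection version="3.1.1">
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" category="SECURITY">
    <Class classname="com.example.UserDao"/>
    <SourceLine classname="com.example.UserDao" start="42" end="42"/>
  </BugInstance>
  <BugInstance type="WEAK_MESSAGE_DIGEST_MD5" priority="2" category="SECURITY">
    <Class classname="com.example.Hasher"/>
    <SourceLine classname="com.example.Hasher" start="17" end="17"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="2" category="I18N"/>
</BugCollection>"""

def security_findings(report_xml):
    """Return (bug type, class, line, priority) for every SECURITY-category bug."""
    findings = []
    for bug in ET.fromstring(report_xml).iter("BugInstance"):
        if bug.get("category") != "SECURITY":
            continue  # mirror the include filter: SECURITY only
        cls = bug.find("Class")
        src = bug.find("SourceLine")
        findings.append((
            bug.get("type"),
            cls.get("classname") if cls is not None else "?",
            int(src.get("start", 0)) if src is not None else 0,
            PRIORITY.get(bug.get("priority"), "Unknown"),
        ))
    return findings

def summarise(findings):
    """Count findings per priority, e.g. {'High': 1, 'Medium': 1}."""
    return dict(Counter(f[3] for f in findings))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = security_findings(text)
    for bug_type, cls, line, prio in found:
        print(f"[{prio}] {bug_type} at {cls}:{line}")
    print(summarise(found))
    sys.exit(1 if found else 0)  # non-zero exit lets a Jenkins step gate on findings
```

Run it as `python summarise.py target/spotbugsXml.xml` after the build; without an argument it processes the embedded sample.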

ToDo

  1. html reporting
  2. gerrit comment hook (display result in gerrit comments)
  3. voting rights?