Configure spotbugs

CHANGELOG.md

@@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased] - 2023-07-28
+## [Unreleased] - 2023-08-04
 
 ### Added
 
@@ -19,6 +19,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Dependencies
 
 ### CI/CD
+* Integrated SpotBugs into build process.
+* Integrated Find Security Bugs into build process.
 
 ### Other
 

README.md

@@ -82,6 +82,15 @@ To include generation of a code coverage report during the build,
 execute `mvn package -Pcoverage` at the root of the repository to 
 enable a Maven profile that executes JaCoCo during the test phase.
 
+To run all static analysis tools (i.e., SpotBugs, Find Security Bugs, 
+refactor-first), execute `mvn package -Panalysis` to enable a Maven 
+profile that executes the various static analysis tools that we are 
+using. The SpotBugs html report will be found in the `target` directory, 
+or you can use the SpotBugs GUI with: `mvn spotbugs:gui -Panalysis`. The 
+refactor-first report will be found in the `target/site` directory.
+
+To run all of the above: `mvn package -P "analysis,coverage"`.
+
 ## Example Programs
 
 There are several example programs available in a separate repository:

pom.xml

@@ -182,7 +182,7 @@
 			</build>
 		</profile>
 		<profile>
-			<id>refactor</id>
+			<id>analysis</id>
 			<build>
 				<plugins>
 					<plugin>
@@ -202,6 +202,30 @@
 							</execution>
 						</executions>
 					</plugin>
+					<plugin>
+						<groupId>com.github.spotbugs</groupId>
+						<artifactId>spotbugs-maven-plugin</artifactId>
+						<version>4.7.3.5</version>
+						<configuration>
+							<htmlOutput>true</htmlOutput>
+							<excludeFilterFile>${session.executionRootDirectory}/spotbugs-exclude.xml</excludeFilterFile>
+							<plugins>
+								<plugin>
+									<groupId>com.h3xstream.findsecbugs</groupId>
+									<artifactId>findsecbugs-plugin</artifactId>
+									<version>1.12.0</version>
+								</plugin>
+							</plugins>
+						</configuration>
+						<executions>
+							<execution>
+								<phase>test</phase>
+								<goals>
+									<goal>spotbugs</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
 				</plugins>
 			</build>
 		</profile>

spotbugs-exclude.xml

@@ -0,0 +1,14 @@
+<FindBugsFilter>
+  <!-- Methods for reading/writing instance files, filename responsibility of caller. -->
+  <Match>
+    <Bug code="SECPTI,SECPTO" />
+	<Package name="org.cicirello.search.problems.scheduling" />
+  </Match>
+
+  <!-- False positive exposed representation -->
+  <Match>
+    <Bug pattern="EI_EXPOSE_REP" />
+	<Class name="org.cicirello.search.concurrent.TimedParallelMultistarter" />
+	<Method name="getSearchHistory" />
+  </Match>
+</FindBugsFilter>