FindBugs

Basic Information
A static analysis tool to find bugs in Java programs developed at The University of Maryland.

Tool first release date: 2003-12-03
Version release date: 2015-03-06
Software cost: Free
Software license: GNU LGPL
Hosting: Self-Hosted
Supported operating systems: Linux, Windows
Process Integration
Deployment model: Workstation, CI Server
Analysis inputs: Pre-compiled binary
Display results in IDE: Eclipse, NetBeans
Pre-commit invocation from workstation
CI Integration: Jenkins
Can schedule scans
API method to report results in SARIF format
API method to report results in XML/JSON/CSV format
Coverage
Claimed CWE coverage notes: Checks for 423 bug patterns
Supported programming languages: Java
Claimed Weakness Coverage
Claimed Weakness Coverage information hasn't been collected yet for this analyzer.
Checker Customization
Can disable checkers
Can customize checker logic
First-class API to create new checkers
Speed & Scalability
Parallelizes on one host
Parallelizes across more than one host
Scan duration times courtesy of the
BodgeIt Store v1.4.0: 2 min 9 sec
Broadleaf Commerce v3.0.3: 14 min 16 sec
hadoop v.1.1.2: 16 min 59 sec
Jenkins v1.534: 17 min 6 sec
JSP Wiki v2.5.139: 4 min 12 sec
OWASP Benchmark v1.2beta: 9 min 34 sec
scarab v1.0.22-RC1: 5 min 17 sec
Web Application Vulnerability Scanner Evaluation Project v1.2: 3 min 11 sec
WebGoat v5.4-1: 5 min 29 sec
Yazd v1.0-swamp.1: 3 min 10 sec
Results Quality
Provides explanation of warning
Provides severity of warning
Provides confidence information about warning
Provides code context around warning
Provides code coverage information per checker
OWASP Benchmark v1.2
Total Tests: 2,740
Precision: 0.53
Recall: 0.11
Accuracy: 0.49
F1 Score: 0.18
11 of 100 issues found; 9 false positives
If there were 100 issues in a code base, FindBugs would report 11 of them and miss the other 89. In addition, it would generate warnings for 9 issues that don't really exist.
Reporting
Results suppression even after code changes
Show differences in results set to previous scan
Integration with external remediation bug tracker: None
Graphical user interface (GUI)
Ability to search results
Filter results by compliance standard: None
Centralized reporting
Support
Installation guide or documentation
User/operator guide or documentation
Integration guide or API documentation
Open source project health