This documentation applies to Codacy Self-hosted

For the latest updates and improvements, see the latest Cloud documentation instead.

Run SpotBugs

Codacy Self-hosted running on Docker stopped being supported on February 16, 2021. Click here for updated documentation on how to install and configure Codacy Self-hosted on Kubernetes or MicroK8s. If you are a current customer and have any questions regarding the migration process, please reach out to your CSM or success@codacy.com for more information.

SpotBugs is available for Codacy Self-hosted, with the following plugins: Find Security Bugs and FBContrib.

To run this tool, you simply need to compile your Java or Scala repository on your build server, as you would normally do, and then invoke the codacy-analysis-cli on the root of the repository specifying the tool SpotBugs.

codacy-analysis-cli analyse --tool spotbugs \
                            --directory <SOURCE-CODE-PATH> \
                            --project-token <PROJECT-TOKEN> \
                            --allow-network \
                            --codacy-api-base-url <API-BASE-URL> \
                            --upload \
                            --verbose

The Codacy CLI will then run SpotBugs on the compiled classes of your repository, parse the results and if you set up the push results options, these results can be sent to Codacy and used in the analysis for the Self-hosted version.

Detecting Sources and Compiled Classes

Codacy tries to find the classes and map results to the files automatically. If you use Maven, Gradle and SBT then the default layouts are detected automatically as well.

You have the option to configure these paths manually if there is an issue with detection. To do so, add Codacy configuration file  to the repository root - .codacy.yml:

---
engines:
  spotbugs:
    enabled: true
    modules:
      - classesDirectories: [ "core/target/classes" ]
        sourceDirectories:  [ "core/src/main" ]
      - classesDirectories: [ "api/target/classes" ]
        sourceDirectories:  [ "api/src/main" ]

Increasing the timeout to run SpotBugs

When running SpotBugs on the compiled classes of larger projects, the default execution timeout of 15 minutes may not be enough for SpotBugs to complete the analysis.

To increase the timeout that each tool has to execute, use the option --tool-timeout when invoking the codacy-analysis-cli command.

For example, to set the timeout to 1 hour, run:

codacy-analysis-cli analyse --tool spotbugs \
                            --tool-timeout 1hour \
                            --directory <SOURCE-CODE-PATH> \
                            --project-token <PROJECT-TOKEN> \
                            --allow-network \
                            --codacy-api-base-url <API-BASE-URL> \
                            --upload \
                            --verbose

Please reach out if you need help with anything.

Share your feedback 📢

Did this page help you?

Yes No

Thanks for the feedback! Is there anything else you'd like to tell us about this page?

Send 255 characters left

We're sorry to hear that. Please let us know what we can improve:

Send 255 characters left

Alternatively, you can create a more detailed issue on our GitHub repository.

Thanks for helping improve the Codacy documentation.

If you have a question or need help please contact support@codacy.com.

Last modified February 25, 2021