Problem:
SpotBugs has a large number of detections, as a result of which it comes with a good number of false positives too. These false positives (e.g., RCN_REDUNDANT_NULLCHECK) are currently suppressed in config/spotbugs-exclude.xml to unblock CI/CD pipelines. These violations appear in mvn test-compile spotbugs:check but are hidden in mvn verify due to differences in bytecode generation during later build phases (e.g., optimizations, annotation processing). While suppressed, these exclusions mask real code issues that need resolution.
The discrepancy in SpotBugs violations between mvn verify and direct invocation (mvn test-compile spotbugs:check) stems from:
- Incomplete Code Generation: Plugins generating code/resources (e.g., annotation processors, custom tasks) may not execute fully during test-compile, leading to raw bytecode with unresolved issues.
- Outdated Build Tooling and Deprecated Plugins: The sunsetted Sonatype parent POM and end-of-life Nexus/Artifactory plugins cause technical debt, overrides, and potential misconfigurations.
- Ant/Exec Plugins: These may bypass Maven’s lifecycle, skipping critical steps (e.g., codegen) and destabilizing builds.
- SpotBugs Evolution: Newer SpotBugs versions detect more patterns, exposing previously hidden issues (some legitimate, others false positives).
In scope of this issue, it is required to resolve all suppressions that were added in #16665
The reason we didn't notice/resolve it before is SpotBugs execution after the jacoco plugin: spotbugs/spotbugs-maven-plugin#806
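
An added example, not code from the project or from the issue author: one way to turn a SpotBugs filter file such as config/spotbugs-exclude.xml into a worklist, grouping suppressions by bug pattern and flagging entries that have no class or package scope. The embedded filter is a constructed sample with hypothetical class names; the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the SpotBugs filter-file format; the class names are
# hypothetical and not taken from the project's real config/spotbugs-exclude.xml.
SAMPLE_FILTER = """
<FindBugsFilter>
  <Match>
    <Class name="com.example.TreeWalker"/>
    <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE"/>
  </Match>
  <Match>
    <Class name="~com\\.example\\.gui\\..*"/>
    <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE,NP_NULL_ON_SOME_PATH"/>
  </Match>
  <Match>
    <Bug pattern="EI_EXPOSE_REP"/>
  </Match>
</FindBugsFilter>
"""


def local(tag):
    """Strip an XML namespace prefix, since filter files may declare one."""
    return tag.rsplit("}", 1)[-1]


def inventory(xml_text):
    """Map each suppressed bug pattern to the scopes it is suppressed for."""
    worklist = defaultdict(list)
    for match in ET.fromstring(xml_text).iter():
        if local(match.tag) != "Match":
            continue
        nodes = list(match.iter())
        scopes = [n.get("name") for n in nodes if local(n.tag) in ("Class", "Package")]
        # A Match with no Class/Package silences the pattern for the whole build.
        scope = ", ".join(scopes) if scopes else "<GLOBAL>"
        for bug in (n for n in nodes if local(n.tag) == "Bug"):
            # The pattern attribute may hold a comma-separated list.
            for pattern in (bug.get("pattern") or "").split(","):
                if pattern.strip():
                    worklist[pattern.strip()].append(scope)
    return dict(worklist)


if __name__ == "__main__":
    for pattern, scopes in sorted(inventory(SAMPLE_FILTER).items()):
        print(f"{pattern}: {len(scopes)} suppression(s) -> {scopes}")
```

Entries reported as `<GLOBAL>` are the ones most likely to hide a real finding, since they suppress the pattern everywhere rather than for a reviewed class.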