FindBugs Static Analyzer and AWARE in Eclipse


Laurie Williams and Sarah Heckman
CSC 326 - Software Engineering
Department of Computer Science
North Carolina State University



0.0 Outline
1.0 Background of FindBugs and AWARE
2.0 Installing FindBugs+AWARE Plug-in
3.0 Running FindBugs
4.0 FindBugs Options
5.0 Using AWARE
6.0 Bug Descriptions
7.0 Resources

1.0 Background of FindBugs and AWARE

The authors of FindBugs have made some observations on why relatively obvious and embarrassing bugs occur when writing Java programs:

  • Everyone makes dumb mistakes
  • Java offers many opportunities for latent bugs
  • Programming with threads is harder than people think

They share more details on these reasons in their paper called "Finding Bugs is Easy," which also gives their methods for implementing FindBugs. FindBugs is a static analysis tool that is both a stand-alone Java application and an Eclipse plug-in. Using the Visitor Pattern (Wikipedia), FindBugs looks for different "bug patterns" in the bytecode of your Java project. Each pattern visits each source file looking for matches.

There are four strategies that FindBugs uses to find vulnerabilities in Java bytecode:

  • Class Structure and Inheritance Hierarchy: this strategy looks at the hierarchy of classes in the project without looking at the code in the classes.
  • Linear Code Scan: a linear scan of the bytecode is made, and a state machine tracks the instructions visited so far.
  • Control Sensitive: a control flow graph is made of the program, and the patterns are compared to the control flow graph. A control flow graph is a graph of all possible paths through the program.
  • Dataflow: these patterns use the control flow and dataflow graphs generated from analyzing the program. A dataflow graph looks at when data is created, used, and destroyed.

FindBugs is able to find six different categories of vulnerabilities:

  • correctness
  • internationalization
  • malicious code vulnerabilities
  • multithreaded correctness
  • performance
  • style

All static analysis tools have the drawback of a high number of false positives (warnings about correct code); however, FindBugs has a lower false positive rate than other static analysis tools.
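The categories above are easiest to see on concrete code. The following is an added example, not code from the tutorial or from FindBugs itself: each small Java method shows a mistake FindBugs reports in one of the listed categories, beside its corrected form. The pattern codes in the comments are the names FindBugs uses on its Bug Descriptions page; the class name, method names and sample values are made up for illustration.

```java
import java.util.Arrays;

public class FindBugsExamples {
    // correctness: == on Strings compares object identity, not contents,
    // so it fails for an equal String built at runtime (ES_COMPARING_STRINGS_WITH_EQ).
    static boolean isAdminBuggy(String role) {
        return role == "admin";
    }
    static boolean isAdminFixed(String role) {
        return "admin".equals(role);   // content comparison, also null-safe
    }

    // malicious code vulnerability: handing out the internal array lets any
    // caller rewrite this object's state from outside (EI_EXPOSE_REP).
    private final byte[] secret = {0x01, 0x02, 0x03};  // constructed sample value
    byte[] getSecretBuggy() {
        return secret;
    }
    byte[] getSecretFixed() {
        return secret.clone();          // callers only ever get a copy
    }

    // multithreaded correctness: counter is written under the monitor but read
    // without it, so a reader may see a stale value (IS2_INCONSISTENT_SYNC).
    private int counter;
    synchronized void increment() { counter++; }
    int readBuggy() { return counter; }
    synchronized int readFixed() { return counter; }

    // performance: += on a String in a loop re-copies the accumulated text on
    // every iteration (SBSC_USE_STRINGBUFFER_CONCATENATION).
    static String joinBuggy(String[] parts) {
        String out = "";
        for (String p : parts) out += p;
        return out;
    }
    static String joinFixed(String[] parts) {
        StringBuilder sb = new StringBuilder();
        for (String p : parts) sb.append(p);
        return sb.toString();
    }

    public static void main(String[] args) {
        FindBugsExamples ex = new FindBugsExamples();
        System.out.println(isAdminBuggy(new String("admin")) + " vs " + isAdminFixed(new String("admin")));
        ex.getSecretBuggy()[0] = 0x7f;   // mutates ex.secret through the leaked reference
        ex.getSecretFixed()[0] = 0x00;   // mutates only the copy
        System.out.println(Arrays.toString(ex.secret));
    }
}
```

Running FindBugs over this class as described in Section 3 is a quick way to confirm the plug-in is working: the Buggy methods are expected to produce alerts in the listed categories, the Fixed ones are not.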

AWARE is a wrapper for the FindBugs application and was developed at North Carolina State University. AWARE collects alerts from FindBugs and displays them to the user with some additional information, including a ranking and a severity. AWARE also collects usage data on Eclipse.


2.0 Installing FindBugs+AWARE Plug-in

Use the AWARE update site to install.

Start Eclipse. Choose Help > Software Updates > Find and Install > Search for new features to install > New Remote site.

Name: AWARE; URL: http://www.realsearchgroup.org/aware/AWARE/Java/AWARE-UPDATE/

Alternatively, you can use the FindBugs update site, which does not contain any of the AWARE functionality described in this tutorial.

Name: FindBugs; URL: http://findbugs.cs.umd.edu/eclipse/

Click OK, verify that only FindBugs is checked, click Finish.

For more information on installing plug-ins in Eclipse, see this Tutorial on the subject.

3.0 Running FindBugs+AWARE

There are two ways to run FindBugs. The first involves selecting the option to run FindBugs every time you want to statically analyze your code. The other way is to have FindBugs run in the background after every Java resource change.

To run FindBugs:

3.1 Right click on the project. Select FindBugs > FindBugs (see Fig. 3a below). FindBugs will run in the foreground, blocking all other development. If you have a large project, it may take a few minutes for FindBugs to complete.

Note: FindBugs runs its full analysis once, and then only analyzes files that change in your project -- so it will be much faster after the initial analysis. However, FindBugs will have to re-run its full analysis every time you log in on a lab machine because the Eclipse workspace is cleaned. This will not happen on a personal machine.


Figure 3a

To run FindBugs continuously in the background:

3.2 Right click on the project. Select Properties > FindBugs. Check the Run FindBugs automatically box (see Fig. 3b below). This will cause FindBugs to run every time a resource in a project is modified.


Figure 3b

4.0 FindBugs Options

FindBugs gives you the option of selecting which of the bug patterns that you want the plug-in to look for in your code.

4.1 Right click on the project. Select Properties > FindBugs (see Fig. 3b above).

4.2 You may choose the minimum priority of a bug to report. The default is medium. Raising the minimum priority reduces the number of false positives among the reported bugs.

4.3 The category of vulnerability to search for may also be selected. For example, if you are more concerned with performance problems and you have a large project, you may want to look only for performance vulnerabilities. Each bug pattern maps to exactly one category.

4.4 Lastly, you can select the specific patterns that you want the plug-in to look for. Several of the patterns take longer to run than others, so you may want to take this into consideration when selecting which patterns to look for. More information about the patterns, including their speed, is on the Bug Descriptions page.

5.0 Using AWARE

AWARE collects compiler errors and FindBugs static analysis alerts, allows the user to filter out alerts, and keeps track of which alerts have been fixed.

5.1 In the Eclipse menu bar, select Window > Show View > Other. Expand the folder named 'AWARE' and select all of the nodes beneath it and press OK.


Figure 5a

5.2 You should now see the open AWARE views in the view tray. The "AWARE Alerts" view will show all open FindBugs and compiler alerts.


Figure 5b

AWARE allows you to filter out alerts that you do not consider important or do not want to be bothered with any more. If you see an alert that you want to remove from the alert view, right click the alert and choose Suppress Alert, which moves the alert from the Alerts view to the Suppressed Alerts view. You can also unfilter an alert by right-clicking it in the Suppressed Alerts view and selecting Unsuppress Alert.




Figure 5c (In these images, "Filter" replaces the word "Suppress")

If you want to see the line of code that is marked with an alert, you can double click that alert in the Alerts view and AWARE will bring up the line of code the alert references.

When you fix an alert, the alert will disappear from the Alerts view and will be added to the Closed Alerts view.

AWARE also collects information about how you use Eclipse, such as what you are clicking on in Eclipse, which views and perspectives you are using, when you run a command, etc. AWARE does NOT collect any personal information or source code: only your activity. If you would like to disable the usage monitoring, simply toggle the Usage Logging button in the Eclipse toolbar to off.


Figure 5.4 AWARE usage logging

6.0 Bug Descriptions

Go to the FindBugs website to see a listing of the bug descriptions.


7.0 Resources

Getting Started with Eclipse Tutorial ©2009 North Carolina State University, Laurie Williams, Sarah Heckman and Ben Smith.
Email the authors with any questions or comments about this tutorial.
Last Updated: Thursday, October 19, 2006 6:03 AM