Saturday, June 25, 2016

Static Code Analysis for Java using FindBugs Plugin and Identifying Security Bugs with FindSecurityBugs Plugin

When writing code, it is important to make sure that your code is bug free and secure. When the size of the code base increases, it is difficult to manually go through each and every line of code to verify that the code is safe and written following the best practices. In such cases, we can get help from tools that would do this for you. FindBugs [1] is one such tool for static code analysis to look for bugs in Java code and it is also free. FindBugs is available as plugins for the IDEs you use (i.e Eclipse, IntelliJ IDEA etc.), so that while writing code, you can run an analysis and spot the bugs and fix immediately.

In this post I will be showing how to install FindBugs plugin in IntelliJ IDEA and perform a code analysis. I will also show how to use the FindSecurityBugs [2] plugin that comes within FindBugs for identifying the security weaknesses and bugs in your code.

Once you open IntelliJ IDEA, you can go to Configure -> Plugins in the opening window. 

If you have already opened a project in IntelliJ IDEA, you can go to File -> Settings and in the left panel of the Settings window, select Plugins.

You can install the FindBugs plugin in two ways. If you have an internet connection, you can click on Browser repositories button and get the plugin installed. If not you can download the FindBugs plugin for IntelliJ IDEA [3] and go with Install plugin from disk option where you can browse and provide the already downloaded plugin.

When you go with Browse repositories option, you can search for the findbugs plugin and select FindBugs-IDEA and get it installed. 

Once you have installed the FindBugs plugin in IntelliJ IDEA, in the bottom of the IDE you will see the FindBugs-IDEA button. Upon clicking on it you can see all the settings of it in a panel.  

Now we have to enable the FindSecurityBugs plugin which comes with FindBugs. This is for finding the security bugs in your code. Click on Plugin Preferences button.

Under the Plugins section of the General tab, click on the + button and select Add Find Security Bugs.

Once the FindSecurityBugs plugin is added, click on Apply and then OK.

Now we have successfully installed FindBugs plugin in IntelliJ IDEA and also have enabled the FindSecurityBugs plugin in it. Let’s perform a static code analysis and get to know all the bugs we have in the code.

For this demonstration, I am using the OWASP Web Goat [4] project which is a Java web application developed for security testing purposes which is plagued with lots and lots of security bugs.

I have opened the Web Goat project in IDEA and for running FindBugs on the project, I right click on the project and go to FindBugs -> Analyze Scope Files. With this, the scanning will happen only under the selected folder. You can also go with Analyze Module Files which would scan the particular module you have selected and also Analyze Project Files which would scan the entire project. 

Once the static scan is completed, you can see the identified bugs in FindBugs-IDEA panel. Since we have enabled the FindSecurityBugs plugin, it will list all the identified security issues under the Security category. 

The security issues will be categorized from the type of vulnerability. You can expand each category and double click on a particular issue to find more information about it.

It would show the piece of code that is having the vulnerability and also it would suggest the solution. In the right hand side panel, you can click on the link describes the vulnerability and it would open the detailed web page in the browser. In that, you can find references to the associated CVE (Common Vulnerability Exposures) [5] or CWE (Common Weakness Enumeration) [6] as well.

You can export the reported bugs for further analysis. For that, click on the Export Bug Collection to XML/HTML button.

You have to provide a file path to store the exported files. You can export the reports in HTML and/or XML format.

A generated report would look like below.

In you go to the Security Warnings section, you can see a detailed explanation for each identified security issue. 

When writing code, it is important to use these kind of tools to identify potentials risks in your code and produce high quality code that is safe to use.


Tharindu Edirisinghe
Platform Security Team


  1. This is great Code Analysis review.
    I was trying to get in touch with you to see if you share you expert opinion on our new Static Analysis tool CodeIt.Right
    Please let me know if you are interested and I will provide you with details.
    run code analysis

    1. Hi Aeldra,
      I'm interested, please share the details with me. You can reach me via Twitter

      Best Regards !