SpotBugs is the spiritual successor to FindBugs, the legendary Java static analysis tool that found real bugs in real codebases for over a decade. On its own, SpotBugs focuses on general code quality. Pair it with the Find Security Bugs plugin, and you get one of the most effective free security analysis tools available for Java.
Find Security Bugs: The Security Plugin
Find Security Bugs adds over 140 security-focused bug detectors to SpotBugs. These cover the OWASP Top 10, CWE Top 25, and Java-specific security anti-patterns. The detectors operate on Java bytecode, meaning they can analyze compiled code regardless of which JVM language produced it -- Java, Kotlin, Scala, and Groovy are all supported.
The critical detectors include:
SQL Injection (multiple variants). Find Security Bugs detects SQL injection through JDBC, JPA, Hibernate, MyBatis, and Spring Data. It tracks tainted data from HTTP parameters through to query construction, catching cases where user input flows into SQL strings even across method boundaries.
Cross-Site Scripting. Detects XSS in JSP pages, Servlet responses, Spring MVC views, and other output contexts. It distinguishes between reflected and stored XSS patterns.
Path Traversal. Flags file operations where the path includes unsanitized user input. Catches patterns like new File(request.getParameter("filename")) and more complex flows.
Deserialization. Detects use of Java native serialization (ObjectInputStream.readObject()) with untrusted data. Java deserialization vulnerabilities have been responsible for some of the most severe remote code execution bugs in the ecosystem.
Cryptographic Issues. Flags weak algorithms (DES, RC2, RC4), insufficient key sizes, ECB mode, static initialization vectors, and insecure random number generation. Also detects hardcoded cryptographic keys.
XXE (XML External Entity). Detects XML parsers configured without disabling external entity processing. This is a persistent problem in Java because the default configuration of most XML parsers is insecure.
Configuration for Real Projects
The default Find Security Bugs configuration reports everything at every confidence level. For a real project, you need to tune it.
Maven Configuration
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>4.8.3.1</version>
<configuration>
<effort>Max</effort>
<threshold>Medium</threshold>
<plugins>
<plugin>
<groupId>com.h3xstream.findsecbugs</groupId>
<artifactId>findsecbugs-plugin</artifactId>
<version>1.13.0</version>
</plugin>
</plugins>
</configuration>
</plugin>
Set effort to Max for the most thorough analysis. Set threshold to Medium to filter out low-confidence findings.
Gradle Configuration
plugins {
id 'com.github.spotbugs' version '6.0.7'
}
dependencies {
spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.13.0'
}
spotbugs {
effort = com.github.spotbugs.snom.Effort.MAX
reportLevel = com.github.spotbugs.snom.Confidence.MEDIUM
}
Triage Strategy
A first run on a mature Java project will produce hundreds of findings. Triaging them effectively requires a priority-based approach.
Priority 1: Injection vulnerabilities. SQL injection, command injection, LDAP injection, XPath injection. These are typically exploitable and high-severity. Investigate every finding.
Priority 2: Deserialization. If your application deserializes untrusted data using Java native serialization, this is a critical risk. Verify the data source carefully.
Priority 3: XXE. XML External Entity processing is dangerous and the fix is straightforward (disable external entities in the parser configuration). These should be quick wins.
Priority 4: Cryptographic issues. Weak algorithms and hardcoded keys. The severity depends on what is being protected. Review and remediate based on context.
Priority 5: Path traversal and file operations. Verify whether the file paths actually include user-controlled input. Many findings are false positives where the paths come from configuration or internal logic.
Common False Positive Patterns
Parameterized query false positives. Find Security Bugs sometimes flags SQL operations that use parameterized queries if the query string itself is constructed dynamically (even though the parameters are bound safely). Verify that parameters are actually bound before suppressing.
Internal API calls flagged as injection. When one internal service calls another, the input may be technically untrusted from the analysis perspective but is actually validated upstream. These require context to triage.
Test code. Test methods that intentionally exercise dangerous patterns (like testing that XXE protection works) will be flagged. Exclude test classes from the scan.
CI/CD Integration
Run SpotBugs with Find Security Bugs as part of your build pipeline. For the build gate, focus on high-confidence findings in the injection and deserialization categories. Use a quality gate that fails the build only on findings above a certain severity and confidence threshold.
Export results in SARIF format for integration with GitHub Code Scanning or GitLab SAST dashboards. This provides a centralized view of security findings across repositories.
How Safeguard.sh Helps
Safeguard.sh complements SpotBugs by covering the dependency layer of your Java security posture. While SpotBugs finds insecure patterns in your own code, Safeguard.sh monitors Maven and Gradle dependencies for known vulnerabilities, detects dependency confusion risks, and generates SBOMs that map your complete Java supply chain. Together, they cover both your code and the libraries it depends on.