A Student's Guide to Software Engineering Tools & Techniques »


Author: Xiao Pu, Shradheya Thakre


FindBugs is a static analysis tool to find bugs in Java programs. It looks for 'bug patterns' in the code and signals possible violations. Potential errors are classified in four ranks:

  1. scariest
  2. scary
  3. troubling
  4. of concern

This is a hint to the developer about their possible impact or severity. For example, the bug 'null pointer dereference' has the pattern — A program declares a non-nullable variable but assigns null to the variable somewhere and uses it later.


The "bug patterns" can be divided into nine groups:

  1. Bad practice
  2. Correctness
  3. Experimental
  4. Internationalization
  5. Malicious code vulnerability
  6. Multithreaded correctness
  7. Performance
  8. Security
  9. Dodgy code

Refer to FindBugs official documentation for a comprehensive list of bugs and the explanation of each bug.

FindBugs analyses bytecode in compiled Java .class file and checks multiple files at the same time. This is unlike CheckStyle or PMD which can only check files one by one and analyse Java source code, allowing FindBugs to spot errors that would have been missed by CheckStyle and PMD. For example, one of the bug patterns in FindBugs is RCN: Redundant nullcheck of value known to be non-null. FindBugs will analyse all the assignments to a particular variable in the code base and then check whether the nullcheck for the variable is redundant or not.

Examples of Bugs That Can Be Found Using FindBugs

Incorrectly Overriding Methods

Consider the following code:

class Foo {
    //... data members ...
    //... methods ...

    //Overriding equals method - the wrong way
    public boolean equals(Foo foo) {
        //... logic ...

In the above code, if foo.equals() method is called, the equals() method of Object class rather than Foo class will be called. This is due to the way the Java code resolves overloaded methods at compile-time. FindBugs warns the developer of possible cases when a class defines a co-variant version of the equals() or compareTo() method.

Find Hash-Equals Mismatch

The hashCode() and equals() method are called by many Collection based classes like - List, Maps, Sets, etc. FindBugs helps in finding problems when a class overrides the equals() but not the hashCode() method or vice-versa. Overriding only one of the equals() or hashCode() method can cause methods of Collection based classes to fail and hence FindBugs helps in reporting these errors at an early stage

Return Value of Method Ignored

FindBugs helps in finding places where your code has ignored the return value of method when it shouldn't have been.

1 String s = "bob";
2 s.replace('b', 'p');
3 boolean isCorrect = s.equals("pop"); //isCorrect is `false`

In the above examples, one would assume that the variable isCorrect is assigned true because the line 2 replaces b with p. However since strings are immutable, the replace() function actually returns a new string with updated value rather than updating the string the method is called on.

Hence, line 2 should be String newString = s.replace('b', 'p'); //newString ="pop"

Null Pointer Dereference

FindBugs looks for cases where a code path will or could cause a null pointer exception.

1  Person person = aMap.get("bob");
2  if (person != null) {
3      person.updateAccessTime();
4  }
5  String name = person.getName();

In the above example, the aMap may or may not contain "bob", so FindBugs will report possible NullPointerException at line 5

How to Use It?


You can tell FindBugs which bug patterns to exclude and include by using FilterFiles. By default, if no filter files are provided, FindBugs will run all checks.

Suppress Warnings

You can use filter files with exclude option in FindBugs as discussed above to suppress warnings.

In addition, you can also use SuppressWarnings annotation to filter out unwanted violations.


There are several ways to run FindBugs.


Command Line:

Build Automation Tools:

IDE Integration:

SpotBugs - The Successor of Findbugs

On November 2016, FindBugs was declared dead and SpotBugs was declared as its successor in September 2017.

The current projects using FindBugs can make a shift to SpotBugs by following the migration manual

Advanced Topics

  • Data mining of bugs with FindBugs: The data for each analysis will be collected and you can use these statistics for data mining.
  • Configure Analysis Properties: You can define properties to configure options for some checks. For example, you can define the assertion methods in your project so that null pointer dereference bug detector will not raise violations if assertion methods are used.
  • Use annotations: You can use annotations to indicate your intents so that FindBugs can issue warnings more appropriately.
  • Writing custom detectors: You can follow the tutorial step by step to write your customised detector.