I’ve been juggling far too many projects, but I’m now working to move FindBugs back into the active rotation.
I also want announce I'll be working with GrammaTech as part of the Swamp Project, and they will be helping with rebooting the FindBugs project. This has been in the works for a long time (almost a year), and although I’ve known that GrammaTech was likely to win an award, this hasn’t been official and something I could talk about until recently. Was hoping to have something a little more concrete to talk about as far as that goes; but I don’t yet have the information I wanted to share.
Thanks to all the FindBugs fans and supporters who lobbied for me to return to active maintenance of FindBugs. Give me a week to get up to speed on current project needs.
Bill Pugh
I don't mean to denigrate you, but I must be candid here: hoarding admin rights so that only you have them and no one else can get any work done is simply not acceptable in a team environment.
Going forward, I would recommend taking a look through other projects you may be involved with, and make sure that you are not the only person with admin access. If nothing else, it would increase the "bus factor" to greater than 1: https://en.wikipedia.org/wiki/Bus_factor
Good luck.
https://github.com/google/error-prone
http://errorprone.info/bugpatterns
Pros:
* has faster cycle times and integrates into compilation workflow
* emits fewer false positives
* active maintainers fix issues
* releases several times per year
* FindBugs has a greater breadth of checks
* current error-prone releases only work with Java 8This turns out to be really quite relevant if you're building domain-specific static analysis checks, as opposed to just running standard analyses.
Can you provide more information on how this is achieved? As far as I know there is no official, supported, portable API for Java compilers. The only thing I'm aware of is APT and anything beyond that would require significant rearchitecture of the existing compilers.
I'm assuming that means it will only run on the JVM8, but it can analyze any version of Java code?
[1] https://mailman.cs.umd.edu/pipermail/findbugs-discuss/2016-N...
A previous response in the thread [1] also contains "hard fork", which is probably why I and possibly others have repeated it here.
It could be a trend, but my differentiation (here at least) is that a "hard" fork means that the maintainers themselves are splitting from the original project while also forking the original code base.
It would probably make more sense to just call it a "fork" :).
[1]: https://mailman.cs.umd.edu/pipermail/findbugs-discuss/2016-N...
While Coverity does incorporate Findbugs results, it also has its own analyzer that does much more interprocedural analysis and tends to be tuned better for fewer false positives and more accurate error messages. Historically at least, part of the reason for incorporating Findbugs was to make it easier to directly compare what Findbugs found with what Coverity's analyzer found. Because every customer wanted to know that.
I have no idea of current figures but historically Java was not a big business for Coverity. Other vendors had much more Java business (and incidentally also incorporated Findbugs results).
Finally, as you can see from the message the Findbugs leadership does not seem unified and easy to collaborate with.
So forgive me but I find your comment and its tone a bit unfair.
It might seem unfair, but you stated that "every customer wanted to know that". So that project has value to you.
In all the companies I have worked through my career thus far, not a single one has contributed back in any form to the pile of FOSS libraries that they were using.
My team at EvilCorp contributes fixes to several open-source libraries. The reason this happens, though, is that two of our stronger devs said "the correct thing to do is to take the time to get these fixes into mainline," which they did. The answer to the question of "why" we do it isn't "because it increases our team velocity," but because we're software engineers, and that's what good software engineers do whenever possible.
5 of them are over a year old. Most of them had no review by the development team, and many of those that did, got stuck on Bill, for instance, trying to get Travis enabled: https://github.com/findbugsproject/findbugs/pull/48#issuecom...
There is no incentive to contribute to a project in such poor shape.
SonarQube abandoned FindBugs mainly because it was low on activity:
"FindBugs project activity: The activity on the project is quite low and thus the value coming out of it does not come fast enough to satisfy our users."
http://www.sonarqube.org/sonarqube-java-analyzer-the-only-ru...
Most successful projects in FOSS with many downloads get virtually no contributions or financial support back. Even the largest ones have an enormous user to contributor ratio with almost all benefits going to the users. Therefore, it's the status quo for open-source in general. Those getting tons of contributions and development without a company behind them are extremely rare.
I had a great article on this before my crashed HD deleted newer bookmarks. It was a woman that surveyed many popular projects to ask about their status. Most complained they were barely getting by, the developer(s) stretched thin, tons of requests without accompanying payment/support, and mostly no contributors. I'd like a link to that article if any readers know which one I'm talking about.
I hope they can get a new project off the ground and can start rebuilding. We're approaching a time where JVM static analysis tools are going to have to start making some big changes to support upcoming features, and it will be a pity if some version of FB or a successor isn't there.
Once setup though, the quality of analysis is absolutely outstanding.
Why not just create a twitter account and do it yourself? WTF?
edit: presumably one of the downvoters is working right this minute to contact Bill Pugh via Twitter and put him in touch with the author, because that totally makes sense
https://twitter.com/search?f=tweets&vertical=default&q=%22%4...
One of the reasons is that the code is hard to maintain with most open source contributions being small improvements. How have other open source projects handled large scale refactors? Is it as simple as someone creating something new from scratch and then duplicating functionality? Are there examples of large open source projects that have had ground up rewrites?
Just for ad-hoc analysis in Java IntelliJ's code inspector IMO works quite well. It's also available in the community edition, so all of that code is open source: https://www.jetbrains.com/help/idea/2016.2/code-inspection.h...
well, netscape navigator turned into firefox. it cost them dearly (in terms of market share), but there wasn't much of an alternative (joel spolsky might not agree on that).
http://stackoverflow.com/questions/4297014/what-are-the-diff...
So one of the two active contributors left to start his own rewrite of the project, and this post is the other active contributor saying he definitely doesn't have enough time to keep doing this on his own.
If there's no association with the old project's name or references from it to the new project, then whatever came from it would probably not use the name "FindBugs", and either way, the original project ends up dead.
Many of our checks are essentially working around problems with the language or API design. For example, our ForOverride checker (http://errorprone.info/bugpattern/ForOverride) addresses the fact that existing Java visibility modifiers are not expressive enough for some things the Guava team wanted to do. Our HashtableContains checker (http://errorprone.info/bugpattern/HashtableContains) addresses an issue with a poorly-named method in the old Hashtable API, which really should be deprecated but is infeasible given the old code that uses it.