NPE in FindBugs 3.11

UPDATE: FB 4.0.0 seems to work fine. Even FB 3.11.1 may not be generating NPE, just a message about missing classes.

We upgraded to SQ 7.9.3 and so far it looks good, we have successful scans from Jenkins pipelines. One issue we notice is an NPE (trace below) in Findbugs v3.11.1 plugin (Analyze Java, Scala, Closure and JSP code with SpotBugs. 3.1.12). This seems to match and a few similar issues. We do indeed use Spring (jhipster 6.6.0 stack).

Now I know this is Sonarqube forum and each plugin team can respond better on which version the fix is or will be in, but I’m just curious in general:

  1. Did anyone encountered and solved it
  2. How likely is it that if I upgrade the jar it will still be compatible (SQ seems to think its up to date)
  3. What are my other options if any, workarounds, etc - short of disabling the plugin.

Here is the stacktrace:

Exception analyzing using detector com.h3xstream.findsecbugs.spring.SpringEntityLeakDetector
At com.h3xstream.findsecbugs.spring.SpringEntityLeakDetector.analyzeMethod(
At com.h3xstream.findsecbugs.spring.SpringEntityLeakDetector.visitClassContext(
At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(
At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(
At edu.umd.cs.findbugs.FindBugs2.execute(
At org.sonar.plugins.findbugs.FindbugsExecutor$
At java.base/
At java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(
At java.base/java.util.concurrent.ThreadPoolExecutor$
At java.base/
The following classes needed for analysis were missing:

Thank you!

I noticed that FindBugs 4x seems compatible with Sonarqube 7.9.3. Will try it out as well. Interesting that the “Marketplace” section of our SQ 7.9.3 installation only sees the installed Findbugs 3.11.1, even though I selected “All” tab. I was hoping it will allow me to quickly install the 4x version and confirm the compatibility.

Tried FB 4.0.0, seems to be working fine for us.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.