Save time running FindBugs by excluding SQL checks

FindBugs is a great tool to help you find tricky problems with your Java code, as well as to learn more about Java best practices. Unfortunately, for a large codebase, FindBugs can be extremely slow, often taking several minutes to run. In the last few years, the Java projects I’ve worked on haven’t made use of SQL databases, and I recently discovered that FindBugs’ checks against SQL injection make up a major portion of the overall runtime for the tool. Try creating a findbugs-exclude.xml file, and putting the following in it:

<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter>
  <!-- We don't use SQL or JDBC, so remove these very expensive bug detectors. -->
  <Match>
    <Bug code="SQL,ODR" />
  </Match>
  <Match>
    <Bug pattern="DMI_CONSTANT_DB_PASSWORD,DMI_EMPTY_DB_PASSWORD" />
  </Match>
</FindBugsFilter>

In my experience, this shaved a whole minute off a multi-minute FindBugs run, with no downside since we don’t use any SQL or JDBC. Of course, if you do use those technologies, these scans are probably still worth the time!
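The filter is only safe while the codebase stays free of JDBC, so a build can check that before trusting it. The following is an added example, not code from the original post: it reads the exclude filter and flags any Java source that references java.sql or javax.sql while the SQL checks are excluded. The function names, the sample sources and the rule "a reference to those packages means JDBC is in use" are assumptions made for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Bug codes and patterns suppressed by the filter on this page.
SQL_CODES = {"SQL", "ODR"}
SQL_PATTERNS = {"DMI_CONSTANT_DB_PASSWORD", "DMI_EMPTY_DB_PASSWORD"}
# Assumption: a reference to java.sql or javax.sql means the code uses JDBC.
JDBC_REF = re.compile(r"\bjavax?\.sql\.")

def suppressed_sql_checks(filter_xml):
    """Return the SQL-related codes and patterns named in any <Bug> element."""
    found = set()
    for bug in ET.fromstring(filter_xml).iter("Bug"):
        codes = {c.strip() for c in bug.get("code", "").split(",")}
        patterns = {p.strip() for p in bug.get("pattern", "").split(",")}
        found |= (codes & SQL_CODES) | (patterns & SQL_PATTERNS)
    return found

def jdbc_users(sources):
    """sources maps file name -> Java source text; return names that reference JDBC."""
    return sorted(name for name, text in sources.items() if JDBC_REF.search(text))

def conflicts(filter_xml, sources):
    """Files that use JDBC while the filter hides SQL findings (empty list = safe)."""
    return jdbc_users(sources) if suppressed_sql_checks(filter_xml) else []

def load_tree(root):
    """Read every .java file under root into a {path: text} mapping."""
    return {str(p): p.read_text(encoding="utf-8", errors="replace")
            for p in Path(root).rglob("*.java")}

# Constructed sample input: the filter from this page and two made-up source files.
SAMPLE_FILTER = b"""<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter>
  <Match><Bug code="SQL,ODR" /></Match>
  <Match><Bug pattern="DMI_CONSTANT_DB_PASSWORD,DMI_EMPTY_DB_PASSWORD" /></Match>
</FindBugsFilter>"""
SAMPLE_SOURCES = {
    "Cache.java": "import java.util.Map;\nclass Cache {}\n",
    "Report.java": "import java.sql.Connection;\nclass Report {}\n",
}

if __name__ == "__main__":
    # Usage: python check_filter.py findbugs-exclude.xml src/  (no arguments: run on the sample)
    real = len(sys.argv) == 3
    bad = (conflicts(Path(sys.argv[1]).read_bytes(), load_tree(sys.argv[2]))
           if real else conflicts(SAMPLE_FILTER, SAMPLE_SOURCES))
    for name in bad:
        print("JDBC in use but SQL checks are excluded:", name)
    sys.exit(1 if bad else 0)
```

The regular expression also matches references inside comments and strings, so a hit is a prompt to review the file rather than proof that JDBC is in use.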

I'm Benjamin Hollis, a software developer in Seattle. Check out my website.