In enterprise environments, it's a common best practice to centralize code quality configurations (like spotbugs-exclude.xml) in a single secure repository (e.g., Nexus or Artifactory) and share it across multiple projects via a Parent POM.
Currently, passing an HTTPS URL to the parameter does not work. The underlying DefaultResourceManager attempts to resolve it as a local file or classpath resource, resulting in an immediate failure:
org.codehaus.plexus.resource.loader.ResourceNotFoundException: Could not find resource 'https://nexus.../spotbugs-exclude.xml'.
Furthermore, even if standard URL resolution were supported, enterprise repositories require authentication, and the plugin currently has no mechanism to read credentials from Maven's settings.xml.
I would like to request two interconnected enhancements:
- Remote URL Support: Allow excludeBugFile/excludeFilterFile/includeFilterFile to natively fetch resources via HTTP/HTTPS.
- Authentication Support: Add a new configuration parameter (e.g., excludeFilterServerId) that tells the plugin to retrieve credentials from the section of the Maven settings.xml file to authenticate the HTTP request.
Other Maven plugins handle this exact scenario flawlessly. A prime example is the OWASP dependency-check-maven plugin, which natively supports remote URLs and server authentication:
```xml
<configuration>
  <suppressionFiles>
    <suppressionFile>https://nexus.example.com/config/dependency-check-suppression.xml</suppressionFile>
  </suppressionFiles>
  <suppressionFileServerId>nexus-server</suppressionFileServerId>
</configuration>
```
It would be a massive improvement for enterprise workflows to have a similar setup for SpotBugs:
```xml
<configuration>
  <excludeFilterFile>https://nexus.example.com/config/spotbugs-exclude.xml</excludeFilterFile>
  <excludeFilterServerId>nexus-server</excludeFilterServerId>
</configuration>
```
Thanks!
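A sketch of the credential lookup and authenticated fetch requested above, as an added example that is not code from spotbugs-maven-plugin or dependency-check-maven. The class `RemoteFilterFetcher` and its `fetch` method are hypothetical; it assumes Maven injects `Settings` and `SettingsDecrypter` into the mojo, that the repository accepts HTTP Basic authentication, and JDK 11 or later.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Duration;
import java.util.Base64;
import org.apache.maven.settings.Server;
import org.apache.maven.settings.Settings;
import org.apache.maven.settings.crypto.DefaultSettingsDecryptionRequest;
import org.apache.maven.settings.crypto.SettingsDecrypter;

/** Hypothetical helper (assumption for illustration), not part of spotbugs-maven-plugin. */
public final class RemoteFilterFetcher {
    /** Downloads a filter file to a temp file, authenticating with a settings.xml server entry. */
    public static Path fetch(String url, String serverId, Settings settings, SettingsDecrypter decrypter)
            throws IOException, InterruptedException {
        URI uri = URI.create(url);
        // Credentials must never travel in clear text: refuse anything but HTTPS.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IOException("Refusing to send credentials to non-HTTPS URL: " + uri);
        }
        Server server = settings.getServer(serverId);
        if (server == null) {
            throw new IOException("No <server> with id '" + serverId + "' in settings.xml");
        }
        // Resolve passwords stored encrypted via Maven's settings-security mechanism.
        Server clear = decrypter.decrypt(new DefaultSettingsDecryptionRequest(server)).getServer();
        String token = Base64.getEncoder().encodeToString(
                (clear.getUsername() + ":" + clear.getPassword()).getBytes(StandardCharsets.UTF_8));
        // Redirects are not followed, so the Authorization header is only ever sent to the configured host.
        HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER)
                .connectTimeout(Duration.ofSeconds(10))
                .build();
        HttpRequest request = HttpRequest.newBuilder(uri)
                .timeout(Duration.ofSeconds(30))
                .header("Authorization", "Basic " + token)
                .GET().build();
        HttpResponse<byte[]> response = client.send(request, HttpResponse.BodyHandlers.ofByteArray());
        if (response.statusCode() != 200) {
            throw new IOException("Fetching filter file failed: HTTP " + response.statusCode());
        }
        // Write the body only after a 200, so an error page is never handed to SpotBugs as a filter.
        Path target = Files.createTempFile("spotbugs-filter-", ".xml");
        return Files.write(target, response.body());
    }
}
```

The returned path could then be passed wherever the plugin currently expects a local filter file; the exception messages include the URL and status code but never the credentials.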