Feature Request: Support resolving excludeBugFile/excludeFilterFile/includeFilterFile from remote URLs with authentication #1375

@NicolaIsotta

In enterprise environments, it's a common best practice to centralize code quality configurations (like spotbugs-exclude.xml) in a single secure repository (e.g., Nexus or Artifactory) and share it across multiple projects via a Parent POM.

Currently, passing an HTTPS URL to the parameter does not work. The underlying DefaultResourceManager attempts to resolve it as a local file or classpath resource, resulting in an immediate failure:
org.codehaus.plexus.resource.loader.ResourceNotFoundException: Could not find resource 'https://nexus.../spotbugs-exclude.xml'.

Furthermore, even if standard URL resolution were supported, enterprise repositories require authentication, and the plugin currently has no mechanism to read credentials from Maven's settings.xml.

I would like to request two interconnected enhancements:

  • Remote URL Support: Allow excludeBugFile/excludeFilterFile/includeFilterFile to natively fetch resources via HTTP/HTTPS.
  • Authentication Support: Add a new configuration parameter (e.g., excludeFilterServerId) that tells the plugin to retrieve credentials from the section of the Maven settings.xml file to authenticate the HTTP request.

Other Maven plugins handle this exact scenario flawlessly. A prime example is the OWASP dependency-check-maven plugin, which natively supports remote URLs and server authentication:

<configuration>
    <suppressionFiles>
        <suppressionFile>https://nexus.example.com/config/dependency-check-suppression.xml</suppressionFile>
    </suppressionFiles>
    <suppressionFileServerId>nexus-server</suppressionFileServerId> 
</configuration>

It would be a massive improvement for enterprise workflows to have a similar setup for SpotBugs:

<configuration>
    <excludeFilterFile>https://nexus.example.com/config/spotbugs-exclude.xml</excludeFilterFile>
    <excludeFilterServerId>nexus-server</excludeFilterServerId> 
</configuration>

Thanks!
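
The credential lookup requested above, as an added Python illustration (not code from this issue or from the plugin): it resolves a server id against a constructed settings.xml and attaches credentials only to HTTPS requests. The function names `find_server` and `build_filter_request`, the sample credentials, and the use of HTTP Basic auth are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from urllib.request import Request

# Constructed sample settings.xml; the username and password are made up.
SETTINGS_XML = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>nexus-server</id>
      <username>ci-reader</username>
      <password>example-password</password>
    </server>
  </servers>
</settings>"""

NS = {"m": "http://maven.apache.org/SETTINGS/1.0.0"}


def find_server(settings_xml, server_id):
    """Return (username, password) for the <server> whose <id> matches."""
    root = ET.fromstring(settings_xml)
    for server in root.findall("m:servers/m:server", NS):
        if server.findtext("m:id", namespaces=NS) == server_id:
            user = server.findtext("m:username", default="", namespaces=NS)
            password = server.findtext("m:password", default="", namespaces=NS)
            if password.startswith("{") and password.endswith("}"):
                # Maven-encrypted value; decrypting it is out of scope here.
                raise ValueError("encrypted password needs settings-security decryption")
            return user, password
    raise KeyError(f"no <server> with id {server_id!r} in settings.xml")


def build_filter_request(url, settings_xml, server_id=None):
    """Build the request for a remote filter file, adding Basic auth if asked."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    request = Request(url)
    if server_id is not None:
        if parts.scheme != "https":
            # Basic auth is only base64; never send it over cleartext HTTP.
            raise ValueError("refusing to send credentials over plain HTTP")
        user, password = find_server(settings_xml, server_id)
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        request.add_header("Authorization", f"Basic {token}")
    return request
```

Because an exclude filter suppresses findings, the fetched file deserves the same access control and review as the code it applies to.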
