I found a false negative when spotbugs-maven-plugin checked the following line in eclipse/jetty.project.
BigInteger serial = BigInteger.valueOf(new SecureRandom().nextLong());
According to the description of DMI: Random object created and used only once (DMI_RANDOM_USED_ONLY_ONCE):
You should strongly consider using a java.security.SecureRandom instead (and avoid allocating a new SecureRandom for each random number needed).
Spotbugs should generate a warning because the line creates a SecureRandom object and uses it only once.
The plugin version used is as follows:
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>4.1.4</version>
  <configuration>
    <effort>Default</effort>
    <threshold>Low</threshold>
  </configuration>
  <dependencies>
    <dependency>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs</artifactId>
      <version>4.1.4</version>
    </dependency>
  </dependencies>
</plugin>
Demo
Here is a small demo that could be used as a test case.
import java.security.SecureRandom;
import java.util.Random;

import edu.umd.cs.findbugs.annotations.ExpectWarning;

public class DMI_RANDOM_USED_ONLY_ONCE {

    // SecureRandom allocated and used once: no warning is reported today,
    // so this expectation currently fails (the false negative).
    @ExpectWarning("DMI_RANDOM_USED_ONLY_ONCE")
    long m1() {
        return new SecureRandom().nextLong();
    }

    // java.util.Random allocated and used once: the warning is reported,
    // so this expectation passes.
    @ExpectWarning("DMI_RANDOM_USED_ONLY_ONCE")
    long m2() {
        return new Random().nextLong();
    }
}
Should issue warning for SecureRandom object created and used only once
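For reference, the following is an added example (not code from this issue, from spotbugs, or from eclipse/jetty.project) that puts the per-call allocation the detector is meant to flag next to the form the bug description recommends: a single SecureRandom instance that is created once and reused. The class name and the 159-bit width in the last method are assumptions chosen for the example; the last method only illustrates that `BigInteger.valueOf(nextLong())` can be negative, since `nextLong()` covers the full signed range.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

// Added example, not code from the issue or from eclipse/jetty.project.
// Contrasts the pattern DMI_RANDOM_USED_ONLY_ONCE is meant to flag with the
// form the detector description recommends: one SecureRandom, reused.
public final class SerialNumbers {

    // One shared instance, seeded once and reused for every call.
    // SecureRandom is documented as safe for use by multiple threads.
    private static final SecureRandom RANDOM = new SecureRandom();

    // The pattern from the report: a fresh SecureRandom per call, which may
    // incur seeding work each time and is then immediately discarded.
    static BigInteger serialPerCall() {
        return BigInteger.valueOf(new SecureRandom().nextLong());
    }

    // Recommended form: draw from the shared generator.
    static BigInteger serialShared() {
        return BigInteger.valueOf(RANDOM.nextLong());
    }

    // Variant that keeps the value non-negative. nextLong() can return a
    // negative long, so BigInteger.valueOf(nextLong()) can be negative too.
    // Drawing a fixed-width value yields a number in [0, 2^159); the bit
    // width is an assumption for this example, not a value from the issue.
    static BigInteger nonNegativeSerialShared() {
        return new BigInteger(159, RANDOM);
    }

    public static void main(String[] args) {
        System.out.println("per-call allocation:   " + serialPerCall());
        System.out.println("shared instance:       " + serialShared());
        System.out.println("shared, non-negative:  " + nonNegativeSerialShared());
    }
}
```

Compiled against the demo above with the same plugin configuration, `serialPerCall()` is the shape that should produce a DMI_RANDOM_USED_ONLY_ONCE warning once the detector also considers `java.security.SecureRandom`, while the two shared-instance methods should stay clean.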