
I am using FindBugs to do source code analysis, along with the Find Security Bugs plugin to specifically detect security vulnerabilities like SQL injection, XSS, etc. I installed the FindBugs plugin for the Eclipse IDE, and I am using the source code of the known vulnerable web application BodgeIt (https://github.com/psiinon/bodgeit) to evaluate FindBugs. In the Project -> Properties -> FindBugs preferences, I have selected to show only the Security bug category in Reporter Configuration. When I run the FindBugs scan on the entire project, it finds bugs only for Java files in the "src" directory, as can be seen in this screenshot. Somehow it is ignoring the JSP files for scanning, and even the FindBugs context menu option does not appear for scanning the JSP files. Am I missing something here?

The numeric value at the end of each Java file name is the bug count in that particular file.

Krishna Pandey

0 Answers