Minimal working SpotBugs setup for Android Studio

I made some tests on my side and I manage to make it work like this :

1) Move the sourceSets declaration outside the android block. Leave it empty, it's just for the spotbugsMain task generation, it won't impact the global Android build.

android {
   // ...
}

sourceSets {
    main {
        java.srcDirs = []
    }
}

2) Keep your spotbugs block and configure the SpotBugsTask tasks like this :

tasks.withType(com.github.spotbugs.SpotBugsTask) {
    classes = files("$projectDir.absolutePath/build/intermediates/classes/debug")
    source = fileTree('src/main/java')
}

It will generate reports in app/build/findbugsReports

Important :

It only works with the ./gradlew build command, ./gradlew spotbugsMain won't work as the project must be built before

You can fix that adding an assemble dependency :

tasks.withType(com.github.spotbugs.SpotBugsTask) {
    dependsOn 'assemble'
    classes = files("$projectDir.absolutePath/build/intermediates/classes/debug")
    source = fileTree('src/main/java')
}

Following on from ToYonos answer (9 October 2018); Use this for Android Studio 3.4 and above:

project/build.gradle

buildscript {
    repositories {
        google()
        jcenter()
        maven {
            url 'https:// maven url 1'
        }
        maven {
            url "https://plugins.gradle.org/m2/" // Add this, for SpotBugs
        }
    }
    dependencies {
        classpath '...'

        // If you're using gradle 6.x, add this to use SpotBugs app version 4.0.2
        classpath "gradle.plugin.com.github.spotbugs.snom:spotbugs-gradle-plugin:4.3.0"

        // If you're using gradle 4.x or 5.x, add this to use SpotBugs app version 3.1.2
        classpath "com.github.spotbugs:spotbugs-gradle-plugin:2.0.1" 
    }
}

project/app/build.gradle

apply plugin: 'com.android.application'
apply plugin: '...'
apply plugin: "com.github.spotbugs" // <- Add this
    
dependencies {
    ...
}

// This block is only needed for gradle 4/5 only.
// It's for SpotBugs to create a 'spotbugsMain' gradle task.
sourceSets {
    main {
        java.srcDirs = []
    }
}
    
spotbugs {
    ignoreFailures = true
    reportsDir = file("$project.buildDir/SpotBugsReports")
    effort = "max"
    reportLevel = "high"
}

// Note: gradle 4/5 should use "com.github.spotbugs.SpotBugsTask"
tasks.withType(com.github.spotbugs.snom.SpotBugsTask) {
    dependsOn 'assembleDebug'
    classes = files("$project.buildDir/intermediates/javac") // Important to use this path
    excludeFilter = file("$project/spot-bugs-exclude.xml") // Optional - Explained below
    source = fileTree('src/main/java') // Only needed on gradle 4/5
    reports {
        // Enable HTML report only
        html.enabled = true
        xml.enabled = false
    }
}

You can generate a report for your debug build by running the gradle task:

For gradle 6.x: ./gradlew spotbugsDebug

For gradle 5 or 4: ./gradlew spotbugsMain

It's important to use classes = files("$project.buildDir/intermediates/javac") , otherwise you'll get an error "java.io.IOException: No files to analyze could be opened" -- see Findbugs fails with "java.io.IOException: No files to analyze could be opened"

You'll also need to enable the HTML report and disable XML report, to see a human-readable format.

ignoreFailures = true is optional. When SpotBugs detects a code warning, by default it will end with "BUILD FAILED" + a report file. Setting ignoreFailures = true means the gradle task will end with "BUILD SUCCESSFUL" + a report file.

To exclude some generated classes from the analysis, setup an excludeFilter. For a sample exclude file, check here or here (same as findbugs-exclude.xml)

More information and tutorial here: https://mikedemaso.com/tech/2020-06-10-spotbugs-gradle-plugin-android/