Review of Java Static Analysis Tools

Here are some of the Java Static Analysis tools you should know about:

1. PMD Java

PMD scans Java source code and looks for potential problems.

Problems range from breaking naming conventions and unused code or variables to performance and complexity of code, not forgetting lots of possible bugs.

The PMD project also supports JavaScript, PLSQL, Apache Velocity, XML and XSL. It also ships with CPD, a tool that detects duplicated code in several languages.

PMD integrates with several tools and editors, including Eclipse, NetBeans, IntelliJ IDEA, TextPad, Maven, Ant and Emacs.

Here’s a sample of what running PMD through some code looks like:

$ pmd pmd -R java-basic,java-unusedcode -d Deck.java
/Users/pmd/my/project/Deck.java:35: Avoid unused private fields such as 'classVar2'.
/Users/pmd/my/project/Deck.java:47: Avoid unused private fields such as 'instanceVar3'.

You can suppress warnings (in a variety of ways) and you can also write your own rules in either Java or XPath.

2. Checkstyle

As the name implies, Checkstyle checks that your code adheres to a coding standard.

The tool is configurable, which makes it able to support different code style conventions. Two examples are the Sun Code Conventions and Google Java Style (although the one from Sun hasn’t been maintained since 1999).

You can find a configuration file for Google’s Java Style on the checkstyle repository.

Speaking of configuration, this is done in an XML file where you set which modules are to be used. Here’s a (tiny) example of a configuration file:

<module name="Checker">
  <module name="NewlineAtEndOfFile"/>
  <module name="FileLength"/>
</module>

Running this configuration against some code will result in something like this:

$ checkstyle -c checkstyle.xml Deck.java
Starting audit...
/Users/checkstyle/my/project/Blah.java:0: File does not end with a newline.
/Users/checkstyle/my/project/Deck.java:23: Line has trailing spaces.
/Users/checkstyle/my/project/Deck.java:70: Line has trailing spaces.
Audit done.
Checkstyle ends with 3 errors.

3. FindBugs

FindBugs looks for bugs in Java code, checking for over 400 different bug patterns.

Patterns are separated into several categories: bad practice, correctness, malicious code vulnerability, multithreaded correctness, performance, security and dodgy code (two additional categories exist, with just a couple of patterns each: experimental and internationalization).

There are several ways of running FindBugs, but here’s what the command line interface can feel like:

$ findbugs -textui .
M P UuF: Unused field: java.deck.Deck.classVar2  In Deck.java
M P UuF: Unused field: java.deck.Deck.instanceVar3  In Deck.java
M D UuF: Unused public or protected field: java.deck.Deck.instanceVar2  In Deck.java
M D UuF: Unused public or protected field: java.deck.Deck.classVar1  In Deck.java
M D UuF: Unused public or protected field: java.deck.Deck.instanceVar1  In Deck.java
Warnings generated: 5

The first letter in the output refers to the severity of the (potential) bug (low, medium, high) and the second is the category (in this case P for Performance and D for Dodgy Code).

It integrates with Eclipse, Maven, Netbeans, Jenkins, Hudson and IntelliJ.

FindBugs supports a plugin architecture that allows anyone to add new bug detectors; which brings us to…

4. Find Security Bugs

Find Security Bugs is a plugin for FindBugs that adds checks for around 80 additional vulnerability types.

You’ll find a range of patterns that relate to the OWASP Top 10 vulnerabilities, from different types of injection and XSS protection to sensitive data exposure and unvalidated redirects.

There are also several patterns that are specific for Android.

There are also other common issues such as weak hashing methods and DoS vulnerabilities, not forgetting simpler things such as hard-coded passwords.
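To make two of those pattern families concrete, here is an added illustration (not code from the post or from the Find Security Bugs project): a hard-coded credential and an unsalted MD5 hash, each in the form a scanner reports, next to a form it accepts. The environment variable name and the PBKDF2 parameters are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class CredentialExample {

    // Flagged: a literal secret compiled into the class file (hard-coded password).
    // A scanner for unused private fields, like the PMD and FindBugs runs above, would report it too.
    private static final String DB_PASSWORD = "s3cr3t";

    // Accepted: the secret is supplied by the runtime environment instead of the source.
    static String dbPasswordFromEnvironment() {
        String value = System.getenv("APP_DB_PASSWORD"); // assumed variable name
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("APP_DB_PASSWORD is not set");
        }
        return value;
    }

    // Flagged: unsalted, single-round MD5 is a weak hashing method for passwords.
    static String weakHash(String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Accepted: salted, iterated PBKDF2; the salt is stored next to the hash so it can be verified later.
    static String strongHash(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, 310_000, 256); // assumed iteration count and key length
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] hash = factory.generateSecret(spec).getEncoded();
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(hash);
    }

    // A fresh random salt per stored password; 16 bytes is a common choice.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak:   " + weakHash("hunter2"));
        System.out.println("strong: " + strongHash("hunter2".toCharArray(), newSalt()));
    }
}
```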

Conclusion

As with similar tools in other languages, these Java static analysis tools complement each other, and we do recommend that you check them out if you care about code quality and avoiding technical debt.

Both PMD and CheckStyle are already integrated with Codacy, which means you can start using them right now.

Using Codacy means you’ll get all of these analyses done for you automatically every time you commit, plus a list of issues that can be expanded to reveal additional detail on the particular problem and how to solve it.

Integrating your repository with Codacy will also give you a good overview of the status of your project.

Edit: We just published an ebook: “The Ultimate Guide to Code Review” based on a survey of 680+ developers. Enjoy!
