
Which Java static code analysis tools should I use?

When developing in Java, just like in every other language, you’re bound to make some mistakes. As we’ve explained in our article about static code analysis, using tools to cover some of your errors can help. Because there’s a lot to choose from, we’ve rounded up the best Java static code analysis tools you should know about.

1. PMD Java

Our first tool of choice, PMD, scans Java source code and looks for potential problems. These range from broken naming conventions and unused code or variables to performance and complexity issues, without forgetting the many possible bugs that could be spread around your code.

Additionally, the PMD project also supports JavaScript, PLSQL, Apache Velocity, XML and XSL. It also ships with CPD, a copy-paste detector that finds duplicated code in several languages.

The tool integrates with several other tools and editors, including Eclipse, NetBeans, IntelliJ IDEA, TextPad, Maven, Ant, and Emacs. Here is a sample of what running PMD on some code looks like:

$ pmd -R java-basic,java-unusedcode -d Deck.java
/Users/pmd/my/project/Deck.java:35: Avoid unused private fields such as 'classVar2'.
/Users/pmd/my/project/Deck.java:47: Avoid unused private fields such as 'instanceVar3'.

With PMD, it’s possible to suppress warnings in a variety of ways and you can also write your own rules in either Java or XPath.

2. Checkstyle

As the name implies, Checkstyle is all about checking that your code adheres to a specific coding standard. The tool is fully configurable, enabling it to support different code style conventions: for example, you could use the Sun Code Conventions or Google Java Style depending on your preferences.

You can find a configuration file for Google's Java Style in the Checkstyle repository.

Speaking of configuration, all of this is done in an XML file where you set which modules are to be used. Here is a tiny example of what such a file looks like:

<module name="Checker">
  <module name="NewlineAtEndOfFile"/>
  <module name="FileLength"/>
</module>

Running this configuration against some code will result in something like this:

checkstyle -c checkstyle.xml Deck.java
Starting audit...
/Users/checkstyle/my/project/Blah.java:0: File does not end with a newline.
/Users/checkstyle/my/project/Deck.java:23: Line has trailing spaces.
/Users/checkstyle/my/project/Deck.java:70: Line has trailing spaces.
Audit done.

Checkstyle ends with 3 errors.

3. SpotBugs

SpotBugs specifically looks for bugs in Java code, and it does not just cover a couple of them: it checks for over 400 different bug patterns.

It separates patterns into several categories: bad practice, correctness, malicious code vulnerabilities, multithreaded correctness, performance, security, and dodgy code. Two additional categories, experimental and internationalization, only cover a couple of patterns each.

There are several ways of running SpotBugs, but here is what the command line interface can look like:

./spotbugs /path/to/project
H B Eq: org.eclipse.jetty.util.security.Password.equals(Object) checks for operand being a String  At Password.java:[line 129]
H B Eq: org.eclipse.jetty.util.ArrayTernaryTrie$Growing.equals(Object) checks for operand being a ArrayTernaryTrie  At ArrayTernaryTrie.java:[line 630]
M D Eq: org.hibernate.validator.internal.util.annotationfactory.AnnotationProxy.equals(Object) is unusual  At AnnotationProxy.java:[lines 88-111]
M D Eq: com.google.common.reflect.Types$TypeVariableImpl.equals(Object) is unusual  At Types.java:[lines 439-459]
H B Eq: com.google.common.reflect.Types$TypeVariableImpl.equals(Object) checks for operand being a reflect.TypeVariable  At Types.java:[line 454]
M C Eq: ch.qos.logback.core.joran.spi.ElementSelector overrides equals in ElementPath and may not be symmetric  At ElementSelector.java:[lines 146-165]
M C Eq: javassist.bytecode.analysis.MultiArrayType overrides equals in Type and may not be symmetric  At MultiArrayType.java:[lines 134-138]
M C Eq: javassist.bytecode.analysis.MultiType overrides equals in Type and may not be symmetric  At MultiType.java:[lines 298-307]
M D NP: Method jersey.repackaged.com.google.common.collect.Multiset.equals(Object) overrides the nullness annotation of parameter $L1 in an incompatible way  In Multiset.java
H D NP: entry must be non-null but is marked as nullable  At Maps.java:[line 1978]
H D NP: entry must be non-null but is marked as nullable  At Maps.java:[line 2008]

The first letter in the output refers to the severity of the (potential) bug, L for low, M for medium and H for high, and the second refers to the category. In this case, P stands for Performance and D stands for Dodgy Code.
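Most of the lines in the output above are Eq findings about equals() overrides that "may not be symmetric". The following is an added illustration of that pattern, not code from the original post or from any of the projects named in the output: a subclass overrides equals() with an instanceof check against its own type while the parent does the same, so the two objects disagree about whether they are equal. The class names are made up for the example.

```java
import java.util.Objects;

// Base class: equals() accepts any Point (or subclass) with the same coordinates.
class Point {
    final int x, y;
    Point(int x, int y) { this.x = x; this.y = y; }

    @Override public boolean equals(Object o) {
        if (!(o instanceof Point)) return false;
        Point p = (Point) o;
        return x == p.x && y == p.y;
    }
    @Override public int hashCode() { return Objects.hash(x, y); }
}

// Subclass: equals() only accepts ColorPoint, so a plain Point equals a
// ColorPoint but the ColorPoint does not equal the Point. This is the
// "overrides equals in Point and may not be symmetric" report SpotBugs
// files under category C (correctness), pattern group Eq.
class ColorPoint extends Point {
    final String color;
    ColorPoint(int x, int y, String color) { super(x, y); this.color = color; }

    @Override public boolean equals(Object o) {
        if (!(o instanceof ColorPoint)) return false;
        ColorPoint cp = (ColorPoint) o;
        return super.equals(cp) && color.equals(cp.color);
    }
    @Override public int hashCode() { return Objects.hash(x, y, color); }
}

public class EqDemo {
    public static void main(String[] args) {
        Point p = new Point(1, 2);
        ColorPoint cp = new ColorPoint(1, 2, "red");
        // The two calls below should agree under the Object.equals contract;
        // with the instanceof checks above they do not.
        System.out.println("p.equals(cp)  = " + p.equals(cp));
        System.out.println("cp.equals(p)  = " + cp.equals(p));
    }
}
```

The usual fixes are to compare runtime classes (getClass() != o.getClass()) in the base class, or to prefer composition over inheritance so that only one class defines equality.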

The tool integrates with Eclipse, Maven, Ant, NetBeans, Jenkins, Android Studio, and IntelliJ. SpotBugs also supports a plugin architecture that allows anyone to add new bug detectors, which brings us to the next tool.

4. Find Security Bugs

Find Security Bugs is a plugin for SpotBugs that adds checks for 80 additional vulnerability types. You will find a wide range of patterns relating to the OWASP Top 10 vulnerabilities, from different types of injection and XSS protection to sensitive data exposure and unvalidated redirects. It also supports several patterns specific to Android.

There is also support for other common issues such as weak hashing methods and DoS vulnerabilities, without forgetting simpler things like hard-coded passwords.
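As an added illustration, not code from the original post or from the Find Security Bugs project, here are two of the issue classes just mentioned, a hard-coded password and a weak hashing method, each beside a form that does not trigger the report. The bug-pattern identifiers in the comments are the plugin's own names for these checks; the environment variable name, the database user and the sample password are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class FsbDemo {
    // Flagged (HARD_CODE_PASSWORD): the credential is compiled into the
    // class file and is recoverable by anyone holding the jar.
    static final String DB_PASSWORD = "hunter2"; // constructed sample value

    static Connection connectInsecure(String url) throws SQLException {
        return DriverManager.getConnection(url, "app", DB_PASSWORD);
    }

    // Not flagged: the secret is read at runtime from the environment
    // (assumed variable name DB_PASSWORD), so nothing ships in the artifact.
    static Connection connectFromEnv(String url) throws SQLException {
        String pw = System.getenv("DB_PASSWORD");
        if (pw == null) throw new IllegalStateException("DB_PASSWORD not set");
        return DriverManager.getConnection(url, "app", pw);
    }

    // Flagged (WEAK_MESSAGE_DIGEST_MD5): MD5 is broken and the input is
    // unsalted, so equal passwords collide and precomputed tables apply.
    static String hashInsecure(String password) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("MD5")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    // Not flagged: salted PBKDF2 with a high iteration count, so every
    // guess costs real work and equal passwords produce different output.
    // The salt is expected to come from java.security.SecureRandom.
    static String hashPbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 310_000, 256);
        byte[] d = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return Base64.getEncoder().encodeToString(salt) + "$"
             + Base64.getEncoder().encodeToString(d);
    }
}
```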

Conclusion

As with similar tools in other programming languages, all of these Java static analysis tools complement each other, and we recommend you check all of them out if you care about code quality and avoiding technical debt.

Both PMD and Checkstyle are already integrated with Codacy, meaning you can start using them right away. Using Codacy means you get the results of all of these analyses automatically every time you commit, plus an expandable list of issues giving additional details on each problem and how to solve it.

Integrating your repository with Codacy will also give you a good overview of the status of your project, and help you save up to 50 percent of the time spent on code reviews. This way, you and your team can focus on what matters most and ship features faster. Try it for free with our Startup plan for up to four seats or by signing up for our free trial today.
