When developing in Java, just like in every other language, you’re bound to make some mistakes. As we’ve explained in our article about static code analysis, using tools to cover some of your errors can help. Because there’s a lot to choose from, we’ve rounded up the best Java static code analysis tools you should know about.
1. PMD Java
Our first tool of choice, PMD, scans Java source code and looks for potential problems. These range from broken naming conventions and unused code or variables to performance and code complexity — while not forgetting the many possible bugs that could be spread around your code.
The tool integrates with several build tools and editors, including Eclipse, NetBeans, IntelliJ IDEA, TextPad, Maven, Ant, and Emacs. Here’s a sample of what running PMD over some code looks like:
pmd pmd -R java-basic,java-unusedcode -d Deck.java
/Users/pmd/my/project/Deck.java:35: Avoid unused private fields such as 'classVar2'.
/Users/pmd/my/project/Deck.java:47: Avoid unused private fields such as 'instanceVar3'.
2. Checkstyle
As the name implies, Checkstyle is all about checking that your code adheres to a specific coding standard. The tool is fully configurable, so it can enforce different code style conventions — for example, the Sun Code Conventions or the Google Java Style, depending on your preferences.
Speaking of configuration, all of this is done in an XML file where you set which modules are to be used. Here’s a tiny example of what such a file looks like:
<?xml version="1.0"?>
<!DOCTYPE module PUBLIC "-//Checkstyle//DTD Checkstyle Configuration 1.3//EN" "https://checkstyle.org/dtds/configuration_1_3.dtd">
<module name="Checker">
    <module name="NewlineAtEndOfFile"/>
    <module name="FileLength"/>
</module>
Running this configuration against some code results in something like this:
checkstyle -c checkstyle.xml Deck.java
Starting audit...
/Users/checkstyle/my/project/Blah.java:0: File does not end with a newline.
/Users/checkstyle/my/project/Deck.java:23: Line has trailing spaces.
/Users/checkstyle/my/project/Deck.java:70: Line has trailing spaces.
Audit done.
Checkstyle ends with 3 errors.
3. SpotBugs
SpotBugs separates its bug patterns into several categories: bad practice, correctness, malicious code vulnerabilities, multithreaded correctness, performance, security, and dodgy code. Two additional categories, experimental and internationalization, only cover a couple of patterns each.
There are several ways of running SpotBugs, but here’s what the output of the command-line interface can look like:
./spotbugs /path/to/project
H B Eq: org.eclipse.jetty.util.security.Password.equals(Object) checks for operand being a String At Password.java:[line 129]
H B Eq: org.eclipse.jetty.util.ArrayTernaryTrie$Growing.equals(Object) checks for operand being a ArrayTernaryTrie At ArrayTernaryTrie.java:[line 630]
M D Eq: org.hibernate.validator.internal.util.annotationfactory.AnnotationProxy.equals(Object) is unusual At AnnotationProxy.java:[lines 88-111]
M D Eq: com.google.common.reflect.Types$TypeVariableImpl.equals(Object) is unusual At Types.java:[lines 439-459]
H B Eq: com.google.common.reflect.Types$TypeVariableImpl.equals(Object) checks for operand being a reflect.TypeVariable At Types.java:[line 454]
M C Eq: ch.qos.logback.core.joran.spi.ElementSelector overrides equals in ElementPath and may not be symmetric At ElementSelector.java:[lines 146-165]
M C Eq: javassist.bytecode.analysis.MultiArrayType overrides equals in Type and may not be symmetric At MultiArrayType.java:[lines 134-138]
M C Eq: javassist.bytecode.analysis.MultiType overrides equals in Type and may not be symmetric At MultiType.java:[lines 298-307]
M D NP: Method jersey.repackaged.com.google.common.collect.Multiset.equals(Object) overrides the nullness annotation of parameter $L1 in an incompatible way In Multiset.java
H D NP: entry must be non-null but is marked as nullable At Maps.java:[line 1978]
H D NP: entry must be non-null but is marked as nullable At Maps.java:[line 2008]
The first letter in the output refers to the severity of the (potential) bug — L for Low, M for Medium and H for High — and the second refers to the category. In this case, P stands for Performance and D stands for Dodgy Code.
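Because the text report has a fixed shape, it is easy to turn into a build gate. The following is an added example, not code from the post or from the SpotBugs project, and it assumes Java 16+; the letter-to-name mapping for S (Security) and M (Malicious code) is an assumption, the other letters come from the output and explanation above.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from the post or the SpotBugs project (Java 16+ assumed):
// parse the text report format shown above and decide whether a build should fail.
public class SpotBugsGate {
    // Severity letters as the post describes them.
    static final Map<String, String> SEVERITY = Map.of("L", "Low", "M", "Medium", "H", "High");
    // Category letters: B, C, D appear in the report above and P, D are named in
    // the post; S (Security) and M (Malicious code) are an assumption here.
    static final Map<String, String> CATEGORY = Map.of("B", "Bad practice", "C", "Correctness",
            "D", "Dodgy code", "P", "Performance", "S", "Security", "M", "Malicious code");
    // <sev> <cat> <abbrev>: <message> At <file>:[line N]  /  ...:[lines N-M]  /  In <file>
    static final Pattern LINE = Pattern.compile(
            "^([LMH]) ([A-Z]+) (\\w+): (.+?) (?:At|In) (\\S+?)(?::\\[lines? ([\\d-]+)\\])?$");
    record Finding(String severity, String category, String abbrev,
                   String message, String file, String lines) {}
    // Returns null for lines that are not findings (headers, blank lines, ...).
    static Finding parse(String line) {
        Matcher m = LINE.matcher(line.trim());
        if (!m.matches()) return null;
        return new Finding(SEVERITY.getOrDefault(m.group(1), m.group(1)),
                CATEGORY.getOrDefault(m.group(2), m.group(2)), m.group(3), m.group(4),
                m.group(5), m.group(6) == null ? "?" : m.group(6));
    }
    // Policy (an example choice): any High finding, and anything in the Security
    // or Malicious code categories, blocks the build.
    static boolean blocksBuild(Finding f) {
        return f.severity().equals("High") || f.category().equals("Security")
                || f.category().equals("Malicious code");
    }

    public static void main(String[] args) {
        // Two lines copied from the report above plus one constructed Security finding.
        List<String> report = List.of(
            "H B Eq: org.eclipse.jetty.util.security.Password.equals(Object) checks for operand being a String At Password.java:[line 129]",
            "M D NP: Method jersey.repackaged.com.google.common.collect.Multiset.equals(Object) overrides the nullness annotation of parameter $L1 in an incompatible way In Multiset.java",
            "M S SQL: nonconstant string passed to execute At Dao.java:[line 42]");
        int blocking = 0;
        for (String l : report) {
            Finding f = parse(l);
            if (f == null) continue;
            boolean block = blocksBuild(f);
            if (block) blocking++;
            System.out.printf("%-6s %-14s %s:%s %s%n", f.severity(), f.category(), f.file(), f.lines(), block ? "BLOCK" : "ok");
        }
        System.exit(blocking == 0 ? 0 : 1);
    }
}
```

In a pipeline you would feed the real report on standard input instead of the embedded lines; the non-zero exit status is what makes the job fail.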
The tool integrates with Eclipse, Maven, Ant, NetBeans, Jenkins, Android Studio, and IntelliJ. SpotBugs also supports a plugin architecture that allows anyone to add new bug detectors, which brings us to the next tool.
4. Find Security Bugs
Find Security Bugs is a plugin for SpotBugs that adds checks for 80 additional vulnerability types. You’ll find a wide range of patterns relating to the OWASP Top 10, from different types of injection and XSS protection to sensitive data exposure and unvalidated redirects. It also supports several patterns specific to Android.
There’s also support for other common issues such as hashing methods and DoS vulnerabilities, while not forgetting simpler things like hard-coded passwords.
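To make the kinds of patterns just listed concrete, here is an added example (not code from the post or from the Find Security Bugs project) that places each flagged pattern next to its fix. The class, the table and column names, the environment variable name and the PBKDF2 iteration count are all assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not code from the post or from Find Security Bugs: each "Unsafe"
// member shows a pattern of a kind the post lists; the member after it is the fix.
public class UserDao {
    private final Connection conn;
    UserDao(Connection conn) { this.conn = conn; }
    // Unsafe: the credential sits in source control and in every build artifact.
    static final String DB_PASSWORD = "changeme"; // constructed placeholder value
    // Fix: read the secret from the environment (or a secrets manager) at runtime.
    static String dbPassword() {
        String p = System.getenv("DB_PASSWORD"); // variable name is an assumption
        if (p == null || p.isEmpty()) throw new IllegalStateException("DB_PASSWORD not set");
        return p;
    }

    // Unsafe: caller-controlled input is concatenated into the SQL text.
    ResultSet findUserUnsafe(String name) throws SQLException {
        return conn.createStatement().executeQuery("SELECT id FROM users WHERE name = '" + name + "'");
    }
    // Fix: the query text is constant; the value is sent as a bound parameter.
    Optional<Integer> findUser(String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getInt("id")) : Optional.empty();
            }
        }
    }

    // Unsafe: an unsalted, fast digest makes offline password guessing cheap.
    static byte[] hashPasswordUnsafe(String pw) throws Exception {
        return MessageDigest.getInstance("MD5").digest(pw.getBytes(StandardCharsets.UTF_8));
    }
    // Fix: salted, deliberately slow derivation (PBKDF2 ships with the JDK);
    // the iteration count is an assumption, tune it for your hardware.
    static byte[] hashPassword(char[] pw, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
}
```

Running SpotBugs with the plugin over a class like this is a quick way to confirm that the "Unsafe" members are reported while their fixed counterparts stay quiet.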
As with similar tools in other programming languages, all of these Java static analysis tools complement each other, and we recommend you check all of them out if you care about code quality and avoiding technical debt.
Both PMD and Checkstyle are already integrated with Codacy, meaning you can start using them right away. Using Codacy means you get the results of all these analyses automatically every time you commit, plus an expandable list of issues giving additional details on each problem and how to solve it.
Integrating your repository with Codacy will also give you a good overview of the status of your project, and help you save up to 50 percent of the time spent on code reviews. This way, you and your team can focus on what matters most and ship features faster. Try it for free with our Startup plan for up to four seats, or by signing up for our free trial today.
Codacy is used by thousands of developers to analyze billions of lines of code every day!
Getting started is easy – and free! Just use your GitHub, Bitbucket or Google account to sign up.