Home Developer Which Java static code analysis tools should I use?

Which Java static code analysis tools should I use?




When developing in Java, just like in every other language, you’re bound to make some mistakes. As we’ve explained in our article about static code analysis, using tools to cover some of your errors can help. Because there’s a lot to choose from, we’ve rounded up the best Java static code analysis tools you should know about.

1. PMD Java

pmd java

Our first tool of choice, PMD, scans Java source code and looks for potential problems. These can range from breaking naming conventions and unused code or variables to performance and complexity of code — while not forgetting lots of possible bugs that could be spread around your code.

Additionally, the PMD project also supports JavaScript, PLSQL, Apache Velocity, XML, XSL. It also ships with a CPD, a tool to detect duplicated code in several code languages.

The tool seamlessly integrates with several tools and editors, including Eclipse, NetBeans, IntelliJ IDEA, TextPad, Maven, Ant, and Emacs. Here’s a sample of what running PMD through some code looks like:

pmd pmd -R java-basic,java-unusedcode -d Deck.java
/Users/pmd/my/project/Deck.java:35: Avoid unused private fields such as 'classVar2'.
/Users/pmd/my/project/Deck.java:47: Avoid unused private fields such as 'instanceVar3'.

With PMD, it’s possible to suppress warnings in a variety of ways and you can also write your own rules in either Java or XPath.

2. Checkstyle

As the name implies, Checkstyle is all about checking that your code adheres to a specific coding standard. The tool is fully configurable to your preferences, enabling it  to support different code style conventions — for example, you could use the Sun Code Conventions or Google Java Style depending on your preferences.

You can find a configuration file for Google’s Java Style on the checkstyle repository.

Speaking of configuration, all of this is done in an XML file where you can set which modules are to be used. Here’s a tiny example of what such a file looks like:

<module name="Checker">
  <module name="NewlineAtEndOfFile"/>
  <module name="FileLength"/>

Running this configuration against some code will result into something like this:

checkstyle -c checkstyle.xml Deck.java
Starting audit...
/Users/checkstyle/my/project/Blah.java:0: File does not end with a newline.
/Users/checkstyle/my/project/Deck.java:23: Line has trailing spaces.
/Users/checkstyle/my/project/Deck.java:70: Line has trailing spaces.
Audit done.

Checkstyle ends with 3 errors.

3. SpotBugs

SpotBugs specifically looks for bugs in Java Code, and it doesn’t just cover a couple of them — it works for over 400 different bug patterns.

It separates patterns into several categories: bad practice, correctness, malicious code vulnerabilities, multithreaded correctness, performance, security, and dodgy code. Two additional categories only cover a couple of patterns each — experimental and internationalization.

There are several ways of running SpotBugs, but here’s what the command line interface can look like:

./spotbugs /path/to/project
H B Eq: org.eclipse.jetty.util.security.Password.equals(Object) checks for operand being a String  At Password.java:[line 129]
H B Eq: org.eclipse.jetty.util.ArrayTernaryTrie$Growing.equals(Object) checks for operand being a ArrayTernaryTrie  At ArrayTernaryTrie.java:[line 630]
M D Eq: org.hibernate.validator.internal.util.annotationfactory.AnnotationProxy.equals(Object) is unusual  At AnnotationProxy.java:[lines 88-111]
M D Eq: com.google.common.reflect.Types$TypeVariableImpl.equals(Object) is unusual  At Types.java:[lines 439-459]
H B Eq: com.google.common.reflect.Types$TypeVariableImpl.equals(Object) checks for operand being a reflect.TypeVariable  At Types.java:[line 454]
M C Eq: ch.qos.logback.core.joran.spi.ElementSelector overrides equals in ElementPath and may not be symmetric  At ElementSelector.java:[lines 146-165]
M C Eq: javassist.bytecode.analysis.MultiArrayType overrides equals in Type and may not be symmetric  At MultiArrayType.java:[lines 134-138]
M C Eq: javassist.bytecode.analysis.MultiType overrides equals in Type and may not be symmetric  At MultiType.java:[lines 298-307]
M D NP: Method jersey.repackaged.com.google.common.collect.Multiset.equals(Object) overrides the nullness annotation of parameter $L1 in an incompatible way  In Multiset.java
H D NP: entry must be non-null but is marked as nullable  At Maps.java:[line 1978]
H D NP: entry must be non-null but is marked as nullable  At Maps.java:[line 2008]

The first letter in the output refers to the severity of the (potential) bug — L for low, M for Medium and H for High — and the second refers to the category. In this case, P stands for Performance and D stands for Dodgy Code.

The tool perfectly integrates with Eclipse, Maven, Ant, Netbeans, Jenkins, Android Studio, and IntelliJ. Also, SpotBugs supports a plugin architecture allowing anyone to add new bug detectors, which brings us to the next tool.

4. Find Security Bugs

Find Security Bugs is a plugin for SpotBugs adding checks for 80 additional different vulnerability types. You’ll find a wide range of patterns relating to OWASP 10 vulnerabilities, from different types of injection and XSS protection to sensitive data exposure and unvalidated redirects. It also supports several patterns specific to Android.

There’s also support for other common issues like hashing methods and DOS vulnerabilities, while not forgetting about simpler things like hard coded passwords.

Book demo banner - Join over 200 000 developers shipping high-quality code with Codacy


As with similar tools in other programming languages, all of these Java Static Analysis tools complement each other, and we recommend you check all of them out if you care about code quality and avoiding technical debt.

Both PMD and CheckStyle are already integrated with Codacy, meaning you can start using them right away. Using Codacy means you’ll get the results all of these analyses done for you automatically every time you do a commit, plus an expandable list of issues giving additional details on the particular problem and how to solve it.

Integrating your repository with Codacy will also give you a good overview on the status of your project, and help you save up to 50 percent of time spent on code reviews. This way, you and your team can focus on what matters most and ship features faster. Try it for free with our Startup plan for up to four seats or by signing up for our free trial today.

About Codacy

Codacy is used by thousands of developers to analyze billions of lines of code every day!

Getting started is easy – and free! Just use your  GitHub, Bitbucket or Google account to sign up.



Please enter your comment!
Please enter your name here

Subscribe to our newsletter

To be updated with all the latest news, offers and special announcements.

Recent posts

How does code quality fit into your CI/CD pipeline?

Continuous Integration and Continuous Deployment (CI/CD) are key for organizations wanting to deliver software at scale. CI/CD allows developers to automate...

How Stim uses Codacy to achieve high-quality code

We spoke with Tobias Sjösten, Head of Software Engineering at Stim, about how Codacy helps them guarantee code quality and standardization...

6 things developers should do to ship more secure code

Writing better, more secure source code is fundamental to prevent potential exploits and attacks that could undermine your software applications. However,...

Best practices for security code reviews

In today's interconnected world, where data breaches and cyber threats are increasingly common, one of your top priorities should be to...

April Product Update 🚀

Hi there 👋 It's been a whirlwind month, and we have big news to share: