Which Java static code analysis tools should I use?
When developing in Java, just like in every other language, you’re bound to make some mistakes. As we’ve explained in our article about static code analysis, using tools to cover some of your errors is a great idea. Because there’s a lot to choose from, we’ve rounded up the best Java static analysis tools you should know about.
1. PMD Java
Our first tool of choice, PMD, scans Java source code and looks for potential problems. These range from broken naming conventions and unused code or variables to performance and code-complexity issues — while not forgetting the many possible bugs that could be spread around your code.
The tool seamlessly integrates with several tools and editors, including Eclipse, NetBeans, IntelliJ IDEA, TextPad, Maven, Ant, and Emacs. Here’s a sample of what running PMD through some code looks like:
pmd pmd -R java-basic,java-unusedcode -d Deck.java
/Users/pmd/my/project/Deck.java:35: Avoid unused private fields such as 'classVar2'.
/Users/pmd/my/project/Deck.java:47: Avoid unused private fields such as 'instanceVar3'.
2. Checkstyle
As the name implies, Checkstyle is all about checking that your code adheres to a specific coding standard. The tool is fully configurable, so it can support different code style conventions — for example, you could use the Sun Code Conventions or the Google Java Style, depending on your preferences.
Speaking of configuration, all of this is done in an XML file where you can set which modules are to be used. Here’s a tiny example of what such a file looks like:
<module name="Checker">
    <module name="NewlineAtEndOfFile"/>
    <module name="FileLength"/>
</module>
Running this configuration against some code will result in something like this:
checkstyle -c checkstyle.xml Deck.java
Starting audit...
/Users/checkstyle/my/project/Blah.java:0: File does not end with a newline.
/Users/checkstyle/my/project/Deck.java:23: Line has trailing spaces.
/Users/checkstyle/my/project/Deck.java:70: Line has trailing spaces.
Audit done.
Checkstyle ends with 3 errors.
3. FindBugs
FindBugs separates its bug patterns into several categories: bad practice, correctness, malicious code vulnerabilities, multithreaded correctness, performance, security, and dodgy code. Two additional categories, experimental and internationalization, only cover a couple of patterns each.
There are several ways of running FindBugs, but here’s what the command line interface can look like:
findbugs -textui .
M P UuF: Unused field: java.deck.Deck.classVar2  In Deck.java
M P UuF: Unused field: java.deck.Deck.instanceVar3  In Deck.java
M D UuF: Unused public or protected field: java.deck.Deck.instanceVar2  In Deck.java
M D UuF: Unused public or protected field: java.deck.Deck.classVar1  In Deck.java
M D UuF: Unused public or protected field: java.deck.Deck.instanceVar1  In Deck.java
Warnings generated: 5
The first letter in the output refers to the severity of the (potential) bug — L for Low, M for Medium and H for High — and the second refers to the category. In this case, P stands for Performance and D stands for Dodgy Code.
The tool integrates well with Eclipse, Maven, NetBeans, Jenkins, Hudson, and IntelliJ. FindBugs also has a plugin architecture that lets anyone add new bug detectors, which brings us to the next tool.
4. Find Security Bugs
Find Security Bugs is a plugin for FindBugs that adds checks for 80 additional vulnerability types. You'll find a wide range of patterns relating to the OWASP Top 10, from different types of injection and XSS protection to sensitive data exposure and unvalidated redirects. It also supports several patterns specific to Android.
There's also support for other common issues such as hashing methods and DoS vulnerabilities, while not forgetting simpler things like hard-coded passwords.
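To make the injection and hard-coded-password checks concrete, here is an added example (not code from the original article or from the Find Security Bugs project) that puts the pattern a scan reports next to the form the same rules accept. The class name `UserLookup`, the `users` table, the `DB_PASSWORD` environment variable and the literal password value are all constructed for illustration; the plugin's own pattern names for these two findings are `SQL_INJECTION_JDBC` and `HARD_CODE_PASSWORD`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Two versions of the same lookup. The first contains patterns Find Security
// Bugs reports (SQL assembled by string concatenation, a password literal in
// source); the second is the hardened form that passes the same checks.
public class UserLookup {

    // --- Vulnerable form: what a scan would flag ---------------------------

    // Hard-coded credential: a literal password in source is reported as
    // HARD_CODE_PASSWORD. The value is a constructed placeholder.
    static final String DB_PASSWORD = "s3cret-placeholder";

    static boolean userExistsUnsafe(Connection conn, String username) throws SQLException {
        // Query text built from caller-supplied input: reported as SQL_INJECTION_JDBC.
        String sql = "SELECT 1 FROM users WHERE name = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // --- Hardened form -------------------------------------------------------

    // Credential read from the environment at runtime (assumed variable name),
    // so nothing secret is committed with the code.
    static String dbPassword() {
        String pw = System.getenv("DB_PASSWORD");
        if (pw == null || pw.isEmpty()) {
            throw new IllegalStateException("DB_PASSWORD is not set");
        }
        return pw;
    }

    static boolean userExistsSafe(Connection conn, String username) throws SQLException {
        // Parameterised query: the driver keeps the data separate from the SQL
        // text, so the input can never change the statement's structure.
        String sql = "SELECT 1 FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

Running FindBugs with the plugin over the compiled class reports the two findings in the first half and nothing in the second; removing `userExistsUnsafe` and the `DB_PASSWORD` constant is the whole fix, which is the point of having the scanner in the build rather than relying on review to spot concatenated SQL.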
As with similar tools in other programming languages, all of these Java static analysis tools complement each other, and we recommend you check all of them out if you care about code quality and avoiding technical debt.
Both PMD and Checkstyle are already integrated with Codacy, meaning you can start using them right away. With Codacy, you get the results of all of these analyses automatically every time you commit, plus an expandable list of issues giving additional details on each problem and how to solve it.
Integrating your repository with Codacy will also give you a good overview of the status of your project, and help you save up to 50 percent of the time spent on code reviews. This way, you and your team can focus on what matters most and ship features faster. Try it for free with our Startup plan for up to four seats, or by signing up for our free trial today.
Codacy is used by thousands of developers to analyze billions of lines of code every day!
Getting started is easy – and free! Just use your GitHub, Bitbucket or Google account to sign up.