Which Java static code analysis tools should I use?

When developing in Java, just like in every other language, you’re bound to make some mistakes. As we’ve explained in our article about static code analysis, using tools to catch some of those errors before they reach review or production is a great idea. Because there’s a lot to choose from, we’ve rounded up the best Java static analysis tools you should know about.

1. PMD Java


Our first tool of choice, PMD, scans Java source code and looks for potential problems. These range from broken naming conventions and unused code or variables to performance and complexity issues, plus a long list of likely bugs that could be spread around your code.

Additionally, the PMD project also supports JavaScript, PL/SQL, Apache Velocity, XML and XSL. It also ships with CPD, a copy-paste detector that finds duplicated code in several languages.

The tool integrates with several build tools and editors, including Eclipse, NetBeans, IntelliJ IDEA, TextPad, Maven, Ant, and Emacs. Here’s a sample of what running PMD on some code looks like, with -R selecting the rulesets to apply and -d the source to scan:

pmd pmd -R java-basic,java-unusedcode -d Deck.java
/Users/pmd/my/project/Deck.java:35: Avoid unused private fields such as 'classVar2'.
/Users/pmd/my/project/Deck.java:47: Avoid unused private fields such as 'instanceVar3'.

With PMD, it’s possible to suppress warnings in a variety of ways (annotations, comments or exclusion patterns), and you can also write your own rules in either Java or XPath over the parsed syntax tree.

2. Checkstyle

As the name implies, Checkstyle is all about checking that your code adheres to a specific coding standard. The tool is fully configurable, so it can enforce different code style conventions: for example, you could use the Sun Code Conventions or the Google Java Style, depending on your team's preference.

You can find a ready-made configuration file for Google’s Java Style in the Checkstyle repository.

Speaking of configuration, all of this is done in an XML file where you list which check modules are to be used. Here’s a tiny example of what such a file looks like:

<module name="Checker">
  <module name="NewlineAtEndOfFile"/>
  <module name="FileLength"/>
</module>

Running a configuration like this against some code will result in something like this:

checkstyle -c checkstyle.xml Deck.java
Starting audit...
/Users/checkstyle/my/project/Blah.java:0: File does not end with a newline.
/Users/checkstyle/my/project/Deck.java:23: Line has trailing spaces.
/Users/checkstyle/my/project/Deck.java:70: Line has trailing spaces.
Audit done.

Checkstyle ends with 3 errors.

3. FindBugs

FindBugs specifically looks for bugs in Java code by analysing compiled bytecode rather than source, and it doesn’t just cover a couple of them: it recognises over 400 different bug patterns.

It separates patterns into several categories: bad practice, correctness, malicious code vulnerability, multithreaded correctness, performance, security, and dodgy code. Two additional categories, experimental and internationalization, only cover a couple of patterns each.

There are several ways of running FindBugs, but here’s what the command line interface can look like:

findbugs -textui .
M P UuF: Unused field: java.deck.Deck.classVar2  In Deck.java
M P UuF: Unused field: java.deck.Deck.instanceVar3  In Deck.java
M D UuF: Unused public or protected field: java.deck.Deck.instanceVar2  In Deck.java
M D UuF: Unused public or protected field: java.deck.Deck.classVar1  In Deck.java
M D UuF: Unused public or protected field: java.deck.Deck.instanceVar1  In Deck.java
Warnings generated: 5

The first letter in the output refers to the priority of the (potential) bug (L for Low, M for Medium and H for High) and the second to the category. In this case, P stands for Performance and D stands for Dodgy Code. The third token (UuF here) is the abbreviated bug pattern code, which is what you reference when filtering or suppressing a specific warning.

The tool integrates with Eclipse, Maven, NetBeans, Jenkins, Hudson, and IntelliJ. FindBugs also supports a plugin architecture allowing anyone to add new bug detectors, which brings us to the next tool. One caveat: FindBugs itself is no longer maintained, and its successor, SpotBugs, is the drop-in replacement new projects should use; it runs the same detectors and plugins.

4. Find Security Bugs

Find Security Bugs is a plugin for FindBugs (and now SpotBugs) adding checks for 80 additional vulnerability types. You’ll find a wide range of patterns relating to the OWASP Top 10, from different kinds of injection and cross-site scripting to sensitive data exposure and unvalidated redirects. It also supports several patterns specific to Android.

There’s also support for other common issues like weak hashing algorithms and denial-of-service vulnerabilities, while not forgetting about simpler things like hard-coded passwords.
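To make the categories above concrete, here is an added example (not from the original article and not code from the Find Security Bugs project) showing the vulnerable pattern the plugin reports beside a hardened version, for four of the issue types just mentioned: SQL injection, hard-coded credentials, weak hashing and unvalidated redirects. The class name, table layout, environment variable name and the list of allowed redirect targets are assumptions made for illustration.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;
import javax.servlet.http.HttpServletResponse;

// Illustrative class (assumed name): each *Vulnerable method is what
// Find Security Bugs flags, the method below it is the hardened form.
public class UserRepository {

    // Hard-coded password: a literal flows into the password argument,
    // reported as HARD_CODE_PASSWORD.
    public Connection connectVulnerable(String jdbcUrl) throws SQLException {
        return DriverManager.getConnection(jdbcUrl, "app", "s3cret");
    }

    // Hardened: the secret comes from the environment (or a secrets manager)
    // at start-up. DB_PASSWORD is an assumed variable name.
    public Connection connect(String jdbcUrl) throws SQLException {
        String password = System.getenv("DB_PASSWORD");
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("DB_PASSWORD is not set");
        }
        return DriverManager.getConnection(jdbcUrl, "app", password);
    }

    // SQL injection: user input is concatenated into the query text,
    // reported as SQL_INJECTION_JDBC.
    public ResultSet findByNameVulnerable(Connection conn, String name) throws SQLException {
        Statement stmt = conn.createStatement();
        return stmt.executeQuery("SELECT id, name FROM users WHERE name = '" + name + "'");
    }

    // Hardened: a parameterised query keeps the input out of the SQL grammar,
    // so a name like "x' OR '1'='1" is just a string value.
    public ResultSet findByName(Connection conn, String name) throws SQLException {
        PreparedStatement stmt = conn.prepareStatement("SELECT id, name FROM users WHERE name = ?");
        stmt.setString(1, name);
        return stmt.executeQuery();
    }

    // Weak hash: MD5 is collision-broken, reported as WEAK_MESSAGE_DIGEST_MD5.
    public byte[] digestVulnerable(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(data);
    }

    // Hardened: SHA-256 for integrity checks. For storing passwords, a
    // deliberately slow, salted scheme (PBKDF2, bcrypt, Argon2) is the right
    // tool rather than any plain digest.
    public byte[] digest(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Unvalidated redirect: the target is taken straight from the request,
    // reported as UNVALIDATED_REDIRECT.
    public void redirectVulnerable(HttpServletResponse resp, String target) throws IOException {
        resp.sendRedirect(target);
    }

    // Hardened: only redirect to an allow-list of local paths (assumed values)
    // and fall back to a safe default otherwise.
    private static final Set<String> ALLOWED_TARGETS = Set.of("/home", "/account", "/logout");

    public void redirect(HttpServletResponse resp, String target) throws IOException {
        if (ALLOWED_TARGETS.contains(target)) {
            resp.sendRedirect(target);
        } else {
            resp.sendRedirect("/home");
        }
    }
}
```

Running the plugin over the compiled class reports the four *Vulnerable methods and stays quiet on their hardened counterparts, which is a useful way to confirm that a fix actually removed the pattern rather than just moving it around.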

Conclusion

As with similar tools in other programming languages, all of these Java static analysis tools complement each other: PMD and Checkstyle work on source code and focus on style and maintainability, while FindBugs and Find Security Bugs work on bytecode and focus on correctness and security. We recommend you check all of them out if you care about code quality and avoiding technical debt.

Both PMD and Checkstyle are already integrated with Codacy, meaning you can start using them right away. Using Codacy means you’ll get the results of all these analyses automatically every time you commit, plus an expandable list of issues giving additional details on each problem and how to solve it.

Integrating your repository with Codacy will also give you a good overview on the status of your project, and help you save up to 50 percent of time spent on code reviews. This way, you and your team can focus on what matters most and ship features faster. Try it for free with our Startup plan for up to four seats or by signing up for our free trial today.
