Top 4 Java Static Code Analysis Tools



Before going over some of top static code analysis tools for Java, lets quickly look at why do we need static code analysis in the first place? Following are some of the reasons:

  1. Rules compliance: Pre-defined rules can be set as per the coding standard and automated static analysis could be run to figure out rules violation. This does cut down on the manual code review for the related rules.
  2. Code quality metrics: The static analysis could be used to measure some of the following based on which software code quality can be measured:
    • Code complexity
    • Unit test coverage
    • Re-usability
    • Duplication
  3. Reports: Creates management reports that can be used to monitor the software code quality trend of various different teams.

If you have been looking for some of the effective static code analysis tool for Java, following are top 5 of them which I found very useful:

  1. PMD: A Java source code analyzer based upon  static rule set that identifies potential problems. It is used to identify possible bugs, and code smells such as duplicate code, dead code, code high cyclomatic complexity etc. One could write custom rules and have it run in the code analysis as well.
  2. CheckStyle: Besides some static code analysis, it can be used to show violations of a configured coding standard. It is a development tool to help programmers write Java code that adheres to a coding standard.
  3. FindBugs: An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland. FindBugs uses static analysis to identify hundreds of different potential types of errors in Java programs. It is free software, distributed under the terms of the Lesser GNU Public License.
  4. Sonar: Sonar is a static code analysis tool which supports the usage of one of the above as plugin. It analyzes the code, provides data in relation with unit test coverage, code complexity, duplication, documentation, reusability. There are various plugins which can measure software quality metrics.


Ajitesh Kumar
Follow me

1 Comment

  1. Hello Mr. Ajitesh.
    I am an Information Security Analyst (first time) at a small but awesome company and we use Veracode for static code analysis (for java). We are sick and tired of all the false positives it report in addition to the fact that it does not recognize custom sanitizers. My engineers are sick of it as well and we have been looking for something better. We find 1 true positive out of every 500 reported vulnerabilities.

    I have seen your list of recommended tools and would like to know if you compared them to Veracode?


    Thanks a lot in advance

Leave A Reply

Time limit is exhausted. Please reload the CAPTCHA.