Top 4 Java Static Code Analysis Tools

Static Code Analysis

[adsenseyu2]

Before going over some of top static code analysis tools for Java, lets quickly look at why do we need static code analysis in the first place? Following are some of the reasons:

Rules compliance: Pre-defined rules can be set as per the coding standard and automated static analysis could be run to figure out rules violation. This does cut down on the manual code review for the related rules.
Code quality metrics: The static analysis could be used to measure some of the following based on which software code quality can be measured:
- Code complexity
- Unit test coverage
- Re-usability
- Duplication
Reports: Creates management reports that can be used to monitor the software code quality trend of various different teams.

If you have been looking for some of the effective static code analysis tool for Java, following are top 5 of them which I found very useful:

PMD: A Java source code analyzer based upon static rule set that identifies potential problems. It is used to identify possible bugs, and code smells such as duplicate code, dead code, code high cyclomatic complexity etc. One could write custom rules and have it run in the code analysis as well.
CheckStyle: Besides some static code analysis, it can be used to show violations of a configured coding standard. It is a development tool to help programmers write Java code that adheres to a coding standard.
FindBugs: An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland. FindBugs uses static analysis to identify hundreds of different potential types of errors in Java programs. It is free software, distributed under the terms of the Lesser GNU Public License.
Sonar: Sonar is a static code analysis tool which supports the usage of one of the above as plugin. It analyzes the code, provides data in relation with unit test coverage, code complexity, duplication, documentation, reusability. There are various plugins which can measure software quality metrics.

[adsenseyu1]

Ajitesh Kumar

I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. For latest updates and blogs, follow us on Twitter. I would love to connect with you on Linkedin. Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking. Check out my other blog, Revive-n-Thrive.com

Next APIs is the Way to Go, You bet! »

Previous « How to Debug PHP Code?

View Comments

Larry says:

March 3, 2017 at 9:41 pm

Hello Mr. Ajitesh.
I am an Information Security Analyst (first time) at a small but awesome company and we use Veracode for static code analysis (for java). We are sick and tired of all the false positives it report in addition to the fact that it does not recognize custom sanitizers. My engineers are sick of it as well and we have been looking for something better. We find 1 true positive out of every 500 reported vulnerabilities.

I have seen your list of recommended tools and would like to know if you compared them to Veracode?

Sincerely

Thanks a lot in advance