Re's Blog: Java Static Code Analysis

Recently I tried out three popular Java code scan tools:

PMD
CheckStyle
SpotBugs (the successor of FindBugs).

While they can all be incorporated into continuous integration, in this case I run them from stand-alone command lines. I did not get a chance to try SonarQube yet, which may something interesting to check out later on.

PMD

PMD is straightforward to use.

/programs/pmd/bin/run.sh pmd -d /file/path/com/foo/Bar.java -format xml -rulesets pmd_rulesets.xml -language java

The scan result is returned in console as:

<?xml version="1.0" encoding="UTF-8"?>

<violation beginline="225" endline="241" begincolumn="9" endcolumn="9" rule="ConfusingTernary" ruleset="Design"

package="com.foo" class="Bar" method="getSomething" externalInfoUrl="https://pmd.github.io/pmd-5.8.1/pmd-java/rules/java/design.html#ConfusingTernary" priority="3">

Avoid if (x != y) ..; else ..;

</violation>

</file>

</pmd>

CheckStyle

CheckStyle is fairly straightforward to use. Tweak the style check file (sun_checks.xml) to your liking, then:

java -jar /some/path/checkstyle-8.2-all.jar -c /somelocation/sun_checks.xml -f /file/path/com/foo/Bar.java

This produces the xml scan result in console.

<?xml version="1.0" encoding="UTF-8"?>
<checkstyle version="8.2">
<file name="/file/path/com/foo/Bar.java">
<error line="100" column="5" severity="warning"
message="Missing a Javadoc comment." source="com.puppycrawl.tools.checkstyle.checks.javadoc.JavadocMethodCheck"/>
</file>
</checkstyle>

To link to CheckStyle web site for the explanation of the rule, you can map

com.puppycrawl.tools.checkstyle.checks.{ruleset}.{rule}Check
to
http://checkstyle.sourceforge.net/config_{ruleset}.html#{rule}

For example, for the rule
com.puppycrawl.tools.checkstyle.checks.javadoc.JavadocMethodCheck
we have
http://checkstyle.sourceforge.net/config_javadoc.html#JavadocMethod

SpotBugs

SpotBugs vs FindBugs makes another forking episode in Open Source. While FindBugs is still well alive, the force seems be with SpotBugs at this moment. Unlike PMD or CheckStyle, SpotBugs works on the binaries. It is a little harder to cajole, but definitely worth it.

#! /bin/sh

# The classes to be analyzed
SCAN_LIST='com.foo.Bar,com.foo.Goo'

# Add the jars needed by spotbugs to classpath
export CLASSPATH=/programs/spotbugs/libs/*:$CLASSPATH

# Auxiliary jar list
AUX_JARS='/path/aux_jars.txt'
ls /mywebapp/WEB-INF/lib/* > $AUX_JARS

/programs/spotbugs/bin/spotbugs -textui -progress -dontCombineWarnimlngs -xml:withAbridgedMessages -output /somewhere/output.xml -onlyAnalyze SCAN_LIST -maxHeap 2100 -auxclasspathFromFile $AUX_JARS /mywebapp/WEB-INF/classes

Whatever I do, I cannot make auxclasspath take a directory. So I end up adding each jar inside WEB-INF to auxclasspath.

With xml output, there are a few additional options to tweak the report:

xml:withAbridgedMessages, java classes and methods are referred to using abridged names instead of fully qualified names. For example, "Bar.SOME_CONST should be package protected." Personally, I like this option.
xml:withMessages, detailed messages are given in each bug instance. For example, "com.foo.Bar.SOME_CONST should be package protected."
xml:minimal, suppress all messages and statistics report.

To link to SpotBugs web site for each violation details, note the bug instance type

This should be linked to

http://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#MS_PKGPROTECT