Static Code Analysis Maven plugins for Java

Maven provides the following plugins for SCA (static code analysis) of Java code.

Checkstyle
FindBugs
PMD

Using the reporting and site plugins, you can have the plugins above generate SCA reports and incorporate them into the project's Maven site.

Checkstyle

Checkstyle automates the process of checking Java code, making it ideal for projects that want to enforce a coding standard. It is highly configurable and can be made to support almost any coding standard.

Checkstyle can check many aspects of your source code. It can find class design problems and method design problems, and it can also check code layout and formatting issues. You can find the detailed list of checks in the Checkstyle checks list.

<plugin>
	<groupId>org.apache.maven.plugins</groupId>
	<artifactId>maven-checkstyle-plugin</artifactId>
	<version>2.17</version>
	<reportSets>
		<reportSet>
			<reports>
				<report>checkstyle</report>
			</reports>
		</reportSet>
	</reportSets>
</plugin>

FindBugs

FindBugs scans byte code for so-called bug patterns to find defects and/or suspicious code. FindBugs provides early feedback about potential errors in the code, which helps the developer address these problems early in the development phase. It can be integrated with many IDEs (Eclipse, IDEA, NetBeans, etc.) and build tools (Maven).

Each finding is reported as a warning, but not all of these warnings are necessarily defects, e.g. warnings referring to possible performance issues. FindBugs ranks bugs on a scale from 1 to 20 to measure the severity of defects: Scariest (1-4), Scary (5-9), Troubling (10-14), Of concern (15-20). This is a hint to the developer about the possible impact/severity of the warnings. The current version reports 400 warnings in the nine categories: Correctness, Bad practice, Performance, Multithreaded correctness, Internationalization, Malicious code vulnerability, Security and Dodgy. You can find the details of each bug description in the FindBugs bug descriptions.

<plugin>
	<groupId>org.codehaus.mojo</groupId>
	<artifactId>findbugs-maven-plugin</artifactId>
	<version>3.0.5</version>
</plugin>

PMD

PMD is a source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, PLSQL, etc. Additionally it includes CPD, the copy-paste detector, which finds duplicated code in Java, JavaScript, PLSQL, etc.

PMD can be integrated with many IDEs (Eclipse, IDEA, NetBeans, etc.) and build tools (Maven). It uses rules to perform the source code analysis, and the rules are grouped into rulesets. The best feature of PMD is its XPath rules, bundled with a Rule Designer that lets you easily construct new rules from code samples (similar to RegEx and XPath GUI builders). You can find details of the current rulesets in the PMD Rulesets documentation.

<plugin>
	<groupId>org.apache.maven.plugins</groupId>
	<artifactId>maven-pmd-plugin</artifactId>
	<version>3.8</version>
</plugin>
