Maven provides the following plugins for static code analysis (SCA) of Java code: Checkstyle, FindBugs and PMD.
With the maven-site-plugin and a <reporting> section in the POM, each of these plugins can generate its analysis report and publish it as part of the project's Maven site. A report only documents findings; to make the build fail on them, bind each plugin's check goal in the <build> section instead.
Checkstyle automates the process of checking Java code against a coding standard, which makes it ideal for projects that want to enforce one. It is highly configurable and can be made to support almost any coding standard.
Checkstyle can check many aspects of your source code: class design problems, method design problems, and code layout and formatting issues. The full list of checks is at the Checkstyle checks list.
```xml
<!-- Goes inside the <reporting><plugins> section of the POM;
     <reportSets> is only valid there, not under <build>. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-checkstyle-plugin</artifactId>
  <version>2.17</version>
  <reportSets>
    <reportSet>
      <reports>
        <report>checkstyle</report>
      </reports>
    </reportSet>
  </reportSets>
</plugin>
```
FindBugs scans compiled bytecode for so-called bug patterns to find defects and suspicious code. It gives early feedback about potential errors, so the developer can address them early in the development phase. It integrates with many IDEs (Eclipse, IDEA, NetBeans, etc.) and with build tools such as Maven. FindBugs itself is no longer maintained; its successor SpotBugs understands the same bug patterns and has an equivalent Maven plugin.
Each finding is reported as a warning, but not every warning is a defect (warnings about possible performance issues, for example). FindBugs assigns each bug a rank from 1 to 20 that estimates its severity: Scariest (1-4), Scary (5-9), Troubling (10-14) and Of concern (15-20). This is a hint to the developer about the possible impact of the warning, and it is separate from the confidence (High, Medium, Low) attached to each warning, which estimates how likely the warning is to be a true positive. The current version reports over 400 bug patterns in nine categories: Correctness, Bad practice, Performance, Multithreaded correctness, Internationalization, Malicious code vulnerability, Security, Experimental and Dodgy code. Descriptions of every bug pattern are at the FindBugs bug descriptions page.
```xml
<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>findbugs-maven-plugin</artifactId>
  <version>3.0.5</version>
</plugin>
```
PMD integrates with many IDEs (Eclipse, IDEA, NetBeans, etc.) and with build tools such as Maven. It analyses source code with rules, and the rules are grouped into rulesets. Its best feature is XPath rules: a rule is an XPath query over PMD's abstract syntax tree, and the bundled Rule Designer lets you build new rules from code samples (much like RegEx and XPath GUI builders). The current rulesets are listed at PMD Rulesets.
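To show what an XPath rule looks like in practice, here is a project ruleset added as an example (it is not from the original page or from PMD's own rulesets). It combines PMD's bundled basic ruleset with one custom rule that flags the two ways of spawning an OS process, so every such call site is reviewed for command or argument injection. The file path src/main/config/pmd-rules.xml, the rule name FlagProcessExecution and the sample Ping class are assumptions; the AST node names (PrimaryExpression, PrimaryPrefix, PrimarySuffix, AllocationExpression) are those of the PMD 5.x Java grammar used by maven-pmd-plugin 3.8.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- src/main/config/pmd-rules.xml (hypothetical path): a project ruleset that
     reuses a bundled PMD ruleset and adds one custom XPath rule. -->
<ruleset name="Project rules"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">

  <description>Bundled basic rules plus a rule that flags OS process execution.</description>

  <!-- Reuse every rule from PMD's bundled basic ruleset. -->
  <rule ref="rulesets/java/basic.xml"/>

  <!-- Custom rule written as an XPath query over PMD's Java AST (PMD 5.x node names).
       It matches Runtime.getRuntime().exec(...) and new ProcessBuilder(...).
       Priority 1 is the highest, so maven-pmd-plugin's default failurePriority fails the build on it. -->
  <rule name="FlagProcessExecution"
        language="java"
        message="OS process execution; review the arguments for command or argument injection"
        class="net.sourceforge.pmd.lang.rule.XPathRule">
    <description>
      Spawning a process with attacker-influenced input leads to command or argument injection.
      Prefer a library call; if a process is needed, pass a fixed program name and each
      argument as a separate string, and validate any user-supplied argument.
    </description>
    <priority>1</priority>
    <properties>
      <property name="xpath">
        <value><![CDATA[
//PrimaryExpression[PrimaryPrefix/Name[@Image='Runtime.getRuntime']]
                   /PrimarySuffix[@Image='exec']
|
//AllocationExpression/ClassOrInterfaceType[@Image='ProcessBuilder']
        ]]></value>
      </property>
    </properties>
    <example><![CDATA[
public class Ping {
    String run(String host) throws Exception {
        // Both calls are reported. With host taken from a request the first one is
        // the risky one: exec(String) tokenizes on whitespace, so a value such as
        // "-c 100000 target" smuggles extra ping arguments (argument injection).
        Process p = Runtime.getRuntime().exec("ping -c 1 " + host);
        // Separate arguments keep host as one token; still reported so it gets reviewed.
        Process q = new ProcessBuilder("ping", "-c", "1", host).start();
        return Integer.toString(p.waitFor() + q.waitFor());
    }
}
    ]]></example>
  </rule>
</ruleset>
```

Point the plugin at the file with a <rulesets><ruleset>src/main/config/pmd-rules.xml</ruleset></rulesets> element in its <configuration>. The XPath union (|) keeps both patterns in one rule so they share a message and priority; to tune a query against real code, paste the sample class into the PMD Rule Designer and watch which nodes the expression selects.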
```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-pmd-plugin</artifactId>
  <version>3.8</version>
</plugin>
```
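The reporting snippets above only produce reports; a site report does not stop a build that ships a Security or Malicious code vulnerability finding. The fragment below is an added example (not from the original page) of the same three plugins bound to their check goals in the <build> section, so that the listed conditions fail the build. Paths and thresholds are assumptions: config/checkstyle.xml is a hypothetical project file; maxRank 14 keeps only FindBugs findings ranked Scariest through Troubling, while threshold Low filters on FindBugs' confidence rather than its rank; failurePriority 2 fails PMD on priority 1 and 2 violations only.

```xml
<build>
  <plugins>
    <!-- Checkstyle: run at validate, before compilation, and fail on any
         violation at or above the configured severity. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-checkstyle-plugin</artifactId>
      <version>2.17</version>
      <configuration>
        <configLocation>config/checkstyle.xml</configLocation> <!-- hypothetical project file -->
        <violationSeverity>error</violationSeverity>
        <failOnViolation>true</failOnViolation>
        <consoleOutput>true</consoleOutput>
        <includeTestSourceDirectory>true</includeTestSourceDirectory>
      </configuration>
      <executions>
        <execution>
          <id>checkstyle-check</id>
          <phase>validate</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>

    <!-- FindBugs: needs compiled classes, so it runs at verify. The check goal
         runs the analysis itself and fails the build when findings remain. -->
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>findbugs-maven-plugin</artifactId>
      <version>3.0.5</version>
      <configuration>
        <effort>Max</effort>
        <!-- threshold filters on confidence (High, Default, Low, Ignore, Exp). -->
        <threshold>Low</threshold>
        <!-- maxRank filters on rank 1-20: 14 keeps Scariest, Scary and Troubling,
             and drops the Of concern band (15-20). Assumed cut-off for this example. -->
        <maxRank>14</maxRank>
        <failOnError>true</failOnError>
        <xmlOutput>true</xmlOutput>
      </configuration>
      <executions>
        <execution>
          <id>findbugs-check</id>
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>

    <!-- PMD: the check goal runs the analysis and fails on violations whose
         priority is at or above failurePriority (1 is highest, 5 is lowest). -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-pmd-plugin</artifactId>
      <version>3.8</version>
      <configuration>
        <rulesets>
          <ruleset>/rulesets/java/basic.xml</ruleset>
        </rulesets>
        <failurePriority>2</failurePriority>
        <failOnViolation>true</failOnViolation>
        <printFailingErrors>true</printFailingErrors>
        <includeTests>true</includeTests>
        <linkXRef>false</linkXRef> <!-- no JXR cross-reference needed for a gate -->
      </configuration>
      <executions>
        <execution>
          <id>pmd-check</id>
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Keep the <reporting> entries as well if you want the site reports; the <build> bindings and the report goals use the same plugin configuration. Tighten the thresholds gradually on an existing code base: start with a high maxRank and a low failurePriority, fix what fails, then lower them, so the gate never becomes something developers routinely skip with -Dcheckstyle.skip, -Dfindbugs.skip or -Dpmd.skip.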