The best way to protect your Java code from avoidable bugs is to use static code analysis tools that can help you find and fix problematic code before it reaches production. Let's look at some popular static code analysis tools that can be used to test code from a number of different angles.
DeepSource
DeepSource delivers what is probably the best static code analysis you can find for Java. The DeepSource Java analyzer detects 190+ code quality issues, including performance bugs, security risks, bug risks, and anti-patterns. Currently, it supports Gradle Java projects, and in the future, DeepSource will add support for Maven and Android too. DeepSource is also working on bringing Autofix support to the Java analyzer, which will let developers fix issues without writing a single line of code.
Features
- Detects more than 170 code quality issues.
- OpenJDK versions 8 to 14 are currently supported.
Integration: Gradle
Licensing: Free to use for open-source projects, students, and non-profit organisations. Paid plans start from 12 USD per user/month.
SonarQube
SonarQube is an open-source suite of Java static code analysis tools that combines the features of tools such as FindBugs and PMD. SonarQube has very intuitive dashboards that maintain history to help developers track Java code quality over time. SonarQube uses advanced techniques like pattern matching and dataflow analysis to analyze code and identify code smells, bugs, and security vulnerabilities.
Features
- It has 597 rules to detect various code quality issues.
- Java language versions supported up to 14.
Integration: Maven, Gradle, Ant.
Licensing: Community edition is free and open source. License for commercial editions starts at €120.
SpotBugs
SpotBugs is FindBugs' successor. It is a Java static code analysis tool that examines JVM bytecode and finds traces of potential errors and security vulnerabilities by identifying coding defects. These defects are reported as warnings, but not all of the warnings reported are necessarily defects, e.g., warnings that refer to possible performance issues. The latest version reports more than 400 warnings, and all warnings are classified into four ranks: (i) scariest, (ii) scary, (iii) troubling, (iv) of concern.
Features
- Detects more than 400 bug patterns in code.
- SpotBugs requires JRE (or JDK) 1.8.0 or later to run. However, it can analyze programs compiled for any version of Java, from 1.0 to 1.9.
Integration: Ant, Maven, Gradle.
Licensing: Free and open-source
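Because not every SpotBugs warning is a defect, a build gate usually acts on rank rather than on the raw warning count. The sketch below is an added example, not SpotBugs code: it buckets the `BugInstance` entries of a SpotBugs XML report into the four ranks (SpotBugs numbers ranks 1 to 20, with 1-4 scariest, 5-9 scary, 10-14 troubling, 15-20 of concern) and lists the findings that should block a merge. The function names, the sample report, and the policy of always blocking on the SECURITY category are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# SpotBugs rank bands (1 = most severe, 20 = least): (upper bound, label).
RANK_BANDS = [(4, "scariest"), (9, "scary"), (14, "troubling"), (20, "of concern")]

# Constructed sample report; a real one is produced by a SpotBugs run with XML output.
SAMPLE_REPORT = """<BugCollection>
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" category="SECURITY" rank="2"/>
  <BugInstance type="NP_NULL_ON_SOME_PATH" category="CORRECTNESS" rank="8"/>
  <BugInstance type="RV_RETURN_VALUE_IGNORED" category="CORRECTNESS" rank="12"/>
  <BugInstance type="PT_RELATIVE_PATH_TRAVERSAL" category="SECURITY" rank="15"/>
  <BugInstance type="DM_STRING_CTOR" category="PERFORMANCE" rank="17"/>
  <BugInstance type="EI_EXPOSE_REP" category="MALICIOUS_CODE" rank="18"/>
</BugCollection>"""


def band_for(rank):
    """Map a numeric SpotBugs rank to its band label."""
    if rank < 1:
        raise ValueError(f"rank out of range: {rank}")
    for upper, label in RANK_BANDS:
        if rank <= upper:
            return label
    raise ValueError(f"rank out of range: {rank}")


def triage(report_xml, fail_at_rank=9, always_fail_categories=("SECURITY",)):
    """Return (count per band, sorted list of findings that block the build).

    Assumed policy: block on rank <= fail_at_rank, and on any finding in
    always_fail_categories regardless of rank, so a low-ranked security
    warning still gets a human review instead of being lost in the noise.
    """
    counts = Counter()
    blocking = []
    for bug in ET.fromstring(report_xml).iter("BugInstance"):
        rank = int(bug.get("rank"))
        category = bug.get("category")
        counts[band_for(rank)] += 1
        if rank <= fail_at_rank or category in always_fail_categories:
            blocking.append((rank, category, bug.get("type")))
    return counts, sorted(blocking)


if __name__ == "__main__":
    counts, blocking = triage(SAMPLE_REPORT)
    print(dict(counts))
    for rank, category, bug_type in blocking:
        print(f"BLOCK rank={rank:2d} {category:12s} {bug_type}")
```

In CI, a non-empty blocking list would fail the job, while the per-band counts can be tracked over time without gating on them.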
PMD
PMD analyzes Java source code, validates it with its list of rules, and reports offending lines to the user. PMD can determine common issues such as the hard coding of passwords and IP addresses, the use of the forEach loop instead of a traditional for loop, and code that seems to violate the Law of Demeter or implement the God Class anti-pattern.
Features
- More than 250 rules to detect issues in Java.
- Language support up to Java 13.
Integration: Maven, Gradle.
Licensing: Free and open-source
EclEmma
EclEmma (based on the JaCoCo library) is a free Java code coverage tool for Eclipse. It is a toolkit for measuring code coverage in a Java code base and presenting coverage data through visual reports. It highlights the lines of code and the total percentage of code executed, and tracks both line and branch coverage. EclEmma helps developers assess code that has not been adequately tested and focuses on low coverage areas. It supports 3 types of report formats: HTML, XML & CSV.
Features
- Supports Java class files from version 1.0 to 14.
Integration: Ant, Maven.
Licensing: Free and open-source
Checkstyle
Checkstyle is a Java static analysis tool that helps developers automate the process of defining a style guide and enforcing coding standards within the enterprise. Checkstyle identifies rules that are violated and helps developers fix and reformat the code with IDEs such as Eclipse, IntelliJ IDEA or NetBeans. Categories of violations include wildcard imports and whitespace usage around generic tokens.
Features
- More than 180 checks to enforce Java coding style.
- Language support up to Java 14.
Integration: Ant, Maven.
Licensing: Free and open-source
JArchitect
JArchitect is a Java static analysis tool that evaluates code metrics such as the number of method parameters, variables and lines of code, cyclomatic complexity, afferent and efferent coupling, and so forth. It measures, queries, and visualizes your code and helps you avoid unexpected issues, technical debt, and complexity.
Features
- Language support from Java 8 to 13.
- More than 450 rules.
Integration: Maven, Gradle, Ant.
Licensing: Free trial for 14 days; free open-source license for non-commercial open-source software projects; Personal License - $149, Developer Edition - $299, Build Machine - $549. Submit the form here to get the pertinent pricing and info for JArchitect.
JUnit
JUnit is a popular unit testing framework for Java development projects that allows developers to write and run unit tests for Java 8 and above. JUnit tests the state and the behavior of the code with simple yet powerful assertion statements. It is easy to get started with JUnit, and it offers a variety of additional features using annotations for more complex scenarios.
Features
- JUnit 5 (latest release) requires Java 8 (or higher) at runtime.
Integration: Maven, Gradle, Ant
Licensing: Free and open-source