
24 popular static analysis tools available for Java


The best static analysis tool for Java depends on the desired result. For checking basic formatting and best practices like naming conventions, Checkstyle is easy to set up and maintain. For more in-depth scanning for sub-optimal code and potential bugs, PMD and SpotBugs are the standard open-source options. For centralized configuration, easy integration into your environment, and checks against an up-to-date vulnerability catalogue, stepping up to SaaS services like Sonar, Codacy or Embold gives you more to work with. Snyk or Klocwork are good choices for teams with more security-focused needs. If you need enterprise-level coverage to adhere to industry standards and have the budget, an option like Veracode, Synopsys Coverity or Checkmarx might be the right choice.

First, what is static code analysis?

A static analysis process automatically checks source code (or, for some tools, compiled bytecode) for best practices, performance issues and security vulnerabilities without executing the program. The analysis typically runs while a developer writes the code and again during the test phase of a build pipeline. These automated tools help developers avoid known issues early in development, when they are cheapest to fix.

To learn more about how static analysis can benefit development teams – read Why is static code analysis important?

Each tool provides a range of options, so be clear about which problems you expect to solve. Some focus on coding guidelines and best practices; most provide some level of bug, security or performance flagging; and some are dedicated SAST (static application security testing) products. Each product has its own approach and emphasis: some target code structure, others developer productivity, and some strictly secure coding. Evaluate the options against your specific needs.

Checkstyle for Java

“Checkstyle can check many aspects of your source code. It can find class design problems, method design problems. It also has the ability to check code layout and formatting issues.” – checkstyle.sourceforge.io

Checkstyle is an open-source tool that ensures Java code adheres to a defined coding standard. It ships default configurations for Google Java Style and Sun Code Conventions but is highly configurable to an organization's needs. Plug-ins are available for IntelliJ, Eclipse and VS Code, and it can be run in build pipelines on GitHub, Jenkins and Bamboo. However, as the name implies, Checkstyle is limited to style and structural checks of your source code; it is neither a bug finder nor a security scanner.

Checkstyle is a great option to help your development team(s) write more readable, maintainable code. It checks basic formatting issues such as whitespace and newline usage, line length and proper use of braces and parentheses. It can also enforce package naming conventions and keep your import statements ordered logically. Method and variable naming conventions and JavaDoc verification help ensure that developers write clean code. It will also flag potential problem areas such as empty catch blocks and fall-through switch statements, and it can enforce limits on the depth of nested if statements and for loops.

PMD

“PMD is a source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth.” – pmd.github.io

PMD is also an open-source tool that, like Checkstyle, scans for best practices and coding style, but it additionally checks for potential performance problems and multithreading issues. It ships pre-defined rulesets, including a quick-start ruleset, and lets you write custom rules (as XPath expressions or Java classes). PMD has plug-ins for IntelliJ, Eclipse and other IDEs, and a third-party extension is available for VS Code.

PMD can be enforced in your build using its Maven or Gradle plug-in, which can fail the build on violations of your rulesets. For pipelines, a third-party Jenkins plug-in supports PMD. If you use GitHub, you may need to piece together several third-party options for your situation. For example, a PMD GitHub Action can fail the build based on the number of violations found. You can also surface results as GitHub code scanning alerts by generating a SARIF (Static Analysis Results Interchange Format) report and uploading it from the workflow; for private repositories this requires GitHub Advanced Security, an enterprise-tier feature.

Like most free or open-source tools, PMD will likely require more effort to set up and maintain on its own than a paid tool. However, if you need a free option that gives developers immediate feedback during the development cycle, it can be very helpful. On the other hand, if you intend to make static analysis for Java a regular part of your overall quality strategy, some investment in a commercially supported tool is probably warranted. Several other tools use PMD as an underlying engine, so don't be surprised if you end up running it alongside other options.
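The following is an added example, not code from this post, from Checkstyle or from PMD. It shows the kind of code that the checks named in the two sections above report (Checkstyle's FallThrough and EmptyCatchBlock checks, PMD's EmptyCatchBlock, UnusedLocalVariable and DoubleCheckedLocking rules), each beside a version the tools accept. The rule names are the ones documented by each project; the class, method and field names are invented for illustration.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not from the post, Checkstyle or PMD). Each "Buggy" method
// triggers the named check; the "Fixed" method beside it passes.
public class CheckstylePmdFindings {

    private static final Logger LOG = Logger.getLogger(CheckstylePmdFindings.class.getName());

    // Checkstyle FallThrough: "deny" has no break, so control falls into "allow"
    // and a request that should be denied ends up permitted.
    static boolean isPermittedBuggy(String action) {
        boolean permitted = false;
        switch (action) {
            case "deny":
                permitted = false;
            case "allow":            // FallThrough is reported on this label
                permitted = true;
                break;
            default:
                permitted = false;
        }
        return permitted;
    }

    // Fixed: every case returns explicitly; unknown actions are denied.
    static boolean isPermittedFixed(String action) {
        switch (action) {
            case "allow":
                return true;
            case "deny":
            default:
                return false;
        }
    }

    // EmptyCatchBlock (both tools) and PMD UnusedLocalVariable: a parse failure is
    // silently swallowed and the caller gets port 0; "trimmed" is never read.
    static int parsePortBuggy(String raw) {
        String trimmed = raw.trim();        // UnusedLocalVariable
        int port = 0;
        try {
            port = Integer.parseInt(raw);
        } catch (NumberFormatException e) {
            // nothing here: EmptyCatchBlock
        }
        return port;
    }

    // Fixed: the failure is logged and propagated instead of being hidden.
    static int parsePortFixed(String raw) {
        try {
            return Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            LOG.log(Level.WARNING, "invalid port value: {0}", raw);
            throw new IllegalArgumentException("invalid port: " + raw, e);
        }
    }

    // PMD DoubleCheckedLocking: without volatile, another thread can observe a
    // partially constructed Config through the unsynchronized first null check.
    private static Config config;
    static Config configBuggy() {
        if (config == null) {
            synchronized (CheckstylePmdFindings.class) {
                if (config == null) {
                    config = new Config();
                }
            }
        }
        return config;
    }

    // Fixed: the initialization-on-demand holder idiom is thread-safe by the
    // JVM's class-initialization guarantees and needs no explicit locking.
    private static final class ConfigHolder {
        static final Config INSTANCE = new Config();
    }
    static Config configFixed() {
        return ConfigHolder.INSTANCE;
    }

    static final class Config { }
}
```

Run Checkstyle with a configuration that enables FallThrough, EmptyCatchBlock and NestedIfDepth, and PMD with the quick-start ruleset, against this file to see the three findings side by side; the fall-through case is the one worth remembering, because a missing break in an authorization switch is a logic bug that no amount of formatting discipline would have caught.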

SpotBugs

“SpotBugs is a program to find bugs in Java programs. It looks for instances of “bug patterns” — code instances that are likely to be errors.” – spotbugs.readthedocs.io

SpotBugs is another open-source tool that, as its name implies, finds potential issues by matching code against known bug patterns. It is the successor to FindBugs. Its findings are grouped into categories including bad practice, correctness, malicious code vulnerability, security, multithreaded correctness and performance. It can be run through Maven or Gradle builds, has third-party IDE add-ons, and ships its own GUI that runs locally. Unlike Checkstyle and PMD, SpotBugs analyzes compiled bytecode rather than source, so the project must be built before it can be scanned; the IDE plug-ins keep this easy by compiling the code you are trying to scan and showing the results in a dedicated window.

As with other Java static analysis tools that have Maven or Gradle plug-ins, you can configure SpotBugs to fail the build in your pipeline. Third-party GitHub Actions exist that post analysis results as check run annotations. If you want pull request decoration, you can also run SpotBugs as a plug-in to a platform such as SonarQube.

Find Security Bugs

“The SpotBugs plugin for security audits of Java web applications.” – find-sec-bugs.github.io

Find Security Bugs is not a stand-alone static analysis tool but a plug-in for SpotBugs aimed at security audits of Java web applications. It adds detectors for 140+ vulnerability types, each mapped to OWASP Top 10 categories and CWE identifiers, and includes taint analysis for injection flaws in common frameworks. Since it just augments SpotBugs, it has the same benefits and capabilities for integrating into your IDE and build pipeline.
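The following is an added example, not code from this post, from SpotBugs or from Find Security Bugs, serving both the SpotBugs and Find Security Bugs sections. It shows one finding from SpotBugs' own malicious code vulnerability category (a getter that exposes internal state) and two injection findings that Find Security Bugs adds (SQL injection through JDBC and path traversal), each beside a hardened version. The bug-pattern keys in the comments are the ones the two projects document; the class, method, table and column names are invented.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;

// Added example (not from the post, SpotBugs or Find Security Bugs).
public class SpotBugsFindings {

    private final byte[] secret;
    private final Path uploadRoot;

    SpotBugsFindings(byte[] secret, Path uploadRoot) {
        // Copying on the way in avoids EI_EXPOSE_REP2 (storing a caller-owned array).
        this.secret = secret.clone();
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
    }

    // SpotBugs EI_EXPOSE_REP: returning the internal array lets any caller
    // overwrite the secret in place.
    byte[] secretBuggy() {
        return secret;
    }

    // Fixed: hand out a copy; the internal state stays private.
    byte[] secretFixed() {
        return Arrays.copyOf(secret, secret.length);
    }

    // Find Security Bugs SQL_INJECTION_JDBC: the username is pasted into SQL text,
    // so "x' OR '1'='1" changes the query's meaning.
    static boolean userExistsBuggy(Connection db, String username) throws SQLException {
        try (Statement st = db.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT 1 FROM users WHERE name = '" + username + "'")) {
            return rs.next();
        }
    }

    // Fixed: the value travels as a bind parameter and is never parsed as SQL.
    static boolean userExistsFixed(Connection db, String username) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement("SELECT 1 FROM users WHERE name = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Find Security Bugs PATH_TRAVERSAL_IN: "../../etc/passwd" escapes uploadRoot.
    byte[] readUploadBuggy(String fileName) throws IOException {
        return Files.readAllBytes(Paths.get(uploadRoot.toString(), fileName));
    }

    // Fixed: resolve and normalize, then confirm the result is still under the root
    // (an absolute fileName resolves to itself and is rejected by the same check).
    byte[] readUploadFixed(String fileName) throws IOException {
        Path target = uploadRoot.resolve(fileName).normalize();
        if (!target.startsWith(uploadRoot)) {
            throw new IOException("path escapes upload root: " + fileName);
        }
        return Files.readAllBytes(target);
    }
}
```

Because the path traversal detector is taint-based, Find Security Bugs may still report readUploadFixed: it does not know that the startsWith check is a sanitizer. After review, suppress that single finding with SpotBugs' @SuppressFBWarnings annotation and a justification string rather than turning the detector off globally.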

Error Prone

“Using Error Prone to augment the compiler’s type analysis, you can catch more mistakes before they cost you time, or end up as bugs in production.” – errorprone.info

Error Prone is an open-source tool from Google that hooks into the Java compiler, so it integrates into your build via Maven, Gradle, Ant and so on. IDE integration is limited for the same reason: the tool runs during compilation, and its feedback arrives as compiler warnings and errors in your build output. Although Eclipse's continuous compilation lets you run Error Prone while you code, the Error Prone project itself recommends FindBugs (or SpotBugs) for that use case.

Since Error Prone runs during compilation, running it in your build pipeline is simple, but getting the results out is limited. Unless you find third-party support, check run annotations or PR decoration from Error Prone's results won't be possible. If this is your first foray into static analysis tools for Java, other options make the first step considerably easier.
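The following is an added example, not code from this post or from the Error Prone project. It shows two checks that Error Prone reports during compilation, ReferenceEquality and DefaultCharset, beside corrected code, plus the per-method suppression syntax for a reviewed false positive. The check names are the ones in Error Prone's bug-pattern list; the method names are invented.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example (not from the post or the Error Prone project).
public class ErrorProneFindings {

    // ReferenceEquality (a warning by default; promote it with
    // -Xep:ReferenceEquality:ERROR): == compares object identity, so two equal
    // tokens that were built separately never match.
    static boolean sameTokenBuggy(String presented, String expected) {
        return presented == expected;
    }

    // Fixed: compare contents. For secrets, use a length-independent comparison so
    // the time taken does not reveal how many leading bytes matched.
    static boolean sameTokenFixed(String presented, String expected) {
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    // DefaultCharset: the platform default charset differs between machines, so
    // the same request body can decode differently in CI and in production.
    static String decodeBuggy(byte[] body) {
        return new String(body);
    }

    // Fixed: name the charset explicitly.
    static String decodeFixed(byte[] body) {
        return new String(body, StandardCharsets.UTF_8);
    }

    // Suppressing one check on one method after review. The string is the check
    // name Error Prone printed; identity comparison is intended here because the
    // sentinel is a single unique instance.
    @SuppressWarnings("ReferenceEquality")
    static boolean isSentinel(String value, String sentinel) {
        return value == sentinel;
    }
}
```

The point to take from this block is where the feedback appears: compile this class with Error Prone enabled and the findings show up in the javac output, which is exactly why the section above notes that IDE and pull request integration is thinner than for the other tools.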

Infer

“Infer checks for null pointer exceptions, resource leaks, annotation reachability, missing lock guards, and concurrency race conditions in Android and Java code.” – fbinfer.com

Infer is yet another open-source tool, this one from the team at Facebook. The first consideration is that Infer does not support Windows; you can run it in a Docker container or on a Linux virtual machine as long as your project compiles there. If that is not a deal-breaker, the same considerations apply as for Error Prone, except that there is no IDE integration at all. Infer hooks into your compiler and provides a command-line interface for capturing, analyzing, comparing and reporting results.

No GitHub Actions, Jenkins plug-ins or similar are available out of the box. Running Infer during your build using the project's Docker images should be possible, but it will take some effort. As with Error Prone, treat this option as an additional set of checks on top of an existing static analysis process. Infer does not attempt to duplicate what other tools already catch; instead, it looks for deeper, inter-procedural bugs whose cause and effect may sit in different files.
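The following is an added example, not code from this post or from the Infer project. It shows the two issue types the Infer quote leads with, NULL_DEREFERENCE and RESOURCE_LEAK, in the inter-procedural form described above: the null originates in one method and is dereferenced in another, so the bug is only visible by following the call. The issue names are Infer's; the repository and method names are invented.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;

// Added example (not from the post or the Infer project).
public class InferFindings {

    static final class UserRepository {
        private final Map<String, String> emailsById;

        UserRepository(Map<String, String> emailsById) {
            this.emailsById = emailsById;
        }

        // Returns null for an unknown id. Infer records "may return null" in this
        // method's summary and checks every caller against it.
        String findEmail(String userId) {
            if (!emailsById.containsKey(userId)) {
                return null;
            }
            return emailsById.get(userId);
        }
    }

    // NULL_DEREFERENCE: the caller trusts findEmail() and dereferences its result.
    static String domainBuggy(UserRepository repo, String userId) {
        String email = repo.findEmail(userId);
        return email.substring(email.indexOf('@') + 1);
    }

    // Fixed: the null path is handled before the dereference.
    static String domainFixed(UserRepository repo, String userId) {
        String email = repo.findEmail(userId);
        if (email == null) {
            throw new IllegalArgumentException("unknown user: " + userId);
        }
        return email.substring(email.indexOf('@') + 1);
    }

    // RESOURCE_LEAK: if read() throws, close() is never reached and the file
    // descriptor leaks; enough of these exhaust the process's descriptor limit.
    static int firstByteBuggy(String path) throws IOException {
        InputStream in = new FileInputStream(path);
        int b = in.read();
        in.close();
        return b;
    }

    // Fixed: try-with-resources closes the stream on every exit path.
    static int firstByteFixed(String path) throws IOException {
        try (InputStream in = new FileInputStream(path)) {
            return in.read();
        }
    }
}
```

Infer reports the null dereference at the line in domainBuggy but explains it in terms of the return in findEmail, which is the behaviour that distinguishes it from per-method checkers like the ones earlier in this list.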

jQAssistant

“jQAssistant is a QA tool, which allows the definition and validation of project specific rules on a structural level.” – jqassistant.org

jQAssistant differs from most of the others on this list. It is a Java static analysis tool that validates the structure of your codebase against rules you define yourself. It can be incorporated into your build using Maven or Gradle, although detailed Gradle instructions are harder to find. It uses various plug-ins to perform checks in areas such as Spring, JPA, JUnit, EE 6, XML and JSON. While each plug-in includes some default rules and constraints, writing new rules comes with a learning curve that may not be worth it if you are only getting started.

Scanning, analyzing and reporting can each run as part of the build if desired. Internally, jQAssistant scans the project into a Neo4j graph database, evaluates your rules (written as Cypher graph queries) against it, and generates reports from the results. You could publish the final reports as an artifact from a GitHub Action, for example, if you want to retain the results of each analysis. While this tool provides a lot of flexibility to check for specific architectural issues, setting up and maintaining jQAssistant is undoubtedly more effort than the other tools.

Parasoft JTest

“Validate code reliability and security and reduce vulnerabilities through compliance checks for CWE, OWASP, & more.” – parasoft.com

Parasoft provides many products related to software testing, with Parasoft JTest being the option for Java. JTest uses multiple proprietary checkers to ensure code complies with security standards and code style guidelines, and it looks for potential bugs and optimizations. Eclipse and IntelliJ plug-ins are available for JTest, but no Java-specific plug-in is currently available for VS Code. To integrate JTest with your build pipeline, you use your build tool (Ant, Maven or Gradle), and a SARIF file can be generated and published as a build artifact. To surface that file as GitHub code scanning alerts on a private repository, you need GitHub Advanced Security, which is part of the enterprise tier.

Like other full-featured options, JTest lets you create centralized custom rules to share across the organization. It includes checkers for secure coding standards, including OWASP, CERT, CWE, PCI DSS and UL 2900, and it has other features such as monitoring code coverage and limiting test execution to modified code. In addition, Parasoft offers many other software testing products, and the consolidated results from these tools can optionally be viewed in their Development Testing Platform (DTP). The Parasoft suite might be worthwhile if you want a single vendor for web, API, load or dynamic security testing in addition to static analysis.

CodeSec and Contrast Scan

“Contrast Scan is a code scanning tool built from the ground up to make security testing as routine as a code commit while focusing on the most imperative vulnerabilities to deliver fast, accurate and actionable results.” – contrastsecurity.com

CodeSec is a free command-line static analysis tool for Java provided by Contrast Security. It includes static analysis scanning and software composition analysis, which can be used locally and in your pipeline via GitHub Actions. Of course, the free version has limitations; in this case, you can only perform 200 scans per month. To remove these limits, Contrast offers Contrast Scan and Contrast SCA as individual products or as part of their broader Contrast Secure Code Platform, which provides other security and testing tools.

Contrast provides multiple ways to run scans: the command line, build tools such as Gradle and Maven, GitHub Actions, or an API call that uploads your code to their service. They also provide many integrations with IDEs, incident management platforms, CI/CD providers, vulnerability management systems, and various webhook and SDK options. They advertise fast scanning and precise remediation guidance that plugs directly into existing pull request workflows. The free CodeSec tool gives you a feel for what to expect from their services, after which you can evaluate whether stepping up to Contrast Scan or the entire platform is a good option for you.

DeepSource

“Analyze every pull-request to find and fix code quality issues before you merge. No CI setup required.” – deepsource.io

DeepSource is a code health platform covering static analysis, SAST, code coverage, infrastructure-as-code scanning and more. It integrates directly with your GitHub, GitLab, Bitbucket or Google-hosted repositories to run on every commit or pull request. There are no IDE plug-ins, however, so developers must commit and push their changes to get feedback on their work.

Developers can benefit from the Autofix feature, which automatically opens a pull request fixing issues found during scans. DeepSource can also run existing code formatting tools so that code adheres to your chosen guidelines automatically. For security-minded readers, the platform scans for OWASP Top 10 and SANS/CWE Top 25 vulnerability classes and can, in some cases, fix them automatically. With centralized configuration and reporting, plus the potential for developers to move quickly on repairing security issues, engineering leaders have a lot to like, assuming the lack of IDE plug-ins isn't a deal-breaker.

Code Climate

“Automated code review for test coverage, maintainability, and more so you can save time and merge with confidence.” – codeclimate.com

Code Climate offers two products; Quality is the one that provides static analysis for Java, while Velocity focuses on engineering management. For local development there is a CLI but no supported IDE plug-in. For pipeline integration, Quality hooks only into GitHub repositories, where it can leave inline pull request comments from the various configured scans. A browser extension that connects to your logged-in Code Climate session can also decorate open pull requests inline as you view them on GitHub.

Code Climate's own analysis covers cognitive and cyclomatic complexity, code duplication and overall maintainability. While that native offering is limited, you can enable many plug-ins, including PMD, Sonar and Checkstyle. You can also use its code coverage reporting and configure quality gates that decide whether a pull request may be merged. Note that only pull requests targeting the default branch in GitHub are currently supported, so consider your branching strategy if this is a feature you want to use.

To read more about git branching strategies – read What to consider when choosing a Git branching strategy.

Embold

“Waiting for the technical debt to skyrocket to take action is old school and expensive. Embold helps you find issues before they happen!” – embold.io

Embold is a plug-and-play SaaS service that hooks directly into your repositories, scans for code quality issues and decorates pull requests with the results. Embold also provides IDE plug-ins so developers can scan files as they work and get quick feedback on potential problems. In the IDE, issues can be sorted by criticality, anti-patterns or code quality category, letting you focus on what matters most.

In addition to code quality scanning, Embold offers visualizations to aid refactoring; heatmaps, for example, suggest how to partition code for better maintainability. Embold also focuses on preventing technical debt by letting you set quality gates and KPIs that stop poor coding practices from entering the code base as early in the development cycle as possible. Finally, with a free IDE plug-in and a free tier capped at a maximum number of lines of code, evaluating the service takes little effort.

Snyk

“Secure your code as it’s written with static application security testing built by, and for, developers.” – snyk.io

Snyk is a newer entrant that has quickly gained market share through its focus on developer usability and security. Snyk Code is its SAST product, scanning for vulnerabilities mapped to the OWASP Top 10, SANS Top 25 and CWE. For Java, it adds framework-aware scanning for Struts, Spring MVC and Spring JDBC, among others. Note that while many tools analyze locally for IDE integration, Snyk's IDE plug-in uploads your source to Snyk's service for analysis and displays the returned results. Understand how a tool handles your code before adopting it, so that it meets your security, privacy and data-residency requirements.

Snyk integrates directly into your build pipeline to run security scans against every pull request, with quality gates determining whether the pull request can proceed. Unfortunately, Snyk does not provide inline pull request decoration; instead it links to the Snyk website for details about any SAST issues found. At the time of writing, this feature is in closed beta, so check its status if it matters to your decision.

TeamScale