Best Java static code analysis tools for code quality automation

One of the best ways to protect your software project from avoidable bugs is the use of Java static code analysis tools. These tools can help identify and fix problematic code before it reaches production.

Let's look at five popular Java static code analysis tools that can be used to test code from a number of different angles.

Checkstyle

As software development teams expand, it becomes increasingly more important to properly define a style guide and enforce coding standards within your enterprise. The Java static code analysis tool Checkstyle will automate this process.

Checkstyle enforces rules that are simple and, when violated, easily fixed with an IDE such as NetBeans or Eclipse to reformat the code. Violations that fall into this category include wildcard imports and whitespace usage around generic tokens.

Checkstyle also includes a set of rules that dig deeper into the code base, identify software design problems and common coding errors. Some examples that fall into this latter category include not implementing the MagicNumber anti-pattern or failing to design for class extension. Developers can get instant feedback about changes to the quality of the code they write when they integrate the Checkstyle plugin into Jenkins or Maven builds.

Checkstyle code quality report
The Java static code analysis tool Checkstyle report on code quality.

PMD

PMD, often referred to as the programmer mistake detection tool, examines uncompiled Java source code and compares it against a repository of known anti-patterns and common mistakes. After a Java static code analysis runs, PMD provides a report of the offending lines of code.

PMD can identify common problems such as the hard coding of passwords and IP addresses, the use of a traditional for loop where a forEach loop would make more sense and code that seems to implement the God Class anti-pattern or violates the Law of Demeter.

FindBugs

While PMD works on source code, the FindBugs tool looks for code smells in compiled Java code. This Java static code analysis tool sifts through bytecode and finds sources of potential errors and security vulnerabilities via identification of coding errors such as:

  • a Thread.sleep() method held within a lock;
  • final classes that have protected fields;
  • self-assignments of local variables; and
  • redundant comparisons of null values.

FindBugs combined with PMD provides a powerful set of Java static code analysis tools.

JaCoCo

JaCoCo is a Java tool concerned with test coverage. It takes a look at your unit tests and generates a report that describes how much of your source code is covered. Organizations can then set code coverage rules in their build and integration tools, and specify that if a class, module or project doesn't meet a certain code coverage threshold, it won't be moved into production.

JaCoCo also calculates the McCabe cyclomatic complexity score for each method examined, which helps to identify code that will likely be difficult to troubleshoot and maintain.

JaCoCo report
Report from the JaCoCo Java code quality test tool.

Open source JaCoCo plugs into Eclipse and easily integrates into Jenkins pipeline builds. A unit test tool such as JaCoCo is essential for organizations that want to ensure that they test every line of code put into production.

Another popular tool for code coverage and cyclomatic complexity identification is Cobertura.

SonarQube

SonarQube advocates testing software applications on these seven axes of quality:

  1. Enforce coding standards.
  2. Identify and eliminate bugs.
  3. Properly document the solution.
  4. Eliminate copy-and-paste type code duplication.
  5. Reduce code complexity.
  6. Enforce complete code coverage.
  7. Enforce commonly accepted design strategies.
SonarQube quality report
Sample report from the SonarQube Java code quality tool.

SonarQube does this because it builds upon PMD, Findbugs and Checkstyle. It also includes other open source plugins -- such as Cobertura -- along with a good deal of custom code, to provide a static code analysis tool dashboard. SonarQube adds a number of reporting features that allow teams to track progress over time, and it provides immediate insight into whether a project's internal quality improves or deteriorates as development continues.

Java static code analysis tools list
Checkstyle Enforces coding standards such as whitespace usage, bracket alignment and tabbed indentations.
PMD Evaluates source code for common programming mistakes, such as variables that are never initialized, blocks of code that cannot be reached and outdated coding structure usage.
FindBugs Evaluates compiled Java code and informs the user of potential security flaws or performance problems. Two examples include synced threads inside a lock and public exposure of variables when they should be private.
JaCoCo A Java code quality tool that performs code coverage tests. It also reports on the cyclomatic complexity of code, an indicator that code will be difficult to troubleshoot and maintain.
SonarQube An open source suite of Java static code analysis tools that combines the features of tools such as FindBugs and PMD. It provides an easy-to-use dashboard and maintains a history to help track Java code quality over time.

Every developer wants to produce high-quality Java code, but tight deadlines and short sprints sometimes result in a loss of focus. With Java static code analysis tools integrated into the build and deploy process, developers can be confident that inadvertent errors won't make their way into a production release.

View All Videos