Saturday 11 January 2014

Java power tools series - Static Code Analyzers - Preface

I hope you have already read the "Preface" of my Java power tools series.

Does this sound familiar to you?
At this stage you don't perform code review at all, or peer review is performed without any tooling. That means you write the code and rely on your own knowledge, or that of a peer or team lead, to ensure the code meets the accredited quality standards. This can never produce a consistent outcome. So now you are looking for a better option, or you have been hinted that you should use a tool that tells you what the problems in the code are and maybe how to fix or improve them...

What is static code analyzer tool?

  • A tool that scrutinizes code artifacts (without executing the program) for a given purpose, such as reviewing for
    • coding conventions,
    • coding standards,
    • potential bugs,
    • performance issues,
    • security flaws,
    • concurrency issues,
    • cyclic dependencies...
  • Ideally, such a tool finds the common problems in the code with a high degree of confidence that what is found is indeed a flaw. On top of that, a few tools also recommend solutions for the identified problems/flaws.
  • Most Java code analyzer tools are designed to integrate into the Eclipse IDE (as it is widely used), so immediate feedback can be given to the Java developer during the development cycle itself.


Few parameters to consider for the scoping of code analyzer tools
Not every tool fits your project environment. So first of all you need to check the features of the selected tools against the parameters applicable to your project's needs. Then you should proceed to set up the tool and try it in practice for the envisioned benefits. You can consider some of the parameters below for the scoping of code analyzer tools for the project.
  • Purpose -
    • Want to ensure overall code quality management?
    • Need to audit code for specific area such as security, performance, multi-threading?
  • Supported platform / language / developer's IDE -
    • Windows, Linux, other?
    • Java, .NET, other?
    • Does it only support Eclipse IDE or other also? Can it run in standalone mode?
  • Supported type of artifacts -
    • Does it work with source code?
    • Can it run against binaries (class files) instead of source?
    • Can it work with build files (jar, war, ear)?
  • Ease of setup / Learning curve -
    • Is it easy to setup or does it require complex manual configuration?
    • Can new user learn and use tool easily or is there a need of specialized training?
  • License cost -
    • Free or Open Source?
    • Commercial (sold as perpetual, floating, per user, per application, per organization...)?


My Favorite Tools for Java
Below are some of my favorite static code analyzer tools; I will cover each of them in a separate post.

Tools - When to use?
  • Checkstyle - Are you looking for a tool to enforce coding conventions and standards in code? Then you can use Checkstyle.
  • PMD - Do you want a tool to detect bad practices in code? Then you can use PMD.
  • FindBugs - Do you need a tool that even finds potential bugs in code for you? Then you can use FindBugs.
  • Checkstyle + PMD + FindBugs - For best results, you should use all three together.
  • Codepro Analytix - I know, you must be thinking: isn't there a single Eclipse plug-in which provides "Checkstyle + PMD + FindBugs" and more, such as code coverage and dependency analysis…? Well, you can consider Codepro Analytix.
  • Codepro Analytix (dependency analysis feature) - Do you want to analyze dependencies at class, package or container level? Do you want to understand dependency (all/direct/indirect) paths using diagrams generated from code? Do you want to find cyclic dependencies? Then you can use the dependency analysis feature of Codepro Analytix.
  • SonarQube + Jenkins - Are you looking for a platform to help you with continuous overall code quality management? Then you can consider SonarQube and Jenkins integration to improve software quality, increase the efficiency of your development teams and extend the longevity of your application. Don't miss reading "deal with developers' seven deadly sins using SonarQube".
  • SonarQube DSM - Do you want to generate a DSM (dependency structure matrix) from code artifacts to manage the dependencies of complex Java applications, removing cycles between packages by cutting undesired dependencies? Then you can use SonarQube DSM.
  • JArchitect - Are you looking for an easy-to-use tool to help you manage a complex Java code base, achieve high code quality and perform an architecture evaluation of existing or legacy Java software for refactoring / re-engineering / migration / modernization? Then JArchitect can provide you immense benefits through its interactive CQLinq (code query LINQ), visualized diagrams, comprehensive reports and other features. Don't miss watching the 3 minute demo of JArchitect.
  • Find Security Bugs, Eclipse LAPSE+ - You are working on a web or J2EE application in which security is the most critical parameter. So are you thinking about a tool to audit for known security problems and help you fix them? Then you can consider the Find Security Bugs or Eclipse LAPSE+ tools.
  • EclEmma (free), eCobertura (free) - You write unit test code (i.e. JUnit) and want to audit the quality of test coverage? Then perform code coverage analysis (a measure used to describe the degree to which the source code of a program is tested by a particular test suite) directly in the Eclipse IDE using the EclEmma or eCobertura plug-ins.
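To make concrete what the tools above actually report, here is an added example (it is not from the original post, nor from any of the tools' own documentation): a hypothetical Java class containing three defects of the kinds listed under "What is static code analyzer tool?" (a potential bug, a security flaw of the sort Find Security Bugs audits for, and a concurrency issue), each beside its corrected form. The detector names in the comments are the ones FindBugs and PMD use for these patterns; the class and method names are invented for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Hypothetical class (added example) showing defect categories a static
 * analyzer reports, each beside a corrected form. Compile and run with:
 *   javac AnalyzerFindings.java && java AnalyzerFindings
 */
public class AnalyzerFindings {

    // --- 1. Potential bug: string compared by reference ------------------
    // FindBugs reports this as ES_COMPARING_STRINGS_WITH_EQ: == compares
    // object identity, so an equal string built at runtime is "different".
    static boolean isAdminBuggy(String role) {
        return role == "admin";
    }

    // Corrected form: compare content, literal first so a null role is safe.
    static boolean isAdmin(String role) {
        return "admin".equals(role);
    }

    // --- 2. Security flaw: SQL built by string concatenation --------------
    // Find Security Bugs flags the concatenated query: untrusted input
    // becomes part of the statement text (the classic SQL injection shape).
    // PMD's CloseResource rule additionally notes the Statement is never closed.
    static ResultSet findUserVulnerable(Connection conn, String name) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id FROM users WHERE name = '" + name + "'");
    }

    // Corrected form: a parameterised query, so the input can only be data,
    // and try-with-resources closes the statement and result set.
    static int findUserId(Connection conn, String name) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : -1;
            }
        }
    }

    // --- 3. Concurrency issue: broken double-checked locking -------------
    // FindBugs reports this as DC_DOUBLECHECK: without volatile, a thread may
    // observe a non-null reference to a not yet fully constructed Config.
    private static Config unsafeInstance;

    static Config getConfigUnsafe() {
        if (unsafeInstance == null) {
            synchronized (AnalyzerFindings.class) {
                if (unsafeInstance == null) {
                    unsafeInstance = new Config();
                }
            }
        }
        return unsafeInstance;
    }

    // Corrected form: the holder idiom relies on class initialisation, which
    // the JVM guarantees to be thread-safe, so no explicit locking is needed.
    private static final class ConfigHolder {
        static final Config INSTANCE = new Config();
    }

    static Config getConfig() {
        return ConfigHolder.INSTANCE;
    }

    /** Stand-in for some application configuration object. */
    static final class Config { }

    public static void main(String[] args) {
        // new String(...) creates a distinct object, which is exactly the case
        // where the reference comparison and the content comparison diverge.
        String role = new String("admin");
        System.out.println("role == \"admin\"      : " + isAdminBuggy(role));
        System.out.println("\"admin\".equals(role) : " + isAdmin(role));
    }
}
```

Running the analyzers over this class is the point of the exercise: Checkstyle would comment on style only, PMD and FindBugs report the first and third defects, and Find Security Bugs reports the second; the corrected methods alongside them produce no such findings.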


Few good to know
Below are some interesting code analyzer tools. In the past I evaluated only their basic features, and hence I do not aim to cover them in separate posts for now. Based on my initial knowledge, I recommend trying any of them if you get the opportunity.
  • Sonatype CLM (Commercial) - for component lifecycle management
  • Code coverage tools
    • Crap4j (free) - Java implementation of the CRAP (Change Risk Analysis and Predictions) software metric, which combines cyclomatic complexity and code coverage from JUnit tests. Integrated with Eclipse and Ant.
    • Emma (free) - Supported coverage types are class, method, line and basic block. Can be executed via the command line and Ant.
    • Cobertura (free) - Supports both line and branch coverage. Can be executed via the command line, Ant and Maven.
    • Clover (commercial) - Apart from Java, supports Groovy too. Integrates with known IDEs, build and CI tools.
  • Miscellaneous
    • Contemplate ThreadSafe (commercial) - Java code audit tool for multi-threaded applications, which helps to improve developers' ability to detect data race errors, deadlocks and concurrency problems in Java source code.
    • CheckThread (free) - Java static code analysis tool for multi-threaded applications, which helps to catch Java concurrency bugs at compile time.
    • Checker Framework (free) - a pluggable Java type checking tool that warns about certain errors, or gives a guarantee that those errors do not occur, such as null pointer exceptions, unintended side effects, SQL injections, concurrency errors, mistaken equality tests, and other run-time errors that appear during testing or in the field. A Checker Eclipse plugin is also available.
    • Class Dependency Analyzer (free) - a tool for dependency analysis among classes.
    • BundleMaker (free) - an Eclipse plugin for Dependency Structure Matrix.
    • CodeAnalyzer (free) - produces software source file metrics including the ratio of total lines vs. code lines vs. comments vs. white space; supports html, java, c and c++ file extensions.


Updates History

  • 28/Dec/2014 - Added JArchitect in my favorite tools section.


Disclaimer
I don't aim to exploit the code of any open source project or sample application while I share my evaluation feedback on a given tool on selected publicly available code. Also, I am not biased toward particular free or commercial tools; rather, my objective is to share my own experience with a set of tools.

Also Refer

1 comment:

  1. Completely agree. This blog nicely explains all aspects of code analysis and the benefits of static code analysis. Thanks for sharing an informative blog.