Open Source Java Static Code Analyzers: PMD vs FindBugs vs Checkstyle

Reviewing java source code on a regular basis is a really good idea. All programmers take shortcuts in writing code. Shortcuts save time and usually go unnoticed…until something breaks at the wrong time. Besides catching pitfalls in code, java code analyzers can help keep coding consistent on a project. Running a code style analyzer on code can help ensure a team is formatting their code all the same way. Thankfully, the open source community has produced many java source code analyzers for catching problems or conventions before they reach a critical state. Three open source static analyzers stand out; PMD, Checkstyle and FindBugs.

PMD

PMD is an extremely useful tool in analyzing source code. According to the project website, it ‘scans source code and looks for potential problems, possible bugs, unused and suboptimal code, over-complicated expressions and duplicate code’. PMD comes with a huge set of rules that can analyze many different things in java code. To name a few:

– Empty try/catch blocks

– Over-complicated expressions

– Using .equals() instead of ‘==’

– Unused variables and imports

– Unnecessary loops and if statements

– Enforce naming conventions

Additionally, PMD comes with a copy-paste detector to find blocks of copied and pasted code. Best of all, custom PMD rules are easily written with XPath and a GUI included with the software.

Out of the box, reports from PMD are transformed with XSLT into HTML reports. A custom XSLT transformation can be written to cater to specific needs.

Here’s the result of running just 3 PMD rulesets on Apache Tomcat’s source.  There were just under 10,000 problems found.

FindBugs

FindBugs is another static code analyzer very similar to PMD.  The biggest difference between PMD and FindBugs is that FindBugs works on byte code, whereas PMD works on source code. FindBugs can find things like:

– Improper use of .equals() and .hashCode()
– Unsafe casts
– When something will always be null
– Possible StackOverflows
– Possible ignored exceptions

There is a lot of overlap between FindBugs and PMD. Because of the limitations of working with byte code or source code, each excels in their own area. They compliment each other, but are not the same thing.

Here’s the FindBugs GUI after running through the Apache Tomcat lib.

Checkstyle

Checkstyle is a tool for analyzing coding style and conventions. It’s not going to stop any rouge exceptions, but it will give feedback on how the code is put together. Checkstyle is useful to ensure java code is being written right. Here are some things Checkstyle will catch:

– Missing/improper javadoc
– Whitespace
– Placement of braces and parentheses
– Line length
– Naming conventions

Checkstyle is most-different from PMD and FindBugs. While it has checks for things like empty catch blocks and .equals() vs ‘==’, the main focus on the project is ensuring the coding style adheres to a set of conventions.