Reviewing Java source code on a regular basis is a really good idea. All programmers take shortcuts in writing code. Shortcuts save time and usually go unnoticed…until something breaks at the wrong time. Besides catching pitfalls in code, java code analyzers can help keep coding consistent on a project. Running a code style analyzer on code can help ensure a team is formatting their code all the same way. Thankfully, the open-source community has produced many java source code analyzers for catching problems or conventions before they reach a critical state. Three open-source static analyzers stand out; PMD, Checkstyle and FindBugs.
PMD
PMD is an extremely useful tool for analyzing source code. According to the project website, it ‘scans source code and looks for potential problems, possible bugs, unused and suboptimal code, overcomplicated expressions and duplicate code’. PMD comes with a huge set of rules that can analyze many different things in java code. To name a few:
– Empty try/catch blocks
– Over-complicated expressions
– Using .equals() instead of ‘==’
– Unused variables and imports
– Unnecessary loops and if statements
– Enforce naming conventions
Additionally, PMD comes with a copy-paste detector to find blocks of copied and pasted code. Best of all, custom PMD rules are easily written with XPath and a GUI included with the software.
Out of the box, reports from PMD are transformed with XSLT into HTML reports. A custom XSLT transformation can be written to cater to specific needs.
Here’s the result of running just 3 PMD rulesets on Apache Tomcat’s source. There were just under 10,000 problems found.
FindBugs
FindBugs is another static code analyzer very similar to PMD. The biggest difference between PMD and FindBugs is that FindBugs works on byte code, whereas PMD works on source code. FindBugs can find things like:
– Improper use of .equals() and .hashCode()
– Unsafe casts
– When something will always be null
– Possible StackOverflow
– Possible ignored exceptions
There is a lot of overlap between FindBugs and PMD. Because of the limitations of working with byte code or source code, each excels in their own area. They compliment each other but are not the same thing.
Here’s the FindBugs GUI after running through the Apache Tomcat lib.
Checkstyle
Checkstyle is a tool for analyzing coding style and conventions. It’s not going to stop any rouge exceptions, but it will give feedback on how the code is put together. Checkstyle is useful to ensure java code is being written right. Here are some things Checkstyle will catch:
– Missing/improper Javadoc
– Whitespace
– Placement of braces and parentheses
– Line length
– Naming conventions
Checkstyle is most different from PMD and FindBugs. While it has checked for things like empty catch blocks and .equals() vs ‘==’, the main focus of the project is ensuring the coding style adheres to a set of conventions.
Here’s a small snippet of check style being run on Apache Tomcat’s source. Unfortunately, the project does not come with any XSLT renderers. However, the output can be directed into an XML file and a custom renderer could be made.
Final Thoughts
Arguably, PMD, FindBugs, and Checkstyle are the most popular open-source Java code analyzers out there today. There is a good amount of overlap between them, but each provides a unique service. The ideal static code analyzer would combine PMD, FindBugs, and Checkstyle, so all aspects of coding practice could be covered.
One open-source project bears mentioning – Sonar. Without any heavy experimenting, Sonar wraps PMD, FindBugs, and Checkstyle into one package, plus more. A big drawback to Sonar is that it requires a database and hosting on a web server. PMD, FindBugs, and Checkstyle can be downloaded and running on source code in less than five minutes.
Regardless of what software package is used, running a static code analyzer is a great idea for java projects. Not only do they enforce project-wide coding standards, but they help prevent buggy code from reaching a critical environment. Best of all, some of the best java source code analyzers are open source.