Does this sound familiar to you?
At this stage you don't perform code review at all, or peer review is done without any tool support. That means you write the code and rely on your own knowledge, or that of a peer or team lead, to keep it up to the quality standards you are expected to meet. That can never produce a consistent outcome. So now you are looking for a better option, or you have been told that a tool could point out the problems in the code and maybe how to fix or improve them...
What is a static code analyzer tool?
- A tool which scrutinizes code artifacts (without executing the program) for a given purpose, such as reviewing for:
  - coding conventions,
  - coding standards,
  - potential bugs,
  - performance issues,
  - security flaws,
  - concurrency issues,
  - cyclic dependencies...
- Ideally, such tools find the common problems in the code with a high degree of confidence that what is found is indeed a flaw. On top of that, a few tools also recommend solutions for the identified problems/flaws.
- Most Java code analyzer tools are designed to integrate into the Eclipse IDE (as it is widely used), so immediate feedback can be given to the Java developer during the development cycle itself.
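As an added example (not code from this post or from any of the tools it names), the small Java class below pairs three of the flaw categories listed above, a security flaw, a potential bug and a concurrency issue, with the form that removes each finding; the class and method names are constructed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.concurrent.atomic.AtomicInteger;

// Constructed example: each method pair shows a pattern that static analyzers
// report next to the form that no longer triggers the finding.
public class AnalyzerFindings {

    // Security flaw: caller-supplied text concatenated into SQL. Find Security
    // Bugs and the Checker Framework's tainting checks report this pattern.
    static ResultSet findUserUnsafe(Connection c, String name) throws SQLException {
        Statement st = c.createStatement();
        return st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
    }

    // Fix: a bound parameter keeps the input out of the SQL grammar entirely.
    static ResultSet findUserSafe(Connection c, String name) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // Potential bug: reference comparison of Strings, which only works by
    // accident when both sides are interned literals (FindBugs reports this
    // as ES_COMPARING_STRINGS_WITH_EQ).
    static boolean isAdminUnsafe(String role) {
        return role == "admin";
    }

    // Fix: value comparison; putting the literal first also makes it null-safe.
    static boolean isAdminSafe(String role) {
        return "admin".equals(role);
    }

    // Concurrency issue: unsynchronized read-modify-write on a shared field,
    // the data race that thread-safety analyzers look for.
    private int hitsUnsafe = 0;
    void recordHitUnsafe() { hitsUnsafe++; }

    // Fix: an atomic counter makes the increment a single indivisible step.
    private final AtomicInteger hitsSafe = new AtomicInteger();
    void recordHitSafe() { hitsSafe.incrementAndGet(); }
}
```

Running Checkstyle, PMD or FindBugs over a class like this is a quick way to confirm that a candidate tool actually reports the categories your project cares about before you commit to it.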
A few parameters to consider when scoping code analyzer tools
Not every tool fits your project environment. So first of all you need to check the features of the candidate tools against the parameters that apply to your project's needs. Then you should set the tool up and try it in practice to see whether it delivers the envisioned benefits. You can consider some of the parameters below when scoping code analyzer tools for a project.
- Purpose -
  - Do you want to ensure overall code quality management?
  - Do you need to audit code for a specific area such as security, performance or multi-threading?
- Supported platform / language / developer's IDE -
  - Windows, Linux, other?
  - Java, .NET, other?
  - Does it only support the Eclipse IDE or others too? Can it run in standalone mode?
- Supported type of artifacts -
  - Does it work with source code?
  - Can it run against binaries (class files) instead of source?
  - Can it work with build artifacts (jar, war, ear)?
- Ease of setup / learning curve -
  - Is it easy to set up, or does it require complex manual configuration?
  - Can a new user learn and use the tool easily, or is specialized training needed?
- License cost -
  - Free or open source?
  - Commercial (sold as perpetual, floating, per user, per application, per organization...)?
My Favorite Tools for Java
Below are some of my favorite static code analyzer tools; I will cover each of them in a separate post.

| Tools | When to use? |
| --- | --- |
| Checkstyle, PMD, FindBugs (all are free) --- Click to read my post on "Checkstyle, PMD, FindBugs - Are those alternatives or not?" | |
| Codepro Analytix (free) --- Click to read my post on "Why Codepro Analytix is premium eclipse plugin for java developers?" | |
| SonarQube (free + commercial) --- Click to read my post on "Is SonarQube for developer or manager or architect?" | |
| JArchitect (commercial) --- Click to read my post on "Why is JArchitect distinctive static code analysis tool for Java?" | |
| Find Security Bugs (free) | |
| EclEmma (free), eCobertura (free) | |
Below are some other interesting code analyzer tools. In the past I evaluated their basic features, so I do not plan to cover them in separate posts for now. Based on that initial look, I recommend trying any of them if you get the opportunity.
- Architecture and quality management solutions/tools, which help to understand and improve the structure of very large and complex software systems
  - Stan4j (commercial)
  - Lattix for Java (commercial)
  - Structure101 (commercial)
  - hello2morrow products (commercial)
  - Sonatype CLM (commercial) - for component lifecycle management
- Code coverage tools
  - Crap4j (free) - Java implementation of the CRAP (Change Risk Analysis and Predictions) software metric, which combines cyclomatic complexity with code coverage from JUnit tests. Integrates with Eclipse and Ant.
  - Emma (free) - Supported coverage types are class, method, line and basic block. Can be executed via the command line and Ant.
  - Cobertura (free) - Supports both line and branch coverage. Can be executed via the command line, Ant and Maven.
  - Clover (commercial) - Apart from Java, supports Groovy too. Integrates with well-known IDEs, build and CI tools.
- Miscellaneous
  - Contemplate ThreadSafe (commercial) - Java code audit tool for multi-threaded applications, which helps developers detect data races, deadlocks and other concurrency problems in Java source code.
  - CheckThread (free) - Java static code analysis tool for multi-threaded applications, which helps to catch Java concurrency bugs at compile time.
  - Checker Framework (free) - a pluggable Java type checking tool that warns about certain errors, or guarantees that they do not occur, such as null pointer exceptions, unintended side effects, SQL injections, concurrency errors, mistaken equality tests, and other run-time errors that appear during testing or in the field. A Checker Eclipse plugin is also available.
  - Class Dependency Analyzer (free) - a tool for dependency analysis among classes.
  - BundleMaker (free) - an Eclipse plugin for Dependency Structure Matrix analysis.
  - CodeAnalyzer (free) - produces source file metrics, including the ratio of total lines vs. code lines vs. comments vs. white space; supports html, java, c and c++ file extensions.
Updates History
- 28/Dec/2014 - Added JArchitect in my favorite tools section.
I don't aim to exploit the code of any open source project or sample application when I share my evaluation feedback on a given tool using selected publicly available code. Also I am not biased towards particular free or commercial tools; rather, my objective is to share my own experience with a set of tools.
Also Refer
Completely agree. This blog nicely explains all aspects of code analysis and the benefits of static code analysis. Thanks for sharing an informative blog.