Static Code Analysis

Definition

From Wikipedia:

Static program analysis is the analysis of computer software that is performed without actually executing programs

SonarQube

SonarQube: http://www.sonarqube.org/

Why Static Code Analysis

• Help identify bugs early
• Eliminate code duplication
• Maintain Code Formatting within teams
• Test Coverage Metrics

             PMD

• Empty statements - try/catch and/or if/else blocks

• Unused variables

• Duplicated code

• All the above is achieved through RuleSets.

• XPath based PMD Rulesets: http://pmd.sourceforge.net/pmd-4.3.0/rules/index.html

FindBugs

• Overlaps with PMD but requires compiled code

• Checks for equals() and clone() method

• Unsafe casting

• Consumes a lot of memory

Checkstyle

• Concentrates more on code formatting

• Examines code comments

• Checks for unused imports

• Can also check for whitespace in code

• Uses code style rules recommended by Sun and Google

What to use?

• Use everything 
• Combine PMD + FindBugs to identify potential bugs
• Use Checkstyle for code formatting

SonarQube

SonarQube (formerly Sonar[1]) is an open source platform for continuous inspection of code quality.

Build Plugins available for:

• Maven
• Gradle
• Jenkins

Sonar Plugins

• PMD  - Source Code Analyzer
• FindBugs - Bytecode source anaylzer 
• Checkstyle - Enforce Coding Standards
• Sonar Way - SonarQube implementation of the above

What about testing?

Sonar uses the test reports generated from your builds to determine how much code coverage is available. Sonar can parse Surefire, JaCoCo, Clover test reports amongst others.

Static Analysis for

• Plugin available for JS
• Fully supports EMCAScript 6
• Code Coverage from JS testing tools: Karma, Istanbul

SonarQube Dashboard

http://sonar.hyattdev.com

SonarQube IDE Plugins

• Eclipse/STS
• IntelliJ IDEA
• Webstorm

What's Next?

• A Unified Coding standard
• How much code coverage we need
• Make Sonar part of our build process
• Static Analysis for JS?