What is static program analysis?
Static analysis provides testing against code bases and binaries without the execution of any code. IDEs do this too by highlighting areas of code they do not like. Ensuring code quality and identifying issues without running the code can save a huge amount of time for your team; we recommend using CheckStyle, PMD and Findbugs in conjunction to achieve full coverage.
What do the plugins do and why should I use all three?
CheckStyle ensures “programmers write Java code that adheres to a coding standard” in Java. Using it will allow you to define and enforce good coding practices for a project.
PMD is a cross-language tool that “finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth”.
Using FindBugs allows teams to “inspect Java bytecode for occurrences of bug patterns”. Identifying and flagging unused private methods, potential null occurrences and other key issues becomes trivial.
Integrating static analysis into Maven
Maven provides plugins for all three tools which can be nested in the pom.xml of a Maven project. Configurations for the plugins can be adapted to suit the team’s needs and can be further adapted via rule-sets.
The plugin definition is clean and simple to read. In this case, the configuration section says that a violation will fail the build and to include test directories in the static analysis. Defining the plugin’s phase of execution and goal is possible in the ‘executions’ section. We’ll take a look into phases in the next section.
The setup for each of the tools are generally very similar with naming conversions that might differ slightly from one to another. All possible Maven configurations and executions are documented for each of the plugins and can be found by following these links: CheckStyle, PMD, FindBugs. The full plugin setup will look something like this:
Static analysis and the Maven Lifecycle
The Maven Lifecycle is the order in which tasks execute when building a Maven project. The sub-sections of each phase (light blue in the image) show the underlying actions in a certain phase.
The tools provide different functionality and can require different aspects of the code they are running against. FindBugs runs against binaries requiring the compiled source code whereas PMD and CheckStyle do not. This means that the latter two can operate at earlier sections of the cycle while FindBugs must operate after the compile phase.
Optimising static analysis in the Lifecycle
Choosing where to execute static analysis tests will depend on how the team wants to implement them. For instance, at IDRsolutions we currently execute PMD and CheckStyle during the validate phase. This allows the build process to highlight any violations and fail the build prior to the compile phase. We can then easily know if our new code conforms to our rule-sets without going through the entire cycle.
It is best to know exactly what your team requires and plan the Lifecycle accordingly in order to get the fastest feedback. For some teams, this will be quick feedback on structure, for others it might be quick feedback on compilation and ensuring FindBugs rules are followed.
If build speed is a key factor, the maven-buildtime-extension plugin will display how long certain parts of the Lifecycle take in your build. This is useful for seeing how changes affect build time.
How does your team implement static analysis? Let us know and we might adapt your configuration ideas!