Code Quality Tools
Powered by Infaum Educational Technology
Anju ML
Here we discuss two important code quality tools: SonarQube and FindBugs.
SonarQube
NOTE: Sonar Logo is taken from its official site
• Sonar is an open source platform for continuous inspection of code quality.
• Static code analysis for Java.
• It is developed with one main objective in mind: make code quality management accessible to everyone with minimal effort.
• Sonar provides code analyzers, reporting tools, defect-hunting modules and TimeMachine as core functionality.
Sonar - All in one
NOTE: Above image is taken from its official site
• Design and architecture – minimize dependencies
• Duplications – isolate and refine duplications (Don't Repeat Yourself)
• Unit tests – write unit tests, especially for complex parts of the software
• Complexity – equalize disproportionately distributed complexity among components; eliminate complexity where possible
• Potential bugs – eliminate code violations to prevent vulnerabilities
• Coding standards – respect coding standards and follow best practices
• Documentation and comments – provide documentation, especially for the public API and the source code
NOTE: DRY (Don't Repeat Yourself) is a programming principle aimed at reducing repetition of code.
How does Sonar work?
Sonar is built on a simple and flexible architecture that consists of three components:
• A set of source code analyzers that are grouped in a Maven plugin and triggered on demand. The analyzers use configuration that is stored in the database.
• A database that stores the results of analysis, projects and global configuration, and also keeps historical analyses for TimeMachine.
• A web reporting tool used to display code quality dashboards on projects, hunt for defects, check TimeMachine and configure analysis.
What does Sonar provide?
• Quality profiles
• Dashboards
  o A consolidated view that shows all projects
  o Project dashboards are also available at module and package level
• Hunting tools
• TimeMachine
  o TimeMachine is used to watch the evolution of a project and replay the past, as it records versions of the project.
FindBugs
NOTE: FindBugs Logo is taken from its official site
• FindBugs is a program to find bugs in Java programs.
• FindBugs is platform independent, and is known to run on GNU/Linux, Windows, and Mac OS X.
• It uses static analysis on Java code.
  – Static analysis is a way to inspect code without executing the program.
• It works on byte code rather than source code.
• The tool inspects Java byte code, which is saved in the form of compiled class files, to detect occurrences of bug patterns.
Bug patterns
• Bug patterns are checklist items for possible problems in the Java source.
• The patterns are categorized by the list below:
  – Malicious code vulnerability – code that can be maliciously altered by other code.
  – Dodgy – code that can lead to errors.
  – Bad practice – code that violates the recommended coding practices.
  – Correctness – code that might give different results than the developer intended.
  – Internationalization – code that can inhibit the use of international characters.
  – Performance – code that could be written differently to improve performance.
  – Security – code that can cause possible security problems.
  – Multithreaded correctness – code that could cause problems in a multi-threaded environment.
  – Experimental – code that could miss cleanup of streams, database objects, or other objects that require a cleanup operation.
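As an added illustration (not part of the original slides), the class below shows what two of the categories above look like in Java source: the "Malicious code vulnerability" patterns FindBugs reports as EI_EXPOSE_REP, EI_EXPOSE_REP2 and MS_MUTABLE_ARRAY, and the "Security" pattern SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE. Each flagged member is written next to the form FindBugs accepts. The class name, method names and the `users` table are constructed for this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Constructed example: each "Flagged" member triggers a FindBugs warning;
// the "Fixed" member next to it is the form FindBugs accepts.
public final class BugPatternDemo {

    // --- Malicious code vulnerability: MS_MUTABLE_ARRAY ---
    // Flagged: a public static final array is still mutable, so any caller
    // can overwrite ROLES_FLAGGED[0] for every other user of the class.
    public static final String[] ROLES_FLAGGED = {"user", "admin"};

    // Fixed: keep the array private and publish an unmodifiable view.
    private static final String[] ROLES = {"user", "admin"};
    public static final List<String> ROLES_VIEW =
            Collections.unmodifiableList(Arrays.asList(ROLES));

    private final byte[] secret;

    // --- Malicious code vulnerability: EI_EXPOSE_REP2 ---
    // The flagged form would be "this.secret = secret;": the caller keeps a
    // reference to the array and can change the stored value later.
    // Fixed: defensive copy on the way in.
    public BugPatternDemo(byte[] secret) {
        this.secret = secret.clone();
    }

    // --- Malicious code vulnerability: EI_EXPOSE_REP ---
    // Flagged: returns the internal array, so callers can mutate this
    // object's private state through it.
    public byte[] getSecretFlagged() {
        return secret;
    }

    // Fixed: defensive copy on the way out.
    public byte[] getSecret() {
        return secret.clone();
    }

    // --- Security: SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE ---
    // Flagged: the query text is assembled from caller-supplied input.
    public static boolean userExistsFlagged(Connection conn, String name)
            throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Fixed: constant query text, input bound as a parameter.
    public static boolean userExists(Connection conn, String name)
            throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Demonstrates the EI_EXPOSE_REP damage without a database: writing
    // through the leaked array changes the object's private state, while
    // writing to the defensive copy does not.
    public static void main(String[] args) {
        BugPatternDemo demo = new BugPatternDemo(new byte[] {1, 2, 3});

        byte[] leaked = demo.getSecretFlagged();
        leaked[0] = 99;                      // writes through to demo.secret

        byte[] copy = demo.getSecret();
        copy[0] = 42;                        // only the copy changes

        System.out.println("secret[0] after writing via flagged getter: "
                + demo.getSecret()[0]);
        System.out.println("secret[0] after writing via copy: "
                + demo.getSecret()[0]);
    }
}
```

Running FindBugs on the compiled class reports the flagged members under the "Malicious code vulnerability" and "Security" categories; the fixed members produce no report, which is the quickest way to confirm a remediation actually addresses the pattern rather than just moving it.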
FindBugs Results
Warnings reported by FindBugs are categorized into:
• Relevant positive – a bug that the developers must fix or should fix.
• Irrelevant positive – a bug, but one that is irrelevant to the program and does not need to be fixed.
• False positive – not a bug.
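An added example, not from the slides, of recording the triage above in the code itself so the decision survives in the build rather than in someone's memory. It assumes the FindBugs annotations jar (package edu.umd.cs.findbugs.annotations) is on the classpath. The class and its fields are constructed: the DM_DEFAULT_ENCODING warning (FindBugs' "Internationalization" category) is treated as a relevant positive and fixed, while the URF_UNREAD_FIELD warning on a field assumed to be read by a serialization framework through reflection is treated as an irrelevant positive and suppressed with a written justification.

```java
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.nio.charset.StandardCharsets;

// Constructed example of recording FindBugs triage decisions in source.
public final class AuditRecord {

    private final String message;

    // Irrelevant positive: FindBugs reports URF_UNREAD_FIELD because nothing
    // in this class reads the field. It is assumed here to be read by a
    // serialization framework through reflection, so the warning is
    // suppressed with a justification instead of being silently ignored.
    @SuppressFBWarnings(
            value = "URF_UNREAD_FIELD",
            justification = "Read reflectively by the serialization framework (assumed)")
    private final long createdAt;

    public AuditRecord(String message) {
        this.message = message;
        this.createdAt = System.currentTimeMillis();
    }

    // Relevant positive, flagged form: DM_DEFAULT_ENCODING. The bytes depend
    // on the platform's default charset, so the same record serializes
    // differently on different machines.
    public byte[] toBytesFlagged() {
        return message.getBytes();
    }

    // Relevant positive, fixed: name the charset explicitly.
    public byte[] toBytes() {
        return message.getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        AuditRecord r = new AuditRecord("login ok: ünïcode");
        System.out.println("default charset bytes: " + r.toBytesFlagged().length);
        System.out.println("UTF-8 bytes:           " + r.toBytes().length);
    }
}
```

The justification string is the part worth enforcing in review: a suppression without one is indistinguishable from a warning that was simply hidden, and re-running FindBugs after the change shows which of the two warnings was actually removed by a fix and which remains only as a documented decision.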
• My conclusion from this is that using FindBugs is definitely worthwhile. I plan to roll it out to all my Java projects and integrate it into the automated builds so that the FindBugs results are also available from the continuous integration server.