Java Static Detection Tool/java code specification and quality check Brief introduction

Static check:

Static tests include code checking, static structure analysis, code quality metrics, and so on. It can be done manually, give full play to people's logical thinking advantages, can also be automated with the help of software tools. Code Inspection Code inspection including code walk, desktop inspection, code review, etc., mainly check the consistency of code and design, code to the standards of compliance, readability, the correctness of the logical expression of the code, the rationality of the code structure, etc. can be found in violation of the program writing standards, the program is unsafe, ambiguous and vague parts, Find out the non-portable part of the program, violate the programming style of the problem, including variable check, naming and type review, Program logic Review, program grammar check and program structure check and so on. ”。 Looking at a series of static code scanning or static code analysis tools, summed up the view of the tool: Static code scanning Tool, and the compiler some functions are actually very similar, they also need lexical analysis, grammar analysis, semantic analysis ... But unlike compilers, they can customize a variety of complex rules to analyze the code.

Static Detection tools:

Pmd

• 1) PMD is a code-checking tool that analyzes Java source code to identify potential problems:
  • 1) Potential bug: Empty Try/catch/finally/switch statement
  • 2) Unused code: Unused local variables, parameters, private methods, etc.
  • 3) Optional Code: Abuse of String/stringbuffer
  • 4) Complex expression: an If statement that is not required, a for loop that can be completed using the while loop
  • 5) Duplicate code: Copy/Paste code means copy/paste bugs
• 2) PMD Features:
  • 1) Unlike other analysis tools, PMD learns about code errors through static analysis. In other words, an error is reported without running a Java program.
  • 2) PMD comes with many rules that can be used directly, using these rules to identify many problems with Java source programs
  • 3) Users can also define their own rules to check whether the Java code conforms to certain coding specifications.
• 3) At the same time, PMD has been associated with JDeveloper, Eclipse, JEdit, JBuilder, BlueJ, Codeguide, NetBeans, Sun javastudio enterprise/creator, IntelliJ Idea, TextPad, Maven, Ant, Gel, JCreator, and Emacs are all integrated together.
• 4) PMD rules can be customized: The available rules are not limited to built-in rules. You can add a new rule: You can write the Java code and recompile the PDM, or, more simply, write an XPath expression that will be processed for each Java class's abstract syntax tree.
• 5) using only the PDM built-in rules, PMD can also find some real problems in your code. Some problems may be small, but some may be very large. PMD cannot find every bug, you still need to do unit tests and receive tests, and even PMD cannot replace a good debugger when looking for known bugs.
• However, PMD can really help you find the unknown problem.

Findbugs

• 1) findbugs is an open source static code analysis tool that is based on the LGPL Open source protocol, which allows you to analyze your code without running. Not focusing on style and format, focusing on detecting real bugs and potential performance issues, paying particular attention to the possible suppression of false detection (false positives). The object is checked with bytecode (*.class, *.jar). In addition to individual actions, it can also be used as an Eclipse plug-in and embedded Ant as one of the task's exploits.
• 2) findbugs Self-band Detector Introduction: FindBugs with more than 60 kinds of bad practice,80 correntness,1 species internationalization,12 species malicious code vulnerability,27 species multithreaded correntness,23 species performance,43 species dodgy.
• 3) Some features of findbugs:
  • 1) FindBugs is primarily looking for flaws in the code, which is somewhat different from other similar tools, directly manipulating class files (classes) rather than source code.
  • 2) FindBugs can be run from the command line, various build tools (such as ant, Maven, etc.), a standalone swing GUI, or in the way of the eclipse and NetBeans IDE plugins.
  • 3) The FindBugs output can be either XML or text.
  • 4) Developers can use findbugs in a variety of ways, most often in code analysis of newly written modules and a wider range of analysis of existing code.
  • 5) do not pay attention to style and format, pay attention to the detection of real bugs and potential performance problems, especially attention to the possible suppression of false detection (false positives) occur.
• 4) FindBugs can detect the bug pattern example: Detection Java programing easy to get caught in the bug pattern,equals () implementation of the general Protocol violates the reference to null pointer, Check omission of the return value of method, pre-initialization field access, Multi-thread correctness, inconsistency of concurrent processing, unconditional wait (), code vulnerability, static object that can be changed, return of internal sequence reference, etc.

Checkstyle

• 1) Definition: Checkstyle is a tool for checking Java program source code styles.
• 2) Features:
  • 1) It can effectively help us to review the code to better follow the code writing standards, especially for the team development of each other's style specification and unity.
  • 2) Checkstyle provides high levels of configuration to suit a variety of code specifications, so you can customize your own standards in addition to the few common criteria it provides.
  • 3) Checkstyle provides plug-ins that support most common Ides, and most plugins contain the latest checkstyle, so you don't have to worry about deploying one.
  • 4) Checkstyle can check many aspects of the code, from the traditional point of view, it is mainly used to check the code level, since the third version of its internal architecture has made a major change, many other intent of the detection added, now checkstyle can check the design of the problem like class, duplicate code, A bug pattern such as double check for locks.
• 3) The main process of Checkstyle is:
  • 1) Lexical parsing of Java files and generation of syntax trees.
  • 2) Load configuration file (Checkstyle-metadata.xml and custom configuration file) Register check event.
  • 3) Parse the syntax tree according to the depth-first traversal, and perform a style check (Ast,a child-sibling tree, which is a node in the syntax tree, defined in the Tokentypes Class), according to registered events, when it arrives at certain nodes (AST). ）
  • 4) What we call a custom style check is set in the second step. This involves a class called Com.puppycrawl.tools.checkstyle.api.Check, which we typically need to overload two of these functions: public int[] Getdefaulttokens () and public void Visittoken (Detailast ast). The meaning of these two functions is that, in the process of traversing the syntax tree, each time it arrives at the AST type returned by the Getdefaulttokens function, the program enters Visittoken for specific inspection and analysis, that is, the real analysis check process is implemented in Visittoken.

Hammurapi

• 1) Definition: HAMMURAPI It is an open source code review/Review (review) tool. It can help improve the quality of your Java code. It can analyze code base based on a set of design specifications. When it encounters a violation of the specification, it is identified in the report. Like Checkstyle, it integrates seamlessly with Ant and is driven by an XML-based configuration file.
• 2) Features:
  • 1) HAMMURAPI is used to enforce code design specifications.
  • 2) Hammurapi is a design-following tool that provides an automated and consistent way to implement design specifications, making code reviews more efficient and easy.
  • 3) How HAMMURAPI works: Hammurapi Such code analysis tools have a language parser. A language parser is a tool for inputting language code and outputting an abstract syntax tree. The node on this tree represents the language identifier. For example, consider a simple arithmetic expression: 3+4. The language analyzer parses him into a syntax tree shown in 5. In this tree, the node + represents the operator identifier. Nodes 3 and 4 are operands identified HAMMURAPI using ANTLR (another language recognition tool) as a language analyzer. However, the ANTLR API is fairly low-level. To improve usability, Hammurapi uses another API, based on the ANTLR Jsel (Java source program Engineering Library), to access the abstract syntax tree. Once the tree is built, a tree traversal algorithm is used to access each node in the tree. Each time a node is accessed, a callback mechanism (visitor mode) is used to prompt the appropriate inspector. In these callback methods, the inspector collects relevant information to determine if there is a violation of the specification.

Lint4j

• 1) Definition: lint4j is a Java-based source code analysis tool that can perform static analysis of Java source code and bytecode to determine if there is a deadlock, performance problem, or scalability problem. It can be integrated into any IDE type or build system
• 2) Features:
  • 1) Detection code syntax rules
  • 2) Potential bugs
  • 3) The effect of code mode on the readability and size of codes
  • 4) Detect violation of EJB specification

Sonar

• 1) Definition: Code Quality management tool sonar provides design and architecture metrics. Sonar 2.0 introduces design analysis, architecture, and object-oriented metrics for Java applications, and sonar 2.1 detects unused methods and calls to methods that are not recommended for use. is a perfect code quality checker that integrates checkstyle,pmd,findbugs code validation rules, repetitive code discovery, code test coverage, code comment rate, and all detection rate change tracking. It contains seven aspects of code quality detection
• 2) Features:
  • 1) Code overlay: Through unit tests, you will see which line of code is selected.
  • 2) Improve coding rules.
  • 3) Search Coding rules: Search by name, plugin, activation level and category.
  • 4) Project Search: According to the name of the project query.
  • 5) Compare data: Compare the trend of any measurement in the same table.
  • 6) Unit Test
• 3) Sonar2.1:
  • Sonar also introduced a new rule engine based on squid, the sonar parser can handle both the source code and the bytecode, the parser with built-in rules to detect unused private and protection methods, and the client's calls to methods that are not recommended for use. Squid determines which methods, classes, and attributes are not recommended by analyzing the bytecode of the source code, Java API, and external library.
• New features of Sonar 2.1:
  • 1) A new "Libraries" page that shows all of the libraries and dependencies in the project, which requires MAVEN to build the project. Once a project is selected on the home page of the sonar site, the service displays project dependencies in a visual tree structure. In addition, there is an optional dynamic filter that allows you to filter the library by name to navigate between apps ' dependencies.
  • 2) "Dependencies" page used to search for library usage. For example, you can search for all projects that use a third-party framework such as Commons Logging 1.1.
  • 3) You can extend sonar functionality with a variety of plugins. Now there is a new "system Info" page that shows the systems properties, installed plug-ins, and Java Virtual Machine memory statistics. This page also provides detailed information about sonar configuration and database statistics.
  • 4) A management console for managing installed plug-ins and system information. The latest version of Sonar introduces a test framework and a customized MAVEN life cycle management tool for these plugins. It also comes with a Web service for integrating project events and adds a new measurement module to the project's size widget.

JDepend

• 1) jdepend an open source, an excellent tool that can be used to evaluate the quality of Java programs, traversing the Java class file directory, in the Java package, for each package/class to automatically generate package dependencies, stability, reliability and other evaluation reports, According to these reports, we can obtain the dependency between the package or class, and analyze the stability of the package, the degree of abstraction, whether there is cyclic dependency resistance, etc. According to the report data given by Jdepend, we can analyze whether our package is reliable, stable and robust, and whether it conforms to the object-oriented design principle.
• 2) Features:
  • 1) Evaluate design quality
  • 2) Flip Dependency
  • 3) Support concurrent development and extreme programming
  • 4) stand-alone release module
  • 5) Identification of the package's cyclic dependencies
• 3) The quality evaluation report of Java package generated by depend mainly includes:
  • 1) Number of Classes and Interfaces: How many classes and abstract interfaces are implemented
  • 2) abstractness (A): The abstraction of the package. Refers to an abstract class or interface contained within a package that occupies the weight of the class in the entire package.
  • 3) afferent couplings (Ca): centripetal coupling. The number of external packages (classes) that depend on the package (the contained classes) (i.e. incoming dependencies), the larger the value, the greater the responsibility of the package, and the more stable it is.
  • 4) efferent couplings (Ce): centrifugal coupling. The number of external packages that are dependent on the package (i.e. outgoing dependencies), the larger the value, the more unstable the package is, because it relies on other packages.
  • 5) Instability (I): Measure the degree of instability of a package. i=ce/(CE+CA). Its value is between [0,1]. I=0 when the package is the most stable, and vice versa I=1 that the package is very unstable.
  • 6) Distance from the main Sequence (D): This indicator is mainly used to evaluate the level of abstraction and stability of the package, which can be represented by a two-dimensional straight line graph A + I =.
  • 7) Package Dependency Cycles: The packet's cyclic dependency.

IBM Checking Tool for Bugs Errors and mistakes (abbreviated beam)

• 1) Definition: A static analysis tool developed by IBM that can be used to analyze and find out some of the potential errors in C, C + + and Java code that are not easily found, thus improving the quality of the code. It has some valuable features compared to dynamic analysis tools and other static analysis tools.
• 2) Features:
  • 1) The code is scanned by syntax, and the code is examined and analyzed by the algorithm
  • 2) compare with some bug patterns, and finally indicate the problem area, output the analysis results
  • 3) An additional theorem proving (theorem proving) technique is used to determine if a potential error is a real error, thus reducing the amount of work required by the programmer to determine the authenticity of the error.

LDRA Testbed

• 1) Definition: LDRA testbed provides powerful source code testing and analysis capabilities for application validation and validation, and is a unique quality control tool. It helps to improve the reliability, robustness and zero defect of computer software, and its use brings real savings in time, cost, and efficiency, which cannot be measured. It is a powerful and complete integrated toolkit that enables advanced software analysis technology to be applied at critical stages of the development lifecycle.
• 2) LDRA testbed provides powerful analysis capabilities for two major test areas, static analysis and dynamic analysis.
  • 1) Static Analysis: Parses the code and provides an understanding of the structure of the code.
  • 2) Dynamic Analysis: Using the source code of the plug-in version, the use of test data execution, at run time to discover software defects
• 3) Benefits of using Ldra testbed the cost-efficiency Analysis tool Unit, integration and system testing tools for software development and testing processes throughout the software development lifecycle Ldra testbed application in many different areas process improvement software test software Maintenance
• Advantages of LDRA testbed:
  • Improve software Quality
  • Locating software defects
  • Enforcement of industrial standards
  • Reduce maintenance costs by more than 40%
  • Reduce development and testing costs by more than 75%
  • Improve employee motivation through automated processes

Yasca

• 1) Definition: Yasca is an open source static code analysis tool plug-in framework, integrated popular multi-language static analysis tools such as Findbugs/pmd/jlint/rats/cppcheck, because the plug-in itself is diverse so can support the Java C + + language static analysis. Yasca is a software that is used to look for security vulnerabilities and to detect code quality, performance, and consistency in the program's source code. It integrates other open source projects, including FindBugs PMD, Jlint, Cppcheck, and scans certain file types, as well as custom scan written Yasca which is a command line tool, with reports generated in HTML, CSV format, Xml,sqlite, and other formats.

Reference:

http://tianya23.blog.51cto.com/1081650/415146 (the above content is transferred from this article)

Java Static Detection Tool/java code specification and Quality check Brief introduction (GO)