Introduction to SpotBugs: Static Code Analysis Tool

Developers desperately need someone to review their code. This is especially true for novice developers. But sometimes checking someone else's code takes a lot of time, and it's boring. However, this aspect of development cannot be ignored, because it directly affects the quality of the product, and the quality of you as a developer in general. Therefore, code review is a mandatory part of development. To facilitate this task, various tools for static code analysis are used . We will talk about one of them today. Let's clarify one point first. We already have a Java compiler that checks the code, so how is it different from static analysis? Static Analysischecks Java bytecode (compiled files with a .class extension) for template errors, while the Java compileronly checks the source code for syntax errors. Such tools help to find bad solutions, unused code, inefficient solutions, possible errors, etc. They make life easier for code reviewers and allow them to catch what they may miss or not take into account when checking. If you are completely new and have not yet worked for a company on a project, these tools will be especially useful to you, as they will highlight the shortcomings of your code, and you will subconsciously remember them so as not to repeat them in the future. Well, later you yourself can become a cool reviewer, because you will instantly notice all the shortcomings of the code. Today we will conduct a short review of the SpotBugs static analyzer . SpotBugsis a tool that allows you to examine the code to find possible problems. It performs static analysis by looking through the code to find certain anti-patterns that may be causing problems (such as poor performance). A tool that performs these checks automatically on every change will save the code from progressive degradation. If this process is not set up, invisibly to everyone, at some point it may become too late, because the code will contain hundreds of warnings. This tool is called the successor (heir) of the well-known static analyzer FindBugs . SpotBugs can be integrated with:

• Ant
• Maven
• gradle
• Eclipse

It is also possible to use it by downloading and installing a binary distribution . We will use the connection via Maven . Add to Maven:

<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>4.2.2</version>
  <dependencies>
     <dependency>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs</artifactId>
        <version>4.2.0</version>
     </dependency>
  </dependencies>
</plugin>

Also in the plugins section add:

<plugin>
  <artifactId>maven-project-info-reports-plugin</artifactId>
  <version>2.8</version>
</plugin>

Basic SpotBugs Commands

Well, now let's look at the main commands for SpotBugs, called either through the Maven console: (to call the console, you need to press the m icon ), Or through the idea terminal:

1. mvn spotbugs:help

Displays help information for the SpotBugs command line user interface . Call result example: As we can see, if you run the command: mvn spotbugs:help -Ddetail=true -Dgoal=<goal-name>, you can learn more about the target settings. Or run: mvn spotbugs:help -Ddetail=true and learn more about all four targets. For example, I ran mvn spotbugs:help -Ddetail=true -Dgoal=help and got the following description:

2. mvn spotbugs:check

This command starts the analysis and reports a failed build if it finds any bugs from the spotbugs spectrum . An example of the result of running the command: Here we see how spotbugs swears at all the found flaws in the application (on the found bad code).

3. mvn spotbugs:spotbugs

This command analyzes the target project using SpotBugs. Without running this command, the command to display the results will actually be useless, because. it does the analysis itself. After running this command, the spotbugsXml.xml file is created , in which the analysis results are stored for further display. It should also be noted that running the mvn spotbugs:spotbugs command by itself will not give anything: first you need to run the standard command for compiling the project mvn clean compile , and only after it - the command for analyzing the project. The previous command, mvn spotbugs:check , also parses and creates the spotbugsXml.xml file , but unlike mvn spotbugs:spotbugsit also shows the result of the analysis on the bottom panel. To analyze in this way, you also first need to run mvn clean compile , and only then - mvn spotbugs:check .

4. mvn spotbugs:gui

This command is perhaps the most interesting: it launches the SpotBugs GUI to check the results of the analysis, in which you can see in detail what flaws are in your code and where they are located. But, as I mentioned above, for the correct processing of this command, the spotbugsXml.xml file is needed in the target folder , which is created after the manipulations described above. When running this command, we get the following graphical display: Here you can set up filtering by class name, group by category of bad code, and so on. Possible flaws are divided into types, which in turn are divided into specific detailed error patterns (400+).

Error types

Let's take a closer look at the possible types of errors:

• bad practices

  Violations of recommended coding practice.

• Correctness

  An alleged code error that causes the code to not match the developer's intent. Helps to achieve a low level of false positives.

• Experimental

  This archetype describes experimental and not fully tested error patterns (reports with this type of error should be trusted with great care).

• internationalization

  The type describes code flaws related to internationalization and localization.

• Malicious code vulnerability

  This type indicates that your code is vulnerable to attacks from untrusted code.

• multithreaded correctness

  The type describes code flaws related to threads, locks.

• Bogus random noise

  This type is intended to be used as a control in data mining experiments, not to find real software bugs.

• Performance

  The archetype says that your code is not necessarily wrong, but it may be inefficient and needs some optimization.

• security

  You are probably using untrusted input functionality that may have vulnerabilities, security holes that can be used remotely.

• Dodgy code

  This type includes code that is misleading, anomalous, or written in a way that causes errors.

You can find a full detailed description of the errors in this documentation .

Filter files

SpotBugs uses filters to catch "bad code" patterns . Essentially, a filter matches error instances by a set of criteria. Actually, you can make your own variations of bad code patterns that SpotBugs needs to catch (create custom filter files). Also, using these filter files, you can specify errors that need to be excluded during verification. Perhaps something in your project will be considered a good solution, which is fixed in the analyzer by default as a bad practice. The filter file is an XML document with a top-level FindBugsFilter element that has a number of Match child elements . Each Match elementis a predicate that is applied to the generated error instances. You can read more about creating a filter file in this documentation .