Cast Software Vs Sonarqube Plugin
On Fri, Jan 3, 2014 at 8:22 AM, Masood wrote:

Dear Team,

We are using Sonar 4.0 for many projects. But in order to showcase its advantage to one of our groups over the HP Fortify Tool, I need some expert comments for it. Can anybody give me some major advantages of SonarQube 4.0 over the HP Fortify Tool?

(I have never used the HP Fortify Tool, so I am finding it difficult to showcase SonarQube features over the HP Fortify Tool. Although, I know there is a Fortify plugin in SonarQube.) Any information will be helpful.
With Regards,
Masood

Sent from the SonarQube Users mailing list archive at Nabble.com.

Hello,

I don't know Fortify, especially as I believe there are different Fortify products, but I understand this is a tool to detect security vulnerabilities. SonarQube is oriented toward maintainability, so it is not really the same game.
Sonar has been developed with a main objective in mind: make code quality management accessible to everyone with minimal effort. As such, Sonar provides code analyzers, reporting tools, defects hunting modules and TimeMachine as core functionality. But it also embarks a plugin mechanism enabling the community to.
So I would suggest you first ask what the objectives of the group supporting Fortify are. Basically, there are 2 main objectives: costs and risks. Either you want to control costs (maintainability, technical debt), or you want to avoid bugs for the final users. A post on my blog about this subject:

Then, you can ask how they want to use the tool, what their use cases are. Mainly, if you want to assess vulnerabilities, you do it with a Quality Gate. I don't believe that it would be possible or easy to integrate Fortify into a Continuous Integration/Inspection (CI) process as you do with SonarQube. Another post about this:

CI means you can interface with a lot of different tools, and I don't think Fortify will be superior to SonarQube in this domain.

Also, a tool in the bug tracking/security domains has to implement complex techniques in order to detect these vulnerabilities (like dataflow, for instance), and this probably means a higher percentage of false positives. Ask about this percentage and whether there is some validation phase to verify these false positives, as there should be for a tool of this kind. As such a phase means some time and work, it is usually done during a Quality Gate, not a CI process. You could imagine SonarQube for CI/project teams and Fortify for a Quality Gate by security consultants during QA or before going into production, for instance.
Don't hesitate to ask for any precision.

Jean-Pierre FAYOLLE
www.qualilogy.com

-----Original Message-----
From: Masood
Sent: Friday, 3 January 2014 14:22
Subject: [sonar-user] SonarQube v/s HP Fortify Tool
Multi-language

• Static code analysis tool for binaries and source code across 15 languages: Java/Scala, JavaScript, C, C++, Objective-C, C#, PHP, T-SQL/PL/SQL, Python, Visual Basic, Ruby, Swift, ABAP, Delphi, HTML 5, Solidity. Decompiles binaries and reconstructs vulnerable source code. Out-of-the-box Jenkins and Jira integration for a continuous development process.
• A static code analysis tool suite for Ada, C, C++, C#, and Java code that performs various analyses such as architecture checking, interface analyses, checking, and clone detection.
• CAST Application Intelligence Platform – Detailed, audience-specific dashboards to measure quality and productivity. Cross-tier, cross-technology analysis of 50+ languages: C, C++, Java, .NET, Oracle, SAP, Siebel, Spring, Struts, Hibernate and all major databases.
• Checkmarx Static Code Analyser – Identifies vulnerabilities in over 20 languages including C, C#, Apex, Scala, Swift, Python, Ruby, .NET, PHP, Java and JavaScript. Integrates with Jenkins and other build servers and IDEs like Visual Studio and IntelliJ to enable continuous integration.
• SecureAssist – A lightweight IDE plugin that points out common security vulnerabilities in real time as the developer is coding. Supports Java, .NET, and PHP.
• Static code analyzer with code slicing. Supports COBOL, HL ASM, Java, SQL, IMS, CICS. Provides component connectivity, code metrics, clone detection, style checking, and data lineage.
• Software application vulnerability correlation and management system that consolidates and normalizes software vulnerabilities detected by multiple static application security testing (SAST) and dynamic application security testing (DAST) tools, as well as the results of manual code reviews. Supports C, C++, C#, Java, JavaScript, JSP, PHP, Python, Rails, Ruby, Scala, VB.NET and XML/XSL.
• Topaz for Program Analysis – A static code analysis tool for PL/I and COBOL. Produces visual displays of structure charts and logic/data flow and shows dependencies across programs.
• Continuous quality assessment toolkit that allows flexible configuration of quality analyses (architecture conformance, clone detection, quality metrics, etc.) and dashboards. Supports Java, C#, C++, JavaScript, ABAP, Ada and many other languages.
• A static analysis tool for C, C++, C#, Objective-C, Java, JavaScript, Node.js, Ruby, PHP, and Python.
• DefenseCode ThunderScan – A static source code security analysis tool for C#, Java, PHP, VB.Net, JavaScript, Objective-C, PL/SQL, ASP Classic and Visual Basic.
• HP Static Code Analyzer – Helps developers identify software security vulnerabilities in C, C++, Java, JSP, .NET, ASP.NET, classic ASP, ColdFusion, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python, Objective-C, ABAP and COBOL, as well as configuration files.
• CodeSonar – Defect detection (buffer overruns, memory leaks, etc.), concurrency and security checks, architecture visualization and software metrics for C, C++, Objective-C, and Java source code.
• (Formerly known as IBM Rational AppScan) Source Edition – Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems. Supports C, C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl, Visual Basic 6, PL/SQL, T-SQL, and COBOL.
• A tool for Java, C, C++, and Objective-C. Targets null pointer problems, leaks, concurrency issues and API usage for Facebook's mobile apps. Available as open source on GitHub.
• Software Composition Analysis (SCA) product used to discover open source and commercial dependencies in a software project. Discovers known vulnerabilities (CVEs, etc.) and open source license compliance issues.
• Identifies problems in variable use, task interaction and concurrency, especially in embedded applications, as part of an overall system for understanding, improving and documenting C, C++ and Java code.
• Software analytics end-to-end platform for static code analysis and automated code review. It covers defect detection, application security and IT risk management, with enhanced life cycle and application governance features. Support for over 20 languages.
• Provides security vulnerability, standards compliance, defect detection and build-over-build trend analysis for C, C++, C# and Java.
• Kuscos is a software intelligence platform that provides a range of analysis tools and reports and delivers key information regarding source code modules and team members. Supported languages include VB, among others.
• A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
• A software static analysis toolset for a variety of languages including Ada, C, Pascal and Assembler (Intel, PowerPC and Motorola). Used primarily for safety-critical applications in the nuclear and aerospace industries.
• A static code analysis tool based on automatic code reviews that can detect and repair errors and weaknesses in custom-developed code.
• Moose started as a software analysis platform with many tools to manipulate, assess or visualize software. It can evolve into a more generic data analysis platform. Supported languages are C, C++, Java, Smalltalk and .NET; more may be added.
• Provides static analysis (pattern-based, flow-based, in-line, metrics) for C, C++, Java, .NET (C#, VB.NET, etc.), JSP, JavaScript, XML, and other languages. Through a Development Testing Platform, static code analysis functionality is integrated with other tools.
• Detection tool covering several languages.
• Uses a formal-methods-based technique to detect and prove the absence of certain classes of errors for C, C++, and Ada.
• A language-specific tool that features language-specific analysis reporting in addition to language-specific algorithms.
• Analyzes the composition of software source code and binary files, searches for open source and third-party code and their associated licensing obligations. Can also detect security vulnerabilities.
• A software analysis tool for C, C++, C++11, C++/CX (Component Extensions), C#.
• Scans source code and binaries in the cloud to identify security flaws. It also scans server configuration files for security flaws. Languages include GoLang, Python, Perl, PHP, C/C++, JavaScript, Java and C#, and it will also look for backdoors in software. Has found flaws in ModSecurity and Apache.
• OpenLogic – Scans source code and binaries to identify open source code and licenses, manages open source policies and approvals, reports security vulnerabilities, and provides open source technical support.
• Supports C, C++, C#, Java, JavaScript, Objective-C, Python and Scala.
• Static-analysis-based automated code review tool for Ruby, Python, PHP, JavaScript, CoffeeScript and Go. Checks style, quality, dependencies, security and bugs.
• Provides design quality and technical health solutions for software code.
• SnappyTick (SAST) – Snappy Tick is a static application security tool; it helps to identify vulnerabilities in source code and supports widely used languages for desktop, web and mobile applications.
• Static detection of logic errors and other issues; automatically extracts information from code.
• Supports Java, C# and C/C++ with a focus on dependency analysis, automated architecture check, metrics and the ability to add custom metrics and code-checkers.
• A continuous inspection engine to manage technical debt: unit tests, complexity, duplication, design, comments, coding standards and potential problems. Supports languages: ABAP, Android (Java), C, C++, CSS, Objective-C, COBOL, C#, Flex, Forms, Groovy, Java, JavaScript, Natural, PHP, PL/SQL, Swift, Visual Basic 6, Web, XML, Python.
• Sotograph – Architecture and quality in-depth analysis and monitoring for C, C++, C#, Java, ABAP.
• A platform-independent, command-line static source code analyzer for Java, C, C++, RPG IV (AS/400) and Python.
• A Static Application Security Testing (SAST) solution – A tool to analyze and identify software security vulnerabilities in C, C++, Java, JSP, .NET, JavaScript, C/C++, PHP, ASP.NET, VBScript, Python, Objective-C, ABAP, XML, Swift, HTML, Android Java and configuration files. Integrates with Jenkins and other build servers and IDEs like Visual Studio and IntelliJ to enable continuous integration.
• A multi-purpose and multi-language monitoring tool for software projects.
• A multi-platform tool for code analysis and comprehension of large code bases. Supported languages include Ada, Cobol, ANSI C, K&R C, ANSI C++, C#, FORTRAN, Java, Jovial, Pascal, PL/M, Python, VHDL, Objective-C, Objective-C++, HTML, PHP, JavaScript, and XML.
• Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, VB.NET, ASP.NET), Java, JSP and others, including mobile applications on the major mobile platforms and applications written in cross-platform frameworks.
• Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins for C, C++, Java, JavaScript, ASP, PHP, HTML-CSS, ColdFusion and other file types. It integrates with other scanners, including Pixy.
• Application Analyzer – (TCS) MasterCraft is a brand of IT process automation and management software tools from Tata Consultancy Services Limited. Application Analyzer is a static code analyzer which supports COBOL, RPG, PL/I, Java, JavaScript, .NET and VB.

.NET

• (Codename Roslyn) – Open-source compiler framework for .NET languages. Provides an API for analyzing and manipulating syntax.
• Combines static code analysis and automatic refactoring to best practices, which allows automatic correction of code errors and violations; supports C# and VB.NET.
• A plugin which alerts users to violations of best practices.
• Designite – A software design quality assessment tool for C#. It computes various metrics and detects 37 kinds of smells. It offers an IDE extension.
• Free static analysis for Microsoft .NET programs. Standalone and integrated in some editions; by Microsoft.
• Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into the IDE.
• dotTEST – A static analysis, unit testing, and code review plugin; works with languages for the Microsoft .NET Framework and .NET Compact Framework, including C#, VB.NET, ASP.NET and Managed C++.
• Supports C#, Java and C/C++ with a focus on dependency analysis, automated architecture check, metrics and the ability to add custom metrics and code-checkers.
• Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside the IDE or integrated into a project build.

Ada

• Verification tools for SPARK 2014 – a subset of Ada 2012 that leverages Ada's support for contracts. Designed to offer soundness, depth, modularity and efficiency of verification.
• A tool to control occurrences of various entities or programming patterns in Ada code, used for checking coding standards, enforcement of safety-related rules, and support for various manual inspections.
• An advanced static analysis tool that detects potential run-time logic errors in Ada programs.
• A tool for the validation of numerical properties of programs.
• A software analysis and testing tool suite for Ada83/95.
• Uses a formal-methods-based technique to detect and prove the absence of certain classes of errors.
• (Bought by another vendor) Static detection of logic errors and redundant code for Ada; automatically extracts information from code.

C, C++

• AdLint is an open source and free source code static analyzer for ANSI C89 / ISO C90 and partly ISO C99.
• Finds all potential errors and data races, can prove their absence, and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics and automotive). Includes a coding standard checker.
• A static code analysis tool suite that performs various analyses such as architecture checking, interface analyses, checking, and clone detection.
• (Berkeley Lazy Abstraction Software verification Tool) – An open-source software model checker for C programs based on lazy abstraction (the follow-on project is CPAchecker).
• A C and C++ static analysis tool which is an optional add-on to IAR Systems' Embedded Workbench IDE for embedded microcontroller designs. C-STAT provides checking against coding standards as well as the Common Weakness Enumeration (CWE). There is also a complementary tool which provides live runtime analysis of code as well.
• A C++ IDE with many new static code analysis and refactoring plug-ins, for example to make code const-correct.
• Open-source tool that checks for several types of errors.
• An open-source tool that checks for compliance with Google's style guide for C++ coding.
• An open-source compiler that includes a static analyzer.
• An open-source C++ “linter” tool based on the Clang compiler. It can detect and automatically fix typical programming errors, like style violations, interface misuse, or bugs that can be deduced via static analysis. Clang-tidy is modular and provides a convenient interface for writing new checks.
• An open-source source code pattern matching and transformation tool.
• A static analysis tool for C/C++.
• Simplifies managing a complex C/C++ code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code.
• A platform for the automatic analysis, verification, testing and transformation of C and C++ programs.
• An open-source IDE that includes a static code analyzer.
• A simple open-source software program that examines C/C++ source code and reports possible security weaknesses (“flaws”) sorted by risk level.
• A tool for the validation of numerical properties of programs.
• An open-source static analysis framework for C.
• A software analysis tool for C/C++.
• A tool for C/C++, see above.
• Developed by an engineering team at Facebook with open-source contributors. Targets null pointer and other memory problems. Available as open source on GitHub.
• A static analysis tool for C/C++.
• The original static code analyzer for C.
• A software analysis and testing tool suite for C/C++.
• A C/C++ tool that does static analysis, unit testing, code review, and runtime error detection; plugins available for several IDEs.
• A software analysis tool for C with partial support for C++2011.
• Uses a formal-methods-based technique to detect and prove the absence of certain run-time errors and dead code, and can also be used to check all MISRA (2004, 2012) rules (directives and non-directives).
• Deep static analysis of C/C++ for quality assurance and guideline/coding standard enforcement with MISRA support.
• A project for checking that software satisfies critical behavioral properties of the interfaces it uses.
• An open-source tool designed to find faults in the kernel.
• An open-source evolved version of Lint, for C.
• An IDE that provides static code analysis for C/C++ both in the editor environment and from the compiler command line.
Java

Tool | Latest release | Free software; license | Notes
---- | ---- | ---- | ----
 | 2017-11-26 | Yes; No | Besides some static code analysis, it can be used to show violations of a configured coding standard. Duplicate code detection was removed from Checkstyle.
 | 2017-01-19 | No; Proprietary | Coverity is a static analysis and Static Application Security Testing (SAST) platform that finds critical defects and security weaknesses in code as it is written, before they become vulnerabilities, crashes, or maintenance headaches.
 | 2017-06-28 | Yes; No | Cross-platform IDE with its own set of several hundred code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project. Plugins for Checkstyle, FindBugs, and PMD.
 | 2015-03-06 | Yes; | Based on work from the University of Maryland.
 | | Yes; | The spiritual successor of FindBugs, carrying on from the point where it left off with the support of its community.
 | 2017-10-19 | Yes; | Developed by an engineering team at Facebook with open-source contributors. Targets null pointer exceptions, leaks, and thread safety issues.
 | 2017-11-30 | Yes; Yes | A leading Java IDE with built-in code inspection and analysis. Plugins for Checkstyle, FindBugs, and PMD.
 | 2017-06-11 | No; Proprietary | Simplifies managing a complex code base by analyzing and visualizing code dependencies, defining design rules, doing impact analysis, and by comparing different versions of the code.
 | 2016-12-05 | No; Proprietary Yes | Testing and static code analysis product.
 | | No; Proprietary | Analysis and testing tool suite.
 | 2017-07-01 | Yes; Yes | A static ruleset-based source code analyzer that identifies potential problems.
 | | No; Proprietary | Object-oriented code queries for static program analysis.
 | 2017 | No; Proprietary Yes | (Formerly SonarJ) Monitors conformance of code to the intended architecture, and also computes a wide range of software metrics. Plugins for Eclipse, IntelliJ, Maven and others.
-Explorer | 2017 | Yes; Proprietary No | Free feature-limited variant of the above with a focus on dependency visualization and metrics.
 | | Yes; | A language manipulation and optimization framework consisting of intermediate languages.
 | | Yes; No | Library to write your own static analyses and architectural rule checkers for Java. Can be integrated in Maven and Gradle.
 | 2011-05-26 | Yes; | A platform to manage software quality.
 | 2016-02-01 | No; Proprietary Yes | A platform-independent, command-line static source code analyzer.
 | 2014-03-28 | No; Proprietary | A static analysis tool focused on finding concurrency bugs.
 | | No; Proprietary | Security analysis of Java web applications including the behavior of the applied web frameworks.
JavaScript

• A modern, pluggable linting utility for JavaScript.
• JavaScript optimizer that rewrites code to be faster and smaller, and checks use of native JavaScript functions.
• A community-driven fork of JSLint.
• JavaScript checker and validator.

Objective-C, Objective-C++

• The free Clang project includes a static analyzer. As of version 3.2, this analyzer is bundled with it.
• Developed by an engineering team at Facebook with open-source contributors. Targets null pointers, leaks, API usage and other lint checks. Available as open source on GitHub.
• A tool for C, C++, Objective-C; see above.

Opa

• Opa includes its own static analyzer. As the language is intended for web application development, the strongly statically typed compiler checks the validity of high-level types for web data, and prevents by default many vulnerabilities such as cross-site scripting attacks and database code injections.

Packages

• Checks Debian software packages for common inconsistencies and errors.
• Checks for common problems in rpm packages.

Perl

• A tool to help enforce common Perl best practices. Most best practices are based on a published Perl best-practices book.
• This tool provides metrics for Perl. Code coverage metrics describe how thoroughly tests exercise code.
• Program that acts as a checker and tester/enforcer for coding practices in Perl.
• An IDE for Perl that also provides static code analysis to check for common beginner errors.

PHP

• A static analysis tool for security purposes.
• PHP Mess Detector.
• A static code analyzer and audit framework for vulnerabilities in PHP applications.
• PHP Linter, Code Analyzer and Tester.

PL/SQL

• A PL/SQL development environment with a Code xPert component that reports on general code efficiency as well as specific programming issues.
• A PL/SQL tool that reports on programming issues and helps understand and maintain complex code (several categories of issues).

Python

• Bandit – AST-based static analyzer from the OpenStack Security Group, with a focus on security alerts.
• Cross-platform Python IDE with code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project.
• Similar to Pylint.
• Eclipse-based Python IDE with code analysis available on-the-fly in the editor or at save time.
• Fast AST-based static analyzer.
• Static code analyzer. Quite stringent; includes many stylistic warnings as well.

Ruby

• Checks for structural similarities and detects code duplication.
• Detects complex classes and methods using ABC metrics.
• Checks for higher-level problems.
• Style checker based on the community-driven Ruby Style Guide.

Ruby on Rails

• Checks for N+1 queries slowing down database access.
• Detects and warns about common security vulnerabilities.

Shell

• ShellCheck is a tool that gives warnings and suggestions for bash/sh shell scripts.

SQL

• A SQL Server tool that reports on programming issues and helps understand and maintain complex code (several categories of issues).

Formal methods tools

Tools that use a sound approach to static analysis, i.e. one that over-approximates a rigorous model. Sound methods contain no false negatives for bug-free programs, at least with regard to the idealized mathematical model they are based on (there is no 'unconditional' soundness). Note that there is no guarantee they will report all bugs for buggy programs, but they will report at least one.

• Finds all potential errors, can prove the absence of runtime errors and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics and automotive).
• Statically determines and documents pre- and postconditions for subprograms; statically checks preconditions at all call sites.
• Uses formal-methods-based static code analysis techniques combined with other techniques to detect or prove the absence of certain classes of errors.
• Based on an enriched version of Java.
• An open-source static analysis framework for C.
• Analysis platform for Java with formal specifications; can generate counterexamples; stand-alone GUI or IDE integration.
• A formal methods tool that uses formal techniques to prove that the software under analysis correctly meets its mathematical specification.
• Uses a formal-methods-based technique to detect and prove the absence of certain classes of errors in source code for C/C++ and Ada.
• Based on a language that is a subset of Ada.
Chapter I: Welcome to static code analysis, that thing you aren’t doing

“The quality of your code is a weak spot in almost every software project you’ll ever touch. This is because ongoing development ensures that even the bits you were once proud of become, over time, first less elegant, then rough, and finally incomprehensible.” — Java Developer/Author

Why should we monitor and fix code quality issues?

If we start at the very beginning, it would be with what we know about developers and their use of the tools and practices used to analyze code quality. There are a few things we found out about how developers think about code quality analysis, from a report which surveyed just over 1000 developers. Here’s what we saw:

• 39% of developers don’t monitor code quality at all
• 12% of developers monitor, but don’t fix issues
• 41% of developers fix some code quality issues
• 8% of developers fix all code quality issues

So, code quality analysis is not a terribly popular category to start with, which is probably one reason that most apps, even the best of them, suffer from creeping bugs and errors at some point.

And do you know what else we found when we correlated these answers with others in the report? Fixing code quality issues has a significant effect on, well, the overall quality of your code, as well as on your ability to accurately predict when the software can be delivered to end users. If the choice is between doing nothing and fixing all code quality issues that are identified, this is the analysis that emerged from the responses provided by the sample population:

• Developers reported up to 9% better predictability for app delivery
• Developers reported up to 7% better app quality

The point here is that monitoring and fixing code quality issues is something that is proven to raise the quality of your application AND your ability to deliver that application to stakeholders on time. But it’s clear that the vast majority of developers aren’t taking full advantage of tools designed to improve app quality. Perhaps most developers don’t know where to start. For developers, the main point can be summed up in one sentence: how are you supposed to integrate your tool of choice into your development cycle so it can find relevant issues and allow the team to fix them?

There are many aspects of “code quality” that we can sink our teeth into, but we’ve decided that static code analysis is an essential building block in your pyramid of tools that help improve the quality of your code. However, developers are using tools that fit into other categories as well, such as:

Dynamic code analysis

The simplest difference between static and dynamic analysis tools is that the former runs in the development environment and the latter needs to be active during the runtime of the application under analysis. Typical dynamic code analyzers profile your system and monitor its health. Execution time and memory usage profilers, figuring out the number of database transactions per request, the average size of a user session object, etc., all require the system to be under a load comparable with the one intended for the production environment. Dynamic analysis tools often instrument the code to add tracing of method calls, catching and notifying about exceptions, and any other statistics they collect.

Profilers

Performance is a magical term that never fails to generate interest. Figuring out why your system is slow and how to make it faster is a rewarding exercise. Combine this with the fact that you can continue optimizing forever (as something will always be a bottleneck), and performance-related tasks are always picked first by developers. It just sounds so cool, and it’s measurable too.

Memory tools

Most existing tools that deal with memory management either provide some high-level statistics in real time, like telling you the size of the heap and the number of classes loaded into the JVM, or work in an offline mode, feeding on traces produced during a run. Garbage collector logs, object allocation rates, the ability or inability to free the memory held by the classloader of your web application: these are questions usually attacked with a tool analyzing your application’s memory behavioral patterns.

Monitoring tools

Monitoring tools are known to everybody; often these are the last man standing before a service goes offline because of some resource limits. Naturally, there are a lot of questions to ask before you start to use any of the tools we discuss later, so in this report we show you what aspects are important to consider when getting started.

Oleg Šelajev is an engineer, author, speaker, lecturer and advocate at ZeroTurnaround. He spends his time testing, coding, writing, giving conference talks, and crafting blog posts and reports.
He is pursuing a PhD on Dynamic System updates and code evolution. Oleg is a part-time lecturer at the University of Tartu and enjoys speaking and participating in Java/JVM development conferences such as JavaOne, JavaZone, JFokus and others. In his free time, Oleg plays chess at a semi-grandmaster level, loves puzzles and solving all kinds of problems.
Simon Maple is the Director of Developer Relations at ZeroTurnaround, a Java Champion since 2014, JavaOne Rockstar speaker in 2014, Duke’s Choice award winner, Virtual JUG founder and organiser, London Java Community co-leader and RebelLabs author. He is an experienced speaker, having presented at JavaOne, JavaZone, Jfokus, DevoxxUK, DevoxxFR, JavaZone, JMaghreb and many more including many JUG tours. His passion is around user groups and communities. When not traveling, Simon enjoys spending quality time with his family, cooking and eating great food.
Thanks for the article. SonarQube positions itself as a replacement for PMD+FindBugs+Checkstyle+etc: Have you investigated what’s their current “coverage” and if their plans are viable?
If they succeed that would be a big step forward in code conventions enforcement.