How to find weakness in your code – Static code analysis
Static program analysis (static code analysis) is the analysis of computer software that is performed without actually executing programs (Wikipedia). In this blog post, we discuss static code analysis.
Static code analysis refers to the technique of approximating the runtime behavior of a program. In other words, it is the process of predicting the output of a program without actually executing it. Static analysis is best described as a method of debugging by automatically examining source code before a program is run. Static analysis is generally good at finding coding issues such as:
- Programming errors
- Coding standard violations
- Undefined values
- Syntax violations
- Security vulnerabilities
The static analysis process is also useful for addressing weaknesses in source code that could lead to buffer overflows — a common software vulnerability.
Lately, however, the term “Static Code Analysis” is more commonly used to refer to one application of this technique rather than the technique itself: program comprehension, that is, understanding the program and detecting issues in it (anything from syntax errors to type mismatches, unused exceptions, performance hogs, likely bugs, security loopholes, etc.).
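To make the idea of “approximating runtime behavior without executing the program” concrete, here is a toy definite-assignment check written for this post in Python; it is an added example, not code from any of the tools listed below, and the tuple-based program representation is an assumption made for the illustration. It flags reads of a variable that is not assigned on every path, which is the kind of “undefined value” finding listed above and the same rule javac applies to local variables.

```python
# Added example: a miniature definite-assignment analysis. It never runs the
# program; it walks the statements and tracks which variables are certainly
# assigned at each point. The tuple-based statement forms below are an
# assumption made for this example, not the AST of any real tool.
from typing import List, Optional, Set, Tuple

# Statement forms (constructed for this example):
#   ("assign", name)                  name = <some expression>
#   ("use", name)                     a read of name
#   ("if", then_block, else_block)    branch; both blocks are statement lists
Stmt = Tuple


def analyze(block: List[Stmt], assigned: Optional[Set[str]] = None) -> Tuple[Set[str], List[str]]:
    """Return (variables definitely assigned at the end of block, warnings).

    After an if, a variable counts as assigned only when BOTH branches assign
    it, so the merge is a set intersection. That over-approximates "might be
    undefined", which is what keeps the check sound for this bug class.
    """
    assigned = set(assigned or ())
    warnings: List[str] = []
    for stmt in block:
        kind = stmt[0]
        if kind == "assign":
            assigned.add(stmt[1])
        elif kind == "use":
            if stmt[1] not in assigned:
                warnings.append(f"variable '{stmt[1]}' may be used before assignment")
        elif kind == "if":
            then_set, then_warn = analyze(stmt[1], assigned)
            else_set, else_warn = analyze(stmt[2], assigned)
            warnings.extend(then_warn + else_warn)
            assigned = then_set & else_set   # assigned only if both branches assign
        else:
            raise ValueError(f"unknown statement {kind!r}")
    return assigned, warnings


# Constructed sample program: x is assigned on only one branch, then read.
SAMPLE_PROGRAM = [
    ("if", [("assign", "x")], []),
    ("use", "x"),
    ("assign", "y"),
    ("use", "y"),
]

if __name__ == "__main__":
    _, found = analyze(SAMPLE_PROGRAM)
    for warning in found:
        print("warning:", warning)
```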
Static Code Analysis for Java:
- Checker Framework – Pluggable type-checking for Java.
- checkstyle – Checking Java source code for adherence to a Code Standard or set of validation rules (best practices).
- ck – Calculates Chidamber and Kemerer object-oriented metrics by processing the source Java files.
- ckjm – Calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files.
- CogniCrypt – Checks Java source and byte code for incorrect uses of cryptographic APIs.
- DesigniteJava ©️ – DesigniteJava supports detection of various architecture, design, and implementation smells along with computation of various code quality metrics.
- Doop – Doop is a declarative framework for static analysis of Java/Android programs, centered on pointer analysis algorithms. Doop provides a large variety of analyses and also the surrounding scaffolding to run an analysis end-to-end (fact generation, processing, statistics, etc.).
- Error-prone – Catch common Java mistakes as compile-time errors.
- fb-contrib – A plugin for FindBugs with additional bug detectors.
- forbidden-apis – Detects and forbids invocations of specific method/class/field (like reading from a text stream without a charset). Maven/Gradle/Ant compatible.
- google-java-format – Google Style Reformat.
- HuntBugs – Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs.
- IntelliJ IDEA ©️ – Comes bundled with a lot of inspections for Java and Kotlin and includes tools for refactoring, formatting and more.
- JArchitect ©️ – Measure, query and visualize your code and avoid unexpected issues, technical debt and complexity.
- JBMC – Bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.
- NullAway – Type-based null-pointer checker with low build-time overhead; an Error Prone plugin.
- OWASP Dependency Check – Checks dependencies for known, publicly disclosed, vulnerabilities.
- qulice – Combines a few (pre-configured) static analysis tools (checkstyle, PMD, Findbugs, …).
- Soot – A framework for analyzing and transforming Java and Android applications.
- Spoon – Spoon is a metaprogramming library to analyze and transform Java source code (including Java 9, 10, 11, 12, 13, 14). It parses source files to build a well-designed AST with a powerful analysis and transformation API. Can be integrated in Maven and Gradle.
- SpotBugs – SpotBugs is FindBugs’ successor. A tool for static analysis to look for bugs in Java code.
For a fuller list of static code analysis tools, see the GitHub repository:
https://github.com/analysis-tools-dev/static-analysis#java