Comparison of Static Code Analysis Tools for Java - Findbugs vs PMD vs Checkstyle

The static code analysis tools Findbugs, PMD and Checkstyle are widely used in the Java development community. Each has an own purpose, strength and weaknesses. The following article compares the most important aspects and gives some recommendations for the introduction in your teams. 

Direct Comparison - Findbugs vs PMD vs Checkstyle

Most important aspects of tools are listed in the following table:

   
 Findbugs [1]

 
 PMD [3]
 
 Checkstyle [2]
  Version  3.0.0  5.2.2  6.1.1
  License  Lesser GNU Public License  BSD-style license  Lesser General Public License
  Purpose  Potential Bugs
 finds - as the name suggests - bugs in
 Java byte code
 Bad Practices
 looks for potential problems, possible bugs,
 unused and sub-optimal code and over-
 complicated expressions in the Java source
 code
 Conventions
 scans source code and looks for coding standards,
 e.g.  Sun Code Conventions, JavaDoc
 Strengths finds often real defects
- low false detected rates
- fast because byte code
- less than 50% false positive
- finds occasionally real defects 
- finds bad practices
 - finds violations of coding conventions
 Weaknesses - is not aware of the sources
- needs compiled code
- slow duplicate code detector

 - can't find real bugs
 Number of rules   408  234 


 132
 Rule Categories  Correctness
 Bad practice
 Dodgy code
 Multithreaded Correctness 
 Performance Malicious 
 Code Vulnerability
 Security Experimental
 Internationalization


 JSP 
 - Basic JSF 
 - Basic JSP
 XSL 
 - XPath in XSL
 Java 

 - Design 
 - Coupling 
 - Jakarta Commons Logging 
 - Basic 
 - Strict Exceptions 
 - Security Code Guidelines 
 - Java Logging 
 - Android -Controversial 
 - Comments 
 - Type Resolution 
 - Empty Code 
 - String and StringBuffer 
 - Code Size 
 - Braces 
 - Unused Code 
 - Unnecessary 
 - J2EE 
 - JavaBeans 
 - Migration 
 - Import Statements 
 - JUnit 
 - Naming 
 - Finalizer 
 - Optimization 
 - Clone Implementation
 Ecmascript
 
 - Basic Ecmascript 
 - Unnecessary 
 - Braces 
 XML
 
 - Basic XML
 Annotations
 Block Checks
 Class Design
 Coding
 Duplicate Code
 Headers
 Imports
 Javadoc Comments
 Metrics
 Miscellaneous
 Modifiers
 Naming Conventions
 Regexp
 Size Violations
 Whitespace

Recommendations 

As you may see in the direct comparison - the tree tools have some aspects and/or rules in common, but they give just in the combination 100% functionality you may need in your project.

In the beginning (first weeks) the best is to start with Findbugs. You will not have a lot discussions about the warnings with the developers. Almost all warnings of Findbugs are without any doubt possible defects or things which are harmful in some way. After the developers are used to work with static code analysis you should start with some PMD rules and later with the more style questions from Checkstyle. Be careful with the Checkstyle rules - just activate what is really necessary and accepted by the team.

My recommended way to use the three tools is Codehaus Sonar. The dashboard of Sonar summarizes the results in one report, enables to manage a central rule set and an excellent Eclipse Plug-in for local analysis is available. 

The standalone client of Findbugs can be used to analyse Java byte code in the case the source code is not available, e.g. to get an impression about the quality of 3rd party libraries. 

References

[1] Findbugs (http://findbugs.sourceforge.net)
      Is a static code analysis tool that analyses Java byte code and detects a wide range of problems. 

[2] Checkstyle (http://checkstyle.sourceforge.net/index.html)
      Is a development tool to help programmers write Java code that adheres to a coding standard. 

[3] PMD (http://pmd.sourceforge.net/pmd-5.0.0)
     Scans source code and looks for potential problems possible bugs, unused and sub-optimal
     code and over-complicated expressions.

Change History

 Revision  Date  Author  Description
 1.0  Feb 7, 2013  Markus Sprunck   first version
 1.1  Feb 11, 2013  Markus Sprunck  how to Introduce Findbugs, PMD or Checkstyle? added 
 1.2 Aug 15, 2014 Markus Sprunck add links
 1.3 Dec 07, 2014 Markus Sprunck update

Sponsored Link