posted Feb 7, 2013, 12:33 PM by Markus Sprunck
updated Feb 28, 2013, 1:03 PM
By Markus Sprunck; Revision: 1.1; Status: final; Last Content Change: Feb 11, 2013;
The static code analysis tools Findbugs, PMD and Checkstyle are widely used in the Java development community. Each has an own purpose, strength and weaknesses. The following article compares the most important aspects and gives some recommendations for the introduction in your teams.
Direct Comparison of Findbugs, PMD and Checkstyle
Table 1: Most important aspects of tools
| License|| Lesser GNU Public License|| BSD-style license|| Lesser General Public License|
|| finds - as the name
suggests - bugs in Java
| looks for potential problems,
possible bugs, unused and
sub-optimal code and
in the Java source code
| scans source code and looks for
coding standards, e.g.
the Sun Code Conventions, JavaDoc
||- finds often real defects
- low false detected rates
- fast because byte code
| - finds occasionally real defects
- finds bad practices
| - finds violations of coding conventions
|| - is not aware of the sources
- needs compiled code
| - slow duplicate code detector
| - can't find real bugs
| Number of rules
[max in Sonar]
| Rule Categories
- Basic JSF
- Basic JSP
- XPath in XSL
- Jakarta Commons Logging
- Strict Exceptions
- Security Code Guidelines
- Java Logging
- Android -Controversial
- Type Resolution
- Empty Code
- String and StringBuffer
- Code Size
- Unused Code
- Import Statements
- Clone Implementation
- Basic Ecmascript
- Basic XML
How to Introduce Findbugs, PMD or Checkstyle?
As you may see in the direct comparison - the tree tools have some aspects and/or rules in common, but they give just in the combination 100% functionality you may need in your project.
In the beginning (first weeks) the best is to start with Findbugs rules. You will not have a lot discussions about the warnings with the developers. Almost all warnings of Findbugs are without doubt possible defects or things which are harmful in some way. After the developers are used to work with static code analysis you should start with some PMD rules and later with the more style questions from Checkstyle. Be careful with the Checkstyle rules - just activate what is really necessary and accepted by the team.
My recommended way to use the three tools is Codehaus Sonar. The dashboard of Sonar summarizes the results in one report, enables to manage a central rule set and an excellent Eclipse Plug-in for local analysis is available. You may also like Top 10 Lessons Learned from 2 Years Work with Codehaus Sonar
Please, do not hesitate to contact me if you have any ideas for improvement and/or you find a bug.
Is a static code analysis tool that analyses Java byte code and detects a wide range of problems.
Is a development tool to help programmers write Java code that adheres to a coding standard.
Scans source code and looks for potential problems possible bugs, unused and sub-optimal code and
|| Feb 7, 2013
|| Markus Sprunck
|| first version
| 1.1|| Feb 11, 2013|| Markus Sprunck|| How to Introduce Findbugs, PMD or Checkstyle? added |