static-analysis

We are introducing static analysis tools into the build system for our Java product. We are using Maven2 so Checkstyle and PMD integration come for free. However it looks like there is a large overlap in functionality between these two tools, in terms of enforcing basic style rules. Is there a benefit from utilizing both of these? I don't want to maintain 2 tools if one will work. If we choose one, which one should we use and why? We are also planning on using FindBugs. Are there other static analysis tools we should look at? Update: Consensus seems to be that PMD is preferred over CheckStyle.

Okay, I have yet another Code Contracts question. I have a contract on an interface method that looks like this (other methods omitted for clarity): [ContractClassFor(typeof(IUnboundTagGroup))] public abstract class ContractForIUnboundTagGroup : IUnboundTagGroup { public IUnboundTagGroup[] GetAllGroups() { Contract.Ensures(Contract.Result<IUnboundTagGroup[]>() != null); Contract.Ensures(Contract.ForAll(Contract.Result<IUnboundTagGroup[]>(), g => g != null)); return null; } } I have code consuming the interface that looks like this: public void AddRequested(IUnboundTagGroup group) { foreach

I'm working on a large project where, even with 10s of 1000s of automated tests and 100% code coverage, we're getting a ridiculous number of errors. About 95% of errors we get are NullReferenceExceptions. Is there any way to enforce null-checking at compile time? Barring that, is there any way to automagically enforce null-checking in unit tests without having to write the tests for null cases myself? You should look into Code Contracts . The static checker is only available for the higher-end VS editions, but that's basically what you're after. There are plenty of resources online, and <plug>

I want to verify binary compatibility between 2 JARs. Following the suggestions in this answer I used jboss tattletale but it can find only missing classes. How can I find if there are missing methods? Is it possible at all? E.g. "Depends - on" class Foo depends on Bar (like many other middle class workers) import org.overlyusedclassnames.Bar public class Foo{ public void someMethod(){ Bar tender = new Bar(); tender.getJohnnyRedLabel(); tender.getJohnnyBlueLabel(); //this method is new in the Bar class } } "Compile time" class package org.overlyusedclassnames; /** * @Since 1992 * Changes:

I would very much like to integrate pylint into the build process for my python projects, but I have run into one show-stopper: One of the error types that I find extremely useful--: E1101: *%s %r has no %r member* --constantly reports errors when using common django fields, for example: E1101:125:get_user_tags: Class 'Tag' has no 'objects' member which is caused by this code: def get_user_tags(username): """ Gets all the tags that username has used. Returns a query set. """ return Tag.objects.filter( ## This line triggers the error. tagownership__users__username__exact=username).distinct() #

What code analysis tools do you use on your Java projects? I am interested in all kinds static code analysis tools (FindBugs, PMD, and any others) code coverage tools (Cobertura, Emma, and any others) any other instrumentation-based tools anything else, if I'm missing something If applicable, also state what build tools you use and how well these tools integrate with both your IDEs and build tools. If a tool is only available a specific way (as an IDE plugin, or, say, a build tool plugin) that information is also worth noting. Greg Mattes For static analysis tools I often use CPD, PMD ,

I have a large source repository split across multiple projects. I would like to produce a report about the health of the source code, identifying problem areas that need to be addressed. Specifically, I'd like to call out routines with a high cyclomatic complexity, identify repetition, and perhaps run some lint-like static analysis to spot suspicious (and thus likely erroneous) constructs. How might I go about constructing such a report? For measuring cyclomatic complexity, there's a nice tool available at traceback.org . The page also gives a good overview of how to interpret the results. +1