Integration of SonarQube and Jenkins

0 Preface

 

In Java software development, the development team often spends a lot of time and energy finding and fixing code defects. Java static code analysis tools help developers locate code defects quickly and effectively, and correct them in a timely manner while the code is still being built, which greatly improves software reliability and saves development and testing costs. Many Java static code analysis tools are on the market today, each with its own strengths. This article therefore introduces the four mainstream Java static code analysis tools (Checkstyle, FindBugs, PMD, Jtest), analyzes and compares them in terms of functions and features, and aims to help Java developers understand static code analysis tools and choose the right ones for their own development process.

 

1 What is static code analysis

 

Static code analysis checks the correctness of a program by analyzing or inspecting the syntax, structure, control flow, interfaces and so on of the source program, without running the code under test. Its goal is to find errors and defects hidden in the code, such as parameter mismatches, ambiguous nested statements, erroneous recursion, illegal computations and possible null pointer dereferences.

In the software development process, static code analysis is usually carried out before dynamic testing, and its results can also serve as a reference when formulating dynamic test cases. Statistics show that across the whole software development life cycle, 30% to 70% of code logic design and coding defects can be found and fixed through static code analysis.

However, because manual static code analysis consumes a lot of time and requires accumulated domain knowledge, a software development team gains a lot by using static code analysis tools to automate code inspection and analysis: software reliability improves greatly, and development and testing costs fall.

 

2. Advantages of static analysis

 

1. Helps program developers automate static code analysis and quickly locate bugs and defects hidden in the code.

2. Helps code designers focus more on analyzing and solving code design flaws.

3. Significantly reduces the time spent on line-by-line code inspection, improves software reliability and saves software development and testing costs.

 

3. Main techniques of static analysis

 

  • Defect pattern matching: Defect pattern matching collects enough common defect patterns from code analysis experience in advance, then matches the code under analysis against these known patterns to complete the software security analysis. The advantage of this method is that it is simple and convenient, but it requires a sufficiently large set of built-in defect patterns and is prone to false positives.
  • Type inference: Type inference infers the types of the operands in the code to ensure that each statement in the code is executed with the correct types. The technique first predefines a set of typing rules, including inference rules such as type equivalence and type inclusion, and then performs inference based on these rules. Type inference can find type errors in code; it is simple and efficient, and suitable for fast detection of code defects.
  • Model checking: Model checking is based on the concept of finite state automata. It abstracts the code under analysis into an automaton system and assumes that the system is finite state, or can be reduced to finite state through abstraction. During model checking, the effect of each statement in the analyzed code is first abstracted into a state of a finite state automaton, and the code is then analyzed by analyzing the state machine. Model checking is mainly suited to checking temporal properties such as program concurrency, but it is weaker at checking data ranges and data types.
  • Data flow analysis: Data flow analysis is also a software verification technique. It collects information about the variables referenced in the code and analyzes how variables are assigned, referenced and passed through the program. Data flow analysis can determine where variables are defined and where they are referenced, and can also detect anomalies in the data flow, such as a reference before assignment or an assignment that is never referenced. It is mainly suited to examining the data domain of a program.

4. Mainstream static analysis tool - Java

  • Checkstyle
  • FindBugs
  • PMD
  • Jtest
  • SonarQube (formerly named Sonar)

Mobile application (Java, Android app) static analysis: Infer (from Google)

http://8453383.iteye.com/blog/1428816 http://blog.chinaunix.net/uid-301743-id-5081405.html

 

5. SonarQube and Jenkins integration

 

Under Windows: see the details at http://blog.csdn.net/wuxuehong0306/article/details/50847893

 

Under Linux:

5.1 Job mode

The job is configured like a normal Jenkins job, except that its build step runs a script that invokes the Sonar scanner, which achieves the same result as the plug-in method in 5.2.
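
The "Job mode" script from 5.1, written out as an added example (not from the original post). It assumes a SonarScanner CLI version that reads the SONAR_TOKEN environment variable, that Jenkins injects the analysis token into SONAR_TOKEN from its credentials store rather than the token being typed into the job configuration, and that SONAR_HOST_URL points at the SonarQube server; the project key and source layout are constructed sample values.

```shell
#!/bin/sh
# Added example: the shell build step of a Jenkins "job mode" Sonar analysis.
# Assumed environment on the agent: sonar-scanner on PATH, SONAR_HOST_URL and
# SONAR_TOKEN set by Jenkins (token from the credentials store, not the job config).

# Write sonar-project.properties for this build from Jenkins' standard variables.
# $1 = output file, $2 = Sonar project key, $3 = source directory (Maven default).
write_sonar_props() {
    out="$1"; key="$2"; src="${3:-src/main/java}"
    cat > "$out" <<EOF
sonar.projectKey=$key
sonar.projectName=${JOB_NAME:-$key}
sonar.projectVersion=${BUILD_NUMBER:-local}
sonar.sources=$src
sonar.java.binaries=target/classes
sonar.sourceEncoding=UTF-8
EOF
    # The file stays in the workspace and may be archived: refuse to let a
    # credential end up in it. Returns non-zero if one slipped through.
    ! grep -q -e 'sonar.login' -e 'sonar.token' "$out"
}

# Run the scan. The token reaches the scanner only through the environment, so it
# does not appear in the Jenkins console log or in `ps` output, which it would
# if it were passed as -Dsonar.login=... on the command line.
# Returns 2 when required settings are missing, 3 when the scanner is absent.
run_sonar_scan() {
    props="$1"
    [ -n "$SONAR_HOST_URL" ] || { echo "SONAR_HOST_URL not set" >&2; return 2; }
    [ -n "$SONAR_TOKEN" ]    || { echo "SONAR_TOKEN not set" >&2; return 2; }
    command -v sonar-scanner >/dev/null 2>&1 \
        || { echo "sonar-scanner not on PATH" >&2; return 3; }
    sonar-scanner -Dproject.settings="$props" -Dsonar.host.url="$SONAR_HOST_URL"
}

# Typical use inside the Jenkins "Execute shell" build step (constructed key):
#   write_sonar_props sonar-project.properties com.example:demo && \
#   run_sonar_scan sonar-project.properties
```

The missing-setting checks make the job fail fast with a readable message instead of the scanner's generic authentication error, which is what you want when the credential binding is misconfigured.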

 

5.2 Plug-in method

 

The principle of Jenkins and Sonar integration is roughly as follows. Jenkins downloads the Sonar plug-in, configures it in its plug-in management center and associates it with the Sonar server. After Jenkins completes an integration build, it notifies Sonar to analyze the source code. As everyone knows, Jenkins checks the source code out of SVN during the build; Sonar then analyzes the source code Jenkins downloaded and presents code quality and other metrics to the user in graphical pages.

Let's look at how Jenkins and Sonar are integrated and work together.

Plugin installation

1. Online installation:

In Jenkins select System Management -> Manage Plugins -> Available, search for SonarQube Plugin and click Install directly.


However, this online installation generally does not work, because the download requires access to Google.


So we use the offline installation method. 

2. Offline installation:

①. First download the SonarQube Plugin from https://wiki.jenkins-ci.org/display/JENKINS/SonarQube+plugin ; the download is the sonar.hpi file.


②. In Jenkins select System Management -> Manage Plugins -> Advanced -> Upload Plugin.


Upload the sonar.hpi plugin you just downloaded to Jenkins and restart Jenkins when prompted.

After the restart, go to Plugin Management -> Installed and check whether SonarQube Plugin is listed.


If the plugin appears there, the installation was successful.

 

SonarQube Plugin configuration

Go to System Management -> System Settings -> SonarQube section and make the following settings.


Run a project analysis

Select a project that builds successfully and modify its configuration.

Add a post-build action step -> SonarQube.


After adding the configuration, the SonarQube logo appears on the project's page.


Then click Build Now. When the build finishes, Jenkins notifies Sonar to run the code quality analysis; log in to Sonar to view the result.

The project we just configured now appears, so we can conveniently do code walkthroughs and analyze code quality. We are one step closer to a fully automated environment.

Origin http://43.154.161.224:23101/article/api/json?id=326224160&siteId=291194637