Tuesday, December 16, 2014

FindBugs, A Way to Automate Code Review

Code review helps improve code quality and avoid runtime failures that result from poor coding practices. It also gives you a chance to rework your code for simplicity, better exception handling, readability and easier maintenance. Most importantly, I found that while explaining my code to someone as part of a code review, I myself discovered many things that could be improved.

But over time developers come to see code review as one of the most boring activities of a Java project. Reviewing thousands of lines of somebody else's code is a real pain. To make matters worse, code reviews are typically constrained by tight project deadlines, leaving less time for a detailed evaluation of the code. Hence, code reviews often become just an exercise in code beautification. To address this problem, some aspects of code review have been automated via tools, and one such solution is static code analysis.
Static Code Analyzer Automates Code Review Process. How?
Static code analysis means analyzing the source code without executing it, to find potential vulnerabilities, bugs and security threats. It is called "static" because the code is not run to find the problems; it is checked analytically. A static code analyzer looks for patterns/rules that can cause a security vulnerability or other code quality problems. There are many good reasons to use static code analysis in your project; one of them is a thorough analysis of your code:
  • If there are vulnerabilities in distant corners of your application, in code that is not even exercised, static analysis has a higher probability of finding them, because it does not depend on that code being executed.
  • The second benefit of static code analysis is that you can define project-specific rules, and those rules are then enforced without any manual intervention. If a team member forgets to follow them, the violations are highlighted by a static code analyzer like Fortify or FindBugs. A few of the rules these tools can check are as follows:
    • Possible NullPointerException(s) can be easily identified with these tools
    • Equal objects must have equal hashCode(s)
    • Checking String equality using == or !=
  • The third major benefit of static code analysis is that these tools catch bugs early in the development cycle, which means they cost less to fix. All these advantages of a static code analyzer are best realized only when it is part of the build process.
  • Static code analyzer tools can be easily integrated into an IDE like Eclipse using available plugins, and can also be integrated into the release build process.
There are many tools available for static code analysis of Java code, such as:
  • AgileJ StructureViews
  • ObjectWeb ASM
  • Checkstyle
  • FindBugs
  • GrammaTech CodeSonar
  • Fortify
All of the above-named tools are well known and competitive enough. We have used FindBugs in multiple client engagements and found it to be a very capable tool, with hundreds of rules that help you do static code analysis of your project quickly.
FindBugs … An Awesome Way to Automate Code Review!!!
FindBugs uses static analysis to identify hundreds of potential types of errors in Java programs. It categorizes potential errors into four ranks, as follows:
  • Scariest
  • Scary
  • Troubling
  • Of Concern
These four ranks define the possible severity of each identified error. FindBugs operates on Java bytecode rather than source code. Plugins are also available for various Java IDEs like Eclipse, IntelliJ IDEA, and NetBeans. I have tried it out with Eclipse and found it very simple and easy to use. I have explained my experience integrating it with Eclipse below:
Eclipse Plug-in Support
To get a better understanding of the tool, one can install the FindBugs Eclipse plug-in. It is very easy to install: just go to the Help menu, click Eclipse Marketplace, search for FindBugs and install it.
Working with it
It can be executed as:
  • As an independent process (Eclipse plug-in).
  • As part of the release build and deployment process (Ant or Maven plug-in).
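As an added example of the second option (not from the original post), this is a Maven configuration that runs FindBugs during the verify phase and fails the build when a bug is reported. It assumes the findbugs-maven-plugin from Codehaus Mojo; the version number is one I have used, but check Maven Central for the release current in your project, and tune `effort` and `threshold` to the noise level your team can act on.

```xml
<!-- Added example: build-time FindBugs check (Codehaus Mojo plugin assumed). -->
<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>findbugs-maven-plugin</artifactId>
  <version>3.0.5</version>
  <configuration>
    <!-- Max effort: slower, but finds more (including inter-procedural) issues -->
    <effort>Max</effort>
    <!-- Low threshold: report low-confidence findings too; raise to Medium/High to cut noise -->
    <threshold>Low</threshold>
    <!-- Fail the build instead of only writing a report -->
    <failOnError>true</failOnError>
    <!-- XML report under target/ for CI tooling to consume -->
    <xmlOutput>true</xmlOutput>
  </configuration>
  <executions>
    <execution>
      <id>findbugs-check</id>
      <phase>verify</phase>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

With this in place, `mvn verify` stops the release build on any reported bug, which is what turns the analyzer from an optional IDE aid into an enforced gate.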
Let me explain, via screenshots, how to use it in Eclipse. Please follow the steps below:
  • Make sure it has been installed in Eclipse.
  • Right-click on your project, go to FindBugs and click on FindBugs. It will take a few minutes to complete.
  • After that, you can see the results grouped by severity level in the Bug Explorer window. In the given example it shows results in two groups, i.e. 'Scary' and 'Of Concern'.
  • Now expand each group, by clicking on its type, to show the errors.
In the particular code above, one error is shown as a null pointer dereference under the 'Scary' rank. As you can see in the code, I created a String array reference initialized to null and, in the next line, used it in a for loop without instantiating the records object, which will throw a NullPointerException. So, with the help of FindBugs we can easily identify potential bugs without executing the program.
That's all about FindBugs and how it can be used in a Java project, i.e. to identify bugs in the early stages of development. Even if using it is not part of your project, you can do it on your own initiative to improve your coding skills and write bug-free code.
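The screenshot the post refers to is not reproduced here, so the following is an added example (my own code, not the post's) that recreates the null array dereference described above together with the other two rules listed earlier, each beside its corrected form. Class, method and field names are made up; the FindBugs pattern identifiers in the comments (NP_ALWAYS_NULL, HE_EQUALS_USE_HASHCODE, ES_COMPARING_STRINGS_WITH_EQ) are the real detector names that report these cases. Running FindBugs on the compiled class flags the three "broken" methods; the "fixed" ones are clean.

```java
// Added example (not from the original post): three FindBugs-detectable
// patterns and their corrected forms. All names are hypothetical.
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

public class FindBugsPatterns {

    // 1. Null pointer dereference (NP_ALWAYS_NULL): the case from the post.
    //    The array reference is null and is iterated on the next line.
    static int countRecordsBroken() {
        String[] records = null;
        int n = 0;
        for (String r : records) {   // dereferences null: NullPointerException at runtime
            n++;
        }
        return n;
    }

    //    Fixed: take the array as input and guard against null explicitly.
    static int countRecordsFixed(String[] records) {
        if (records == null) {
            return 0;
        }
        int n = 0;
        for (String r : records) {
            n++;
        }
        return n;
    }

    // 2. equals() without hashCode() (HE_EQUALS_USE_HASHCODE).
    //    Two "equal" keys get different identity hash codes, so a HashSet or
    //    HashMap will usually not find an equal key that is already stored.
    static final class BrokenKey {
        final String id;
        BrokenKey(String id) { this.id = id; }
        @Override public boolean equals(Object o) {
            return o instanceof BrokenKey && ((BrokenKey) o).id.equals(id);
        }
        // hashCode() deliberately missing: this is what FindBugs reports
    }

    //    Fixed: hashCode() derived from the same field equals() compares.
    static final class FixedKey {
        final String id;
        FixedKey(String id) { this.id = id; }
        @Override public boolean equals(Object o) {
            return o instanceof FixedKey && ((FixedKey) o).id.equals(id);
        }
        @Override public int hashCode() { return Objects.hash(id); }
    }

    // 3. String comparison with == (ES_COMPARING_STRINGS_WITH_EQ).
    //    == compares object references, so a role read from a request or a
    //    database (a distinct String object) never matches the literal.
    static boolean isAdminBroken(String role) {
        return role == "admin";
    }

    //    Fixed: content comparison, null-safe because the literal is the receiver.
    static boolean isAdminFixed(String role) {
        return "admin".equals(role);
    }

    public static void main(String[] args) {
        // new String(...) forces a distinct object, as input from I/O would be
        String roleFromRequest = new String("admin");
        System.out.println("== check:      " + isAdminBroken(roleFromRequest));
        System.out.println("equals check:  " + isAdminFixed(roleFromRequest));

        Set<BrokenKey> brokenSet = new HashSet<>();
        brokenSet.add(new BrokenKey("k1"));
        System.out.println("broken lookup: " + brokenSet.contains(new BrokenKey("k1")));

        Set<FixedKey> fixedSet = new HashSet<>();
        fixedSet.add(new FixedKey("k1"));
        System.out.println("fixed lookup:  " + fixedSet.contains(new FixedKey("k1")));

        System.out.println("fixed count:   " + countRecordsFixed(null));
        // countRecordsBroken() is not called: it would throw NullPointerException.
    }
}
```

The point of the third case from a security angle is that `role == "admin"` silently denies access for a legitimate value coming from outside the JVM, and the symmetric mistake (`role != "admin"`) silently grants it; neither is visible in a test that happens to use string literals, which is exactly the kind of defect a static analyzer catches before the code runs.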
