Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2023-static-analysis.pdf

Avatar for Jeanne Boyarsky Jeanne Boyarsky
July 20, 2023
190
0

 2023-static-analysis.pdf

Avatar for Jeanne Boyarsky

Jeanne Boyarsky

July 20, 2023

More Decks by Jeanne Boyarsky

See All by Jeanne Boyarsky
JavaOne Java 25
Avatar for Jeanne Boyarsky boyarsky
0
73
JUnit 6 + exploring the testing ecosystem
Avatar for Jeanne Boyarsky boyarsky
0
76
Timeline of a (NYC) FRC Session/Regional
Avatar for Jeanne Boyarsky boyarsky
0
67
2025 Toastmasters Path Reference
Avatar for Jeanne Boyarsky boyarsky
0
190
2025 Toastmasters Path Changes Update Overview and Reference
Avatar for Jeanne Boyarsky boyarsky
0
89
Mentor_Conference_Presentation.pdf
Avatar for Jeanne Boyarsky boyarsky
0
52
2025-java-does-what-now.pdf
Avatar for Jeanne Boyarsky boyarsky
0
120
Beyond JUnit 5
Avatar for Jeanne Boyarsky boyarsky
0
88
Java 21 Certification (or learning new features)
Avatar for Jeanne Boyarsky boyarsky
0
160

Featured

See All Featured
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
275
41k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
Introduction to Domain-Driven Design and Collaborative software design
Avatar for Kenny Baas-Schwegler baasie
1
840
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
163
24k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
12
1.2k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
37
6.5k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
698
190k
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
Avatar for David Neal reverentgeek
1
470
Lightning talk: Run Django tests with GitHub Actions
Avatar for Sarah Abderemane sabderemane
0
200
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
59
6.7k
Darren the Foodie - Storyboard
Avatar for Kevinho.art khoart
PRO
3
3.4k

Transcript

  1. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 1 Improving your Code with Static Analysis Tools

    Jeanne Boyarsky Thursday, July 20th 2023 UberConf speakerdeck.com/boyarsky https://github.com/boyarsky/2023-uberconf- static-analysis

  2. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky Pause for a Commercial 2 Java certs: 8/11/17

    Book giveaway at end!

  3. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 3 Intro

  4. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 4 Identify errors in code without running it

  5. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 5 Brainstorm: what are some things static analysis

    can find? •Functionality defects •Anti patterns •Performance issues •Security problems •Coding standard violations

  6. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 6 Static Analysis SAST (Static Application Security Testing)

    Coding standards, functionality, etc Security modeling, etc Security static analysis

  7. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 7

  8. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 8 Checkstyle

  9. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 9 Created 2001 Java versions 10.X - Java

    11-17 9.X - Java 8 Focus Coding standards Limits One file at a time Languages Java

  10. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 10 Sample Rules

  11. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 11 Sample Report

  12. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 12 Sample Report

  13. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 13 Artifact URL Docs https://checkstyle.sourceforge.io/ GitHub https://github.com/checkstyle/checkstyle/ releases/

    Ant Task https://checkstyle.sourceforge.io/ anttask.html Maven Plugin https://maven.apache.org/plugins/maven- checkstyle-plugin Gradle Plugin https://docs.gradle.org/current/userguide/ checkstyle_plugin.html URLs

  14. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 14 •Older tool •“Sun” and Google styles built

    in •One file at a time •Not as powerful as others Caveats

  15. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 15 Config

  16. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 16 Output

  17. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 17 Suppressions Can also use xml based excludes

  18. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 18 Custom Rule Demo

  19. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 19 SpotBugs

  20. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 20 Created FindBugs SpotBugs 2006 2016 Java versions

    Any? (old docs say 9 but works with 17) Focus Scanning bytecode Languages Java

  21. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 21 FindBugs?

  22. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 22 Sample Rules

  23. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 23 Sample Report

  24. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 24 Artifact URL Main page https://spotbugs.github.io/ Docs https://spotbugs.github.io/

    Rules https://spotbugs.readthedocs.io/en/latest/ bugDescriptions.html Ant task https://spotbugs.readthedocs.io/en/ stable/ant.html Maven Plugin https://spotbugs.github.io/spotbugs- maven-plugin/ Gradle Plugin https://plugins.gradle.org/plugin/ com.github.spotbugs URLs

  25. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 25 •Older tool •Support slow - deprecated gradle

    code for three versions •Rules can be finnicky •Report kludgy •Docs varying degrees of dated Caveats

  26. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 26 Config

  27. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 27 Output

  28. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 28 Suppressions

  29. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 29 Custom Rule Demo Or bytecode directly if

    need to Object size = stack.getStackItem(0).getConstant(); Object str = stack.getStackItem(1).getConstant();

  30. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 30 Custom Rule Demo Couldn’t get Gradle to

    recognize it. Docs say to drop in plugin directory/ Eclipse.

  31. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 31 PMD

  32. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 32 Created 2002 Java versions Up to Java

    20 Focus Coding issues Add ons Copy paste detection Languages Many

  33. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 33 What does PMD stand for? •Nothing •Retrofitted

    Programming Mistake Detector

  34. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 34 Sample Rules

  35. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 35 Sample Report

  36. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 36 Artifact URL Main page https://pmd.github.io/ Docs https://docs.pmd-code.org/latest/

    Rules https://pmd.github.io/pmd/ pmd_rules_java.html Ant task https://pmd.github.io/pmd/ pmd_userdocs_tools_ant.html Maven Plugin https://maven.apache.org/plugins/maven- pmd-plugin/ Gradle Plugin https://docs.gradle.org/current/userguide/ pmd_plugin.html URLs

  37. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 37 Config

  38. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 38 Output

  39. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 39 Suppressions

  40. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 40 Custom Rule Demo

  41. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 41 Custom Rule Demo

  42. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 42 Sonar

  43. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 43 Created 2006 Java versions Up to Java

    17 Focus Various Company SonarSource Languages Many

  44. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 44 Types •Sonar Lint - IDE •Open source

    web app/ scanner •Commercial web app/ scanner •SaaS - https://sonarcloud.io

  45. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 45 Sample Rules

  46. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 46 Sample Report

  47. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 47 Artifact URL Main page https://www.sonarsource.com/products/ sonarqube Docs

    https://docs.sonarqube.org/latest/ Rules https://rules.sonarsource.com/java/ Ant task https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- ant/ Maven Plugin https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- maven/ Gradle Plugin https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- gradle/ URLs

  48. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 48 Config

  49. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 49 Suppressions

  50. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 50 Custom Rule Demo

  51. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky + IDE Support 51

  52. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky Book Giveaway 52