Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2023-static-analysis.pdf

Jeanne Boyarsky
July 20, 2023
0
32

 2023-static-analysis.pdf

Jeanne Boyarsky

July 20, 2023
Tweet

More Decks by Jeanne Boyarsky

See All by Jeanne Boyarsky
Preparing for the Java 21 Certification and Learning New Features
boyarsky
0
65
2024-java21.pdf
boyarsky
0
16
NYC FRC 2024 Kickoff Awards Presentation
boyarsky
0
53
Preparing to Apply and Speak at Conferences
boyarsky
0
37
Refactoring to Java 21
boyarsky
1
31
Readable Regular Expressions in Java
boyarsky
0
86
Readable Regular Expressions
boyarsky
0
170
Java Idioms for becoming a more powerful developer
boyarsky
0
130
12 Tips for Writing Readable Code
boyarsky
0
180

Featured

See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
Design by the Numbers
sachag
274
18k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
GraphQLの誤解/rethinking-graphql
sonatard
51
9.2k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
What the flash - Photography Introduction
edds
64
11k
Ruby is Unlike a Banana
tanoku
96
10k
Practical Orchestrator
shlominoach
182
9.7k
GitHub's CSS Performance
jonrohan
1025
450k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k

Transcript

  1. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 1 Improving your Code with Static Analysis Tools

    Jeanne Boyarsky Thursday, July 20th 2023 UberConf speakerdeck.com/boyarsky https://github.com/boyarsky/2023-uberconf- static-analysis

  2. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky Pause for a Commercial 2 Java certs: 8/11/17

    Book giveaway at end!

  3. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 3 Intro

  4. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 4 Identify errors in code without running it

  5. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 5 Brainstorm: what are some things static analysis

    can find? •Functionality defects •Anti patterns •Performance issues •Security problems •Coding standard violations

  6. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 6 Static Analysis SAST (Static Application Security Testing)

    Coding standards, functionality, etc Security modeling, etc Security static analysis

  7. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 7

  8. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 8 Checkstyle

  9. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 9 Created 2001 Java versions 10.X - Java

    11-17 9.X - Java 8 Focus Coding standards Limits One file at a time Languages Java

  10. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 10 Sample Rules

  11. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 11 Sample Report

  12. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 12 Sample Report

  13. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 13 Artifact URL Docs https://checkstyle.sourceforge.io/ GitHub https://github.com/checkstyle/checkstyle/ releases/

    Ant Task https://checkstyle.sourceforge.io/ anttask.html Maven Plugin https://maven.apache.org/plugins/maven- checkstyle-plugin Gradle Plugin https://docs.gradle.org/current/userguide/ checkstyle_plugin.html URLs

  14. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 14 •Older tool •“Sun” and Google styles built

    in •One file at a time •Not as powerful as others Caveats

  15. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 15 Config

  16. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 16 Output

  17. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 17 Suppressions Can also use xml based excludes

  18. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 18 Custom Rule Demo

  19. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 19 SpotBugs

  20. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 20 Created FindBugs SpotBugs 2006 2016 Java versions

    Any? (old docs say 9 but works with 17) Focus Scanning bytecode Languages Java

  21. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 21 FindBugs?

  22. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 22 Sample Rules

  23. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 23 Sample Report

  24. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 24 Artifact URL Main page https://spotbugs.github.io/ Docs https://spotbugs.github.io/

    Rules https://spotbugs.readthedocs.io/en/latest/ bugDescriptions.html Ant task https://spotbugs.readthedocs.io/en/ stable/ant.html Maven Plugin https://spotbugs.github.io/spotbugs- maven-plugin/ Gradle Plugin https://plugins.gradle.org/plugin/ com.github.spotbugs URLs

  25. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 25 •Older tool •Support slow - deprecated gradle

    code for three versions •Rules can be finnicky •Report kludgy •Docs varying degrees of dated Caveats

  26. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 26 Config

  27. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 27 Output

  28. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 28 Suppressions

  29. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 29 Custom Rule Demo Or bytecode directly if

    need to Object size = stack.getStackItem(0).getConstant(); Object str = stack.getStackItem(1).getConstant();

  30. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 30 Custom Rule Demo Couldn’t get Gradle to

    recognize it. Docs say to drop in plugin directory/ Eclipse.

  31. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 31 PMD

  32. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 32 Created 2002 Java versions Up to Java

    20 Focus Coding issues Add ons Copy paste detection Languages Many

  33. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 33 What does PMD stand for? •Nothing •Retrofitted

    Programming Mistake Detector

  34. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 34 Sample Rules

  35. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 35 Sample Report

  36. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 36 Artifact URL Main page https://pmd.github.io/ Docs https://docs.pmd-code.org/latest/

    Rules https://pmd.github.io/pmd/ pmd_rules_java.html Ant task https://pmd.github.io/pmd/ pmd_userdocs_tools_ant.html Maven Plugin https://maven.apache.org/plugins/maven- pmd-plugin/ Gradle Plugin https://docs.gradle.org/current/userguide/ pmd_plugin.html URLs

  37. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 37 Config

  38. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 38 Output

  39. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 39 Suppressions

  40. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 40 Custom Rule Demo

  41. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 41 Custom Rule Demo

  42. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 42 Sonar

  43. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 43 Created 2006 Java versions Up to Java

    17 Focus Various Company SonarSource Languages Many

  44. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 44 Types •Sonar Lint - IDE •Open source

    web app/ scanner •Commercial web app/ scanner •SaaS - https://sonarcloud.io

  45. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 45 Sample Rules

  46. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 46 Sample Report

  47. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 47 Artifact URL Main page https://www.sonarsource.com/products/ sonarqube Docs

    https://docs.sonarqube.org/latest/ Rules https://rules.sonarsource.com/java/ Ant task https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- ant/ Maven Plugin https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- maven/ Gradle Plugin https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- gradle/ URLs

  48. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 48 Config

  49. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 49 Suppressions

  50. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 50 Custom Rule Demo

  51. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky + IDE Support 51

  52. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky Book Giveaway 52