Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2023-static-analysis.pdf

Jeanne Boyarsky
July 20, 2023
0
110

 2023-static-analysis.pdf

Jeanne Boyarsky

July 20, 2023
Tweet

More Decks by Jeanne Boyarsky

See All by Jeanne Boyarsky
Preparing for the Java 21 cert + Learning New Features
boyarsky
0
76
Mastering Logging in Java
boyarsky
0
55
2025 FRC Changes and Awards - NYC FIRST
boyarsky
0
47
Managing Your Time for Work, Learning, and Fun
boyarsky
0
91
Preparing for the Java 21 Certification and Learning New Features
boyarsky
0
210
2024-java21.pdf
boyarsky
0
69
NYC FRC 2024 Kickoff Awards Presentation
boyarsky
0
100
Preparing to Apply and Speak at Conferences
boyarsky
0
75
Refactoring to Java 21
boyarsky
1
120

Featured

See All Featured
Docker and Python
trallard
44
3.3k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.3k
Site-Speed That Sticks
csswizardry
5
490
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
For a Future-Friendly Web
brad_frost
176
9.7k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.4k
4 Signs Your Business is Dying
shpigford
183
22k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
13
670
Building Adaptive Systems
keathley
41
2.5k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
660
Facilitating Awesome Meetings
lara
54
6.3k

Transcript

  1. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 1 Improving your Code with Static Analysis Tools

    Jeanne Boyarsky Thursday, July 20th 2023 UberConf speakerdeck.com/boyarsky https://github.com/boyarsky/2023-uberconf- static-analysis

  2. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky Pause for a Commercial 2 Java certs: 8/11/17

    Book giveaway at end!

  3. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 3 Intro

  4. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 4 Identify errors in code without running it

  5. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 5 Brainstorm: what are some things static analysis

    can find? •Functionality defects •Anti patterns •Performance issues •Security problems •Coding standard violations

  6. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 6 Static Analysis SAST (Static Application Security Testing)

    Coding standards, functionality, etc Security modeling, etc Security static analysis

  7. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 7

  8. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 8 Checkstyle

  9. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 9 Created 2001 Java versions 10.X - Java

    11-17 9.X - Java 8 Focus Coding standards Limits One file at a time Languages Java

  10. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 10 Sample Rules

  11. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 11 Sample Report

  12. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 12 Sample Report

  13. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 13 Artifact URL Docs https://checkstyle.sourceforge.io/ GitHub https://github.com/checkstyle/checkstyle/ releases/

    Ant Task https://checkstyle.sourceforge.io/ anttask.html Maven Plugin https://maven.apache.org/plugins/maven- checkstyle-plugin Gradle Plugin https://docs.gradle.org/current/userguide/ checkstyle_plugin.html URLs

  14. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 14 •Older tool •“Sun” and Google styles built

    in •One file at a time •Not as powerful as others Caveats

  15. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 15 Config

  16. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 16 Output

  17. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 17 Suppressions Can also use xml based excludes

  18. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 18 Custom Rule Demo

  19. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 19 SpotBugs

  20. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 20 Created FindBugs SpotBugs 2006 2016 Java versions

    Any? (old docs say 9 but works with 17) Focus Scanning bytecode Languages Java

  21. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 21 FindBugs?

  22. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 22 Sample Rules

  23. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 23 Sample Report

  24. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 24 Artifact URL Main page https://spotbugs.github.io/ Docs https://spotbugs.github.io/

    Rules https://spotbugs.readthedocs.io/en/latest/ bugDescriptions.html Ant task https://spotbugs.readthedocs.io/en/ stable/ant.html Maven Plugin https://spotbugs.github.io/spotbugs- maven-plugin/ Gradle Plugin https://plugins.gradle.org/plugin/ com.github.spotbugs URLs

  25. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 25 •Older tool •Support slow - deprecated gradle

    code for three versions •Rules can be finnicky •Report kludgy •Docs varying degrees of dated Caveats

  26. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 26 Config

  27. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 27 Output

  28. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 28 Suppressions

  29. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 29 Custom Rule Demo Or bytecode directly if

    need to Object size = stack.getStackItem(0).getConstant(); Object str = stack.getStackItem(1).getConstant();

  30. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 30 Custom Rule Demo Couldn’t get Gradle to

    recognize it. Docs say to drop in plugin directory/ Eclipse.

  31. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 31 PMD

  32. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 32 Created 2002 Java versions Up to Java

    20 Focus Coding issues Add ons Copy paste detection Languages Many

  33. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 33 What does PMD stand for? •Nothing •Retrofitted

    Programming Mistake Detector

  34. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 34 Sample Rules

  35. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 35 Sample Report

  36. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 36 Artifact URL Main page https://pmd.github.io/ Docs https://docs.pmd-code.org/latest/

    Rules https://pmd.github.io/pmd/ pmd_rules_java.html Ant task https://pmd.github.io/pmd/ pmd_userdocs_tools_ant.html Maven Plugin https://maven.apache.org/plugins/maven- pmd-plugin/ Gradle Plugin https://docs.gradle.org/current/userguide/ pmd_plugin.html URLs

  37. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 37 Config

  38. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 38 Output

  39. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 39 Suppressions

  40. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 40 Custom Rule Demo

  41. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 41 Custom Rule Demo

  42. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 42 Sonar

  43. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 43 Created 2006 Java versions Up to Java

    17 Focus Various Company SonarSource Languages Many

  44. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 44 Types •Sonar Lint - IDE •Open source

    web app/ scanner •Commercial web app/ scanner •SaaS - https://sonarcloud.io

  45. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 45 Sample Rules

  46. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 46 Sample Report

  47. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 47 Artifact URL Main page https://www.sonarsource.com/products/ sonarqube Docs

    https://docs.sonarqube.org/latest/ Rules https://rules.sonarsource.com/java/ Ant task https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- ant/ Maven Plugin https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- maven/ Gradle Plugin https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- gradle/ URLs

  48. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 48 Config

  49. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 49 Suppressions

  50. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 50 Custom Rule Demo

  51. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky + IDE Support 51

  52. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky Book Giveaway 52