2023-static-analysis.pdf

Jeanne Boyarsky
July 20, 2023

Transcript

  1. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 1
    Improving your Code with Static Analysis Tools
    Jeanne Boyarsky
    Thursday, July 20th 2023
    UberConf
    speakerdeck.com/boyarsky
    https://github.com/boyarsky/2023-uberconf-static-analysis

  2. Pause for a Commercial
    Java certs: 8/11/17
    Book giveaway at end!

  3. Intro

  4. Identify errors in code without running it

  5. Brainstorm: what are some things static analysis can find?
    • Functionality defects
    • Anti-patterns
    • Performance issues
    • Security problems
    • Coding standard violations

  6. (Venn diagram) Static Analysis (coding standards, functionality, etc) and SAST (Static Application Security Testing: security modeling, etc) overlap; the overlap is security static analysis.

  7. (image-only slide)

  8. Checkstyle

  9. Created: 2001
    Java versions: 10.X - Java 11-17; 9.X - Java 8
    Focus: Coding standards
    Limits: One file at a time
    Languages: Java

  10. Sample Rules

  11. Sample Report

  12. Sample Report

  13. URLs
    Docs: https://checkstyle.sourceforge.io/
    GitHub: https://github.com/checkstyle/checkstyle/releases/
    Ant Task: https://checkstyle.sourceforge.io/anttask.html
    Maven Plugin: https://maven.apache.org/plugins/maven-checkstyle-plugin
    Gradle Plugin: https://docs.gradle.org/current/userguide/checkstyle_plugin.html

  14. Caveats
    • Older tool
    • “Sun” and Google styles built in
    • One file at a time
    • Not as powerful as others

  15. Config

  16. Output

  17. Suppressions
    Can also use XML-based excludes

  18. Custom Rule Demo

  19. SpotBugs

  20. Created: FindBugs 2006, SpotBugs 2016
    Java versions: Any? (old docs say 9 but works with 17)
    Focus: Scanning bytecode
    Languages: Java

  21. FindBugs?

  22. Sample Rules

  23. Sample Report

  24. URLs
    Main page: https://spotbugs.github.io/
    Docs: https://spotbugs.github.io/
    Rules: https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html
    Ant task: https://spotbugs.readthedocs.io/en/stable/ant.html
    Maven Plugin: https://spotbugs.github.io/spotbugs-maven-plugin/
    Gradle Plugin: https://plugins.gradle.org/plugin/com.github.spotbugs

  25. Caveats
    • Older tool
    • Support slow - deprecated Gradle code for three versions
    • Rules can be finicky
    • Report kludgy
    • Docs varying degrees of dated

  26. Config

  27. Output

  28. Suppressions

  29. Custom Rule Demo
    Or bytecode directly if need to:
    // item 0 is the top of the operand stack (the value pushed most recently)
    Object size = stack.getStackItem(0).getConstant();
    // item 1 is the next value down; getConstant() returns null unless the value is a known compile-time constant
    Object str = stack.getStackItem(1).getConstant();

  30. Custom Rule Demo
    Couldn’t get Gradle to recognize it. Docs say to drop in plugin directory/Eclipse.
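As an added example, not code from the talk or its repository: a complete detector built on the same OpcodeStackDetector API as the two lines on slide 29. It inspects the operand stack at a constructor call and reports java.util.Random constructed with a constant seed, which makes the generated sequence reproducible, a problem when those values feed anything security-sensitive such as tokens or identifiers. The detector class name and the bug pattern id are hypothetical; for SpotBugs to load the detector, the plugin jar also needs findbugs.xml and messages.xml entries declaring the detector and the pattern, which are not shown here.

```java
// Added example, not from the talk's repository. Detector name and bug pattern id
// are hypothetical; a packaged plugin must also declare them in findbugs.xml and
// messages.xml for SpotBugs to load the detector and render the message.
package example.spotbugs;

import edu.umd.cs.findbugs.BugInstance;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.bcel.OpcodeStackDetector;
import org.apache.bcel.Const;

public class HardcodedRandomSeedDetector extends OpcodeStackDetector {

    // Hypothetical pattern id; must match the <BugPattern type="..."> entry in findbugs.xml
    private static final String BUG_TYPE = "EXAMPLE_HARDCODED_RANDOM_SEED";

    private final BugReporter bugReporter;

    // SpotBugs instantiates detectors reflectively, passing the BugReporter
    public HardcodedRandomSeedDetector(BugReporter bugReporter) {
        this.bugReporter = bugReporter;
    }

    // Called once per bytecode instruction. 'stack' is the operand stack as it is
    // just before this instruction executes; item 0 is the value pushed most recently.
    @Override
    public void sawOpcode(int seen) {
        if (seen != Const.INVOKESPECIAL) {
            return;                       // constructors are invoked via invokespecial
        }
        if (!"java/util/Random".equals(getClassConstantOperand())
                || !"<init>".equals(getNameConstantOperand())
                || !"(J)V".equals(getSigConstantOperand())) {
            return;                       // only the Random(long seed) constructor
        }
        // For Random(long), the seed is the last argument pushed, so it is item 0
        // (items 1 and 2 are the dup'd and original references from 'new').
        // getConstant() is non-null only when the stack analysis knows the value is
        // a compile-time constant, e.g. a literal such as 42L.
        Object seed = stack.getStackItem(0).getConstant();
        if (seed instanceof Long) {
            bugReporter.reportBug(new BugInstance(this, BUG_TYPE, NORMAL_PRIORITY)
                    .addClassAndMethod(this)     // enclosing class and method
                    .addSourceLine(this)         // source line of the current instruction
                    .addString("seed = " + seed));
        }
    }
}
```

Checking the method signature as well as the class and name keeps the detector from firing on the no-argument constructor, whose seed comes from the system clock and is not a constant; a seed computed at runtime also goes unreported, because getConstant() returns null for it, so the rule only flags what the analysis can prove.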

  31. PMD

  32. Created: 2002
    Java versions: Up to Java 20
    Focus: Coding issues
    Add-ons: Copy paste detection
    Languages: Many

  33. What does PMD stand for?
    • Nothing
    • Retrofitted: Programming Mistake Detector

  34. Sample Rules

  35. Sample Report

  36. URLs
    Main page: https://pmd.github.io/
    Docs: https://docs.pmd-code.org/latest/
    Rules: https://pmd.github.io/pmd/pmd_rules_java.html
    Ant task: https://pmd.github.io/pmd/pmd_userdocs_tools_ant.html
    Maven Plugin: https://maven.apache.org/plugins/maven-pmd-plugin/
    Gradle Plugin: https://docs.gradle.org/current/userguide/pmd_plugin.html

  37. Config

  38. Output

  39. Suppressions

  40. Custom Rule Demo

  41. Custom Rule Demo

  42. Sonar

  43. Created: 2006
    Java versions: Up to Java 17
    Focus: Various
    Company: SonarSource
    Languages: Many

  44. Types
    • Sonar Lint - IDE
    • Open source web app/scanner
    • Commercial web app/scanner
    • SaaS - https://sonarcloud.io

  45. Sample Rules

  46. Sample Report

  47. URLs
    Main page: https://www.sonarsource.com/products/sonarqube
    Docs: https://docs.sonarqube.org/latest/
    Rules: https://rules.sonarsource.com/java/
    Ant task: https://docs.sonarqube.org/9.7/analyzing-source-code/scanners/sonarscanner-for-ant/
    Maven Plugin: https://docs.sonarqube.org/9.7/analyzing-source-code/scanners/sonarscanner-for-maven/
    Gradle Plugin: https://docs.sonarqube.org/9.7/analyzing-source-code/scanners/sonarscanner-for-gradle/

  48. Config

  49. Suppressions

  50. Custom Rule Demo

  51. + IDE Support

  52. Book Giveaway