Slide 1

Improving your Code with Static Analysis Tools
Jeanne Boyarsky
Thursday, July 20th 2023
UberConf
speakerdeck.com/boyarsky
https://github.com/boyarsky/2023-uberconf-static-analysis
twitter.com/jeanneboyarsky
mastodon.social/@jeanneboyarsky

Slide 2

Pause for a Commercial
Java certs: 8/11/17
Book giveaway at end!

Slide 3

Intro

Slide 4

Identify errors in code without running it

Slide 5

Brainstorm: what are some things static analysis can find?
• Functionality defects
• Anti patterns
• Performance issues
• Security problems
• Coding standard violations

Slide 6

Static Analysis: coding standards, functionality, etc.
SAST (Static Application Security Testing): security modeling, etc.
Overlap of the two: security static analysis

Slide 7

Slide 8

Checkstyle

Slide 9

Created: 2001
Java versions: 10.X - Java 11-17; 9.X - Java 8
Focus: Coding standards
Limits: One file at a time
Languages: Java

Slide 10

Sample Rules

Slide 11

Sample Report

Slide 12

Sample Report

Slide 13

URLs

Artifact       URL
Docs           https://checkstyle.sourceforge.io/
GitHub         https://github.com/checkstyle/checkstyle/releases/
Ant Task       https://checkstyle.sourceforge.io/anttask.html
Maven Plugin   https://maven.apache.org/plugins/maven-checkstyle-plugin
Gradle Plugin  https://docs.gradle.org/current/userguide/checkstyle_plugin.html

Slide 14

Caveats
• Older tool
• “Sun” and Google styles built in
• One file at a time
• Not as powerful as others

Slide 15

Config

Slide 16

Output

Slide 17

Suppressions
Can also use XML-based excludes

Slide 18

Custom Rule Demo

Slide 19

SpotBugs

Slide 20

Created: FindBugs 2006, SpotBugs 2016
Java versions: Any? (old docs say 9 but works with 17)
Focus: Scanning bytecode
Languages: Java

Slide 21

FindBugs?

Slide 22

Sample Rules

Slide 23

Sample Report

Slide 24

URLs

Artifact       URL
Main page      https://spotbugs.github.io/
Docs           https://spotbugs.github.io/
Rules          https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html
Ant task       https://spotbugs.readthedocs.io/en/stable/ant.html
Maven Plugin   https://spotbugs.github.io/spotbugs-maven-plugin/
Gradle Plugin  https://plugins.gradle.org/plugin/com.github.spotbugs

Slide 25

Caveats
• Older tool
• Support slow - deprecated Gradle code for three versions
• Rules can be finicky
• Report kludgy
• Docs dated to varying degrees

Slide 26

Config

Slide 27

Output

Slide 28

Suppressions

Slide 29

Custom Rule Demo
Or bytecode directly if need to:

    // inside a SpotBugs OpcodeStackDetector: read constant values from the operand stack
    Object size = stack.getStackItem(0).getConstant(); // item 0 = top of stack (last value pushed)
    Object str = stack.getStackItem(1).getConstant();  // item 1 = the value beneath it
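The slide shows the core of a bytecode-level custom rule: at a call site, the arguments sit on the operand stack and SpotBugs can tell you their constant values. The following is an added example, not code from the talk or from its GitHub repository, of a complete detector built the same way; it flags calls to MessageDigest.getInstance whose algorithm name is a compile-time constant naming a broken hash. The class name, package and the bug type id EXAMPLE_WEAK_HASH_ALGORITHM are assumptions; the SpotBugs API calls (OpcodeStackDetector, OpcodeStack.Item.getConstant, BugInstance, the *ConstantOperand accessors) are the real ones.

```java
package example.detectors; // hypothetical package, not from the talk's repository

import edu.umd.cs.findbugs.BugInstance;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.Priorities;
import edu.umd.cs.findbugs.bcel.OpcodeStackDetector;
import org.apache.bcel.Const;

import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical custom SpotBugs detector (added example): reports
 * MessageDigest.getInstance("MD5") / getInstance("SHA-1") when the
 * algorithm name is a constant SpotBugs can resolve on the operand stack.
 */
public class WeakHashAlgorithmDetector extends OpcodeStackDetector {

    // Bug pattern id; assumed name, must match the BugPattern declared in findbugs.xml
    static final String BUG_TYPE = "EXAMPLE_WEAK_HASH_ALGORITHM";

    private static final Set<String> WEAK = Set.of("MD5", "SHA-1", "SHA1");

    private final BugReporter bugReporter;

    public WeakHashAlgorithmDetector(BugReporter bugReporter) {
        this.bugReporter = bugReporter;
    }

    @Override
    public void sawOpcode(int seen) {
        // Only static calls to MessageDigest.getInstance(String) are of interest
        if (seen != Const.INVOKESTATIC) {
            return;
        }
        if (!"java/security/MessageDigest".equals(getClassConstantOperand())
                || !"getInstance".equals(getNameConstantOperand())
                || !"(Ljava/lang/String;)Ljava/security/MessageDigest;".equals(getSigConstantOperand())) {
            return;
        }
        // Stack item 0 is the top of the operand stack: the single String argument.
        // getConstant() returns null when the value is not a resolvable constant,
        // so a name read from configuration at runtime is simply not reported.
        Object algorithm = stack.getStackItem(0).getConstant();
        if (algorithm instanceof String && isWeak((String) algorithm)) {
            bugReporter.reportBug(new BugInstance(this, BUG_TYPE, Priorities.NORMAL_PRIORITY)
                    .addClassAndMethod(this)
                    .addString((String) algorithm)
                    .addSourceLine(this, getPC()));
        }
    }

    /** Pure decision helper, kept separate so the rule can be unit tested without bytecode. */
    static boolean isWeak(String algorithm) {
        return WEAK.contains(algorithm.trim().toUpperCase(Locale.ROOT));
    }
}
```

To be picked up by SpotBugs the compiled detector has to be packaged as a plugin jar that declares it in findbugs.xml (a Detector entry plus a BugPattern entry for the bug type) and describes it in messages.xml; that packaging step, rather than the detector code, is what the next slide reports trouble with under Gradle.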

Slide 30

Custom Rule Demo
Couldn’t get Gradle to recognize it. Docs say to drop in plugin directory / Eclipse.

Slide 31

PMD

Slide 32

Created: 2002
Java versions: Up to Java 20
Focus: Coding issues
Add ons: Copy paste detection
Languages: Many

Slide 33

What does PMD stand for?
• Nothing
• Retrofitted: Programming Mistake Detector

Slide 34

Sample Rules

Slide 35

Sample Report

Slide 36

URLs

Artifact       URL
Main page      https://pmd.github.io/
Docs           https://docs.pmd-code.org/latest/
Rules          https://pmd.github.io/pmd/pmd_rules_java.html
Ant task       https://pmd.github.io/pmd/pmd_userdocs_tools_ant.html
Maven Plugin   https://maven.apache.org/plugins/maven-pmd-plugin/
Gradle Plugin  https://docs.gradle.org/current/userguide/pmd_plugin.html

Slide 37

Config

Slide 38

Output

Slide 39

Suppressions

Slide 40

Custom Rule Demo

Slide 41

Custom Rule Demo

Slide 42

Sonar

Slide 43

Created: 2006
Java versions: Up to Java 17
Focus: Various
Company: SonarSource
Languages: Many

Slide 44

Types
• Sonar Lint - IDE
• Open source web app/scanner
• Commercial web app/scanner
• SaaS - https://sonarcloud.io

Slide 45

Sample Rules

Slide 46

Sample Report

Slide 47

URLs

Artifact       URL
Main page      https://www.sonarsource.com/products/sonarqube
Docs           https://docs.sonarqube.org/latest/
Rules          https://rules.sonarsource.com/java/
Ant task       https://docs.sonarqube.org/9.7/analyzing-source-code/scanners/sonarscanner-for-ant/
Maven Plugin   https://docs.sonarqube.org/9.7/analyzing-source-code/scanners/sonarscanner-for-maven/
Gradle Plugin  https://docs.sonarqube.org/9.7/analyzing-source-code/scanners/sonarscanner-for-gradle/

Slide 48

Config

Slide 49

Suppressions

Slide 50

Custom Rule Demo

Slide 51

+ IDE Support

Slide 52

Book Giveaway