Sonar Code Quality Testing Essentials


Product type Book
Published in Aug 2012
Publisher Packt
ISBN-13 9781849517867
Pages 318 pages
Edition 1st Edition
Author (1): Charalampos S Arapidis


Source code analyzers


To analyze code, Sonar uses some of the most popular and proven tools available in the open source community. These tools pass through the source code performing standard checks and reporting errors and possible bugs, each from its own perspective. The checks range from minor styling ones, for example the detection of unwanted trailing spaces, to more complex ones that point to potential bugs, such as unchecked variables that can result in null references. Since version 2.1 Sonar provides its own rules engine too, based on Squid.

Sonar includes the following five analyzers:

  • Squid—http://docs.codehaus.org/display/SONAR/Documentation

  • Checkstyle—http://checkstyle.sourceforge.net/

  • PMD—http://pmd.sourceforge.net/

  • FindBugs—http://findbugs.sourceforge.net/

  • Cobertura—http://cobertura.sourceforge.net/

  • Clover—http://www.atlassian.com/software/clover/

Squid

Sonar's core analyzer, Squid, works on Java dependencies and calculates object-oriented metrics. It implements the visitor pattern to visit dependencies between methods, fields, classes, and packages. Some of the metrics calculated are the following:

  • RFC—Response for Class

  • LCOM4—Lack of Cohesion Methods

  • DIT—Depth of Inheritance Tree

  • NOC—Number of Children

Checkstyle

Checkstyle ensures that all source code adheres to coding standards. Its main duty is to check code from an aesthetic perspective, with emphasis on layout and styling. However, during its development more checks were added that stray from the initial coding style and standards concept. Checkstyle is now capable of performing broader checks, such as identifying class design problems, duplication, and common bug patterns. Checkstyle, and the rest of the tools we are going to examine here, can also run standalone.

Note

Bug patterns

A bug pattern is badly structured code that under certain circumstances can produce errors. These vulnerabilities may not always fail a test case but can potentially lead to memory outage, performance degradation, security breaches, and many other problems. Such common error-prone structures have been identified and standardized, so that they can be identified easily by source code analyzers.

PMD

According to its creator, a standard definition for the PMD acronym does not exist. In any case, the following are some interpretations taken straight from the "What does it mean" section of the project's SourceForge page:

  • Project Mess Detector

  • Programs of Mass Destruction

  • Project Meets Deadline

Head over to PMD's home page for a more comprehensive list.

PMD scans Java source code and reports on problems such as the following:

  • Possible bugs—empty try / catch / finally / switch statements

  • Dead code—unused local variables, parameters, and private methods

  • Suboptimal code—wasteful String / StringBuffer code

  • Complex expressions—unnecessary if statements, for loops that could be while loops

  • Duplicate code—copied/pasted code
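Three of the categories above, shown on one small Java method next to a cleaned-up version. This is an added example, not code from the book or from PMD; the class name, method names and port list are hypothetical. The "before" version also illustrates the bug-pattern note earlier in this section: it behaves correctly on well-formed input and only goes wrong on input that a test case may never supply.

```java
import java.util.Arrays;
import java.util.List;

// Hypothetical class and method names, constructed for this example.
public class AnalyzerFindings {

    // BEFORE: three of the problem categories listed above in one method.
    static boolean isAllowedPortBefore(String text, List<Integer> allowed) {
        int port = allowed.get(0);          // starts out as a port that passes
        int attempts = 0;                   // dead code: unused local variable
        try {
            port = Integer.parseInt(text);
        } catch (NumberFormatException e) {
            // possible bug: empty catch block, the bad input is forgotten
        }
        if (allowed.contains(port)) {       // complex expression: unnecessary if
            return true;
        } else {
            return false;
        }
    }

    // AFTER: the failure is handled and the result is returned directly.
    static boolean isAllowedPortAfter(String text, List<Integer> allowed) {
        try {
            return allowed.contains(Integer.parseInt(text));
        } catch (NumberFormatException e) {
            return false;                   // unparseable input is rejected
        }
    }

    public static void main(String[] args) {
        List<Integer> allowed = Arrays.asList(443, 8443);  // constructed sample
        for (String input : new String[] {"443", "22", "not-a-port"}) {
            System.out.println(input + ": before=" + isAllowedPortBefore(input, allowed)
                    + " after=" + isAllowedPortAfter(input, allowed));
        }
    }
}
```

The two versions agree on the numeric inputs and differ only on the unparseable string, where the swallowed exception leaves the initial, allowed port in place.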

FindBugs

FindBugs performs static analysis to check source code and trace bugs and defects. It covers many different aspects such as vulnerabilities, malicious code, performance, and coding standards.

Cobertura and Clover

Cobertura, based on the jcoverage Java library, is used to calculate the percentage of code accessed by tests and identify which parts of your source code lack test coverage. Additionally, it calculates cyclomatic complexity for each class and the average cyclomatic complexity for each package.

Clover places more emphasis on test coverage, provides a rich user interface, and can easily be used as a standalone tool, offering a complete quality testing solution.
