Methods & Tools Software Development Magazine

Software Development Magazine - Programming, Software Testing, Project Management, Jobs

Findbugs - Static Code Analysis of Java

Markus Sprunck, Software Engineering Candies, http://www.sw-engineering-candies.com/

Findbugs is an open source tool for static code analysis of Java programs. It scans byte code for so called bug pattern to find defects and/or suspicious code. Although Findbugs needs the compiled class files it is not necessary to execute the code for the analysis. Working with Findbugs helps to prevent from shipping avoidable issues. It is also an excellent motivation for improving the skills of development teams to write better code in the first place.

Web Site: http://Findbugs.sourceforge.net/
Version Tested: Findbugs 2.0.1
System requirements: Java 1.5 or higher
License & Pricing: Open Source (Lesser GNU Public License)
Support: SourceForge Project (http://sourceforge.net/projects/Findbugs/)

What can I do with Findbugs?

Findbugs scans for possible bugs in Java software. Each finding is reported as a warning, but not all of these warnings are necessarily defects, e.g. warnings referring to possible performance issues. The terms bug or bug pattern are used in a misleading way by Findbugs. A better way would be to talk just about warnings. In the following article, the term warning will be used. All warnings are classified in four ranks: (i) scariest, (ii) scary, (iii) troubling and (iv) of concern. This is a hint to the developer about the possible impact/severity of the warnings. The current version reports 400 warnings in the nine categories:

Category

Number

Samples

Correctness

142

Illegal format string

Null value is guaranteed to be dereferenced

Call to equals() comparing unrelated class and interface

Bad practice

84

Confusing method names

Method may fail to close stream

Comparison of String parameter using == or !=

Dodgy code

71

Useless control flow

Integer remainder modulo 1

Redundant null check of value known to be null

Multithreaded Correctness

45

A thread was created using the default empty run method

Class's writeObject() method is synchronized but nothing else is

Performance

27

Method concatenates strings using + in a loop

Method invokes inefficient Boolean constructor

Malicious Code Vulnerability

15

Finalizer should be protected, not public

Field isn't final and can't be protected from malicious code

Security

11

Hardcoded constant database password

A prepared statement is generated from a variable String

Experimental

3

Method may fail to clean up stream or resource

Internationalization

2

Consider using Locale parameterized version of invoked method

Table 1: Selected Findbugs Warnings by Category

The authors of Findbugs report an average rate of false warnings of less than 50%. This is a fairly good value, but in practice even not all the true warnings will be fixed by developers due to different reasons. Because of this, it is necessary to deactivate some warnings.

Findbugs provides the possibility to uncomment wrong and/or unwanted warnings. There are two ways to remove warnings (i) the entire warning is switched off for all classes in the project settings or (ii) single warnings can be disabled for certain piece of code (e.g. with the annotation @edu.umd.cs.Findbugs.annotations.SuppressWarnings).

It is possible to develop Findbugs custom detectors (own rules) and/or integrate third party detectors.

What is new in version 2.0?

  • Findbugs version 2.0 supports 24 new warnings
  • Detection of problems identified by JSR-305 annotations is now possible
  • A new attribute bug rank has been introduced. This bug rank is a number between 1 and 20 and grouped in four values:
  • Scariest (1-4),
  • Scary (5-9),
  • Troubling (10-14) and
  • Of Concern (rank 15-20)
  • The term priority has been renamed to confidence to avoid misconceptions with the bug rank
  • Simplifications of the command line interface
  • Support for the Google Core Libraries for Java (Guava)
  • Easier to define Findbugs plug-in
  • some other improvements

Integrations and User Interfaces of Findbugs

Findbugs can be executed in many different ways from command line, builds or in IDEs. Available integrations are:

Installation of Eclipse Plug-In

The Eclipse plug-in work with Eclipse 3.x releases from 3.3. The plug-in runs under Java 1.5 or newer.

For Eclipse 4.2 (Juno) the next steps install the plug-in:

  1. In Eclipse, click on Help | Install New Software and press Add button.
  2. You should see Findbugs in the list. Select the entry and press Next button.
  3. You should see the Install Details without errors and press Next button.
  4. Select the "I accept the terms of the license agreement" option and click Finish button.
  5. The plug-in is not digitally signed. Go ahead and install it anyway. (press OK button)
  6. Click Yes to make Eclipse restart itself.

Working with Eclipse Plug-in

Working with Findbugs in Eclipse is easy and strait forward. To run the analysis, select your Java project or class. In the context menu you find then an entry Find Bugs (see Figure 1).

Figure 1: Start Findbugs with context menu.

After the analysis is ready you may change to the Findbugs Perspective (see Figure 2) of Eclipse.

Figure 2: Findbugs Perspective.

The Findbugs Eclipse Plug-In offers various opportunities for customization of how to show and filter warnings. (see Figure 3). It is worth to spend some time to see the differences with changed parameters.

Figure 3 Customization of Findbugs in the Preferences dialog.

There is also a possibility to create file filters. This can be helpful to exclude parts of the project like the test code for instance.

Documentation

The documentation of FindBugs is actually a field for improvement. The online documentation is partly outdated and/or could go more in detail. The descriptions of the warnings in the online documentation are concise and well written. Unfortunately, some parts of the description are not easy to understand, even for experienced Java developers.

Conclusion

The new version of Findbugs has again a lot of improvements and is more powerful than ever. The only point of criticism is the documentation that is not up-to-date and lacks examples.

Findbugs is a good choice to start with static code analysis in your software project in the first place. With Findbugs you can detect the "low hanging fruits" of the code and this helps to convince the developers to accept and use static code analysis.

Other tools like PMD or Checkstyle focus more on anti-pattern, coding style and/or coding conventions. If you start with static code analysis, it will be important to convince developers (and management) about the added value the tool. Here it is easier to discuss about a warning like "Null value is guaranteed to be dereferenced" than a sometimes esoteric discussion about naming convention and/or style.

Further Reading

Tutorial - Findbugs Warnings By Sample (Basics)

Tutorial - Findbugs Warnings By Sample (Database & Security)

Tutorial - Findbugs Warnings By Sample (Exception Handling & Control Flow)

Tutorial - Findbugs Warnings By Sample (@Nonnull and @CheckReturnValue of JSR-305)


More Software Testing Resources


Click here to view the complete list of tools reviews

This article was originally published in the Fall 2012 issue of Methods & Tools