Java Static Code Analysis

Powered by Parasoft Jtest, the enterprise development testing solution for Java

Try Parasoft Jtest

Static Code Analysis Tool for Developing Reliable Java Applications

Parasoft Jtest verifies Java code quality and checks compliance with security standards (OWASP, CWE, CERT, PCI, etc.) by applying more than 1000 static analysis checkers, a broader set than open source tools provide. Parasoft Jtest feeds its results into Parasoft’s centralized reporting and analytics hub, whose Process Intelligence Engine provides deep insight into code quality and risk.

Java Static Analysis

How does it work?

Parasoft Jtest provides a comprehensive set of static analysis checkers and testing techniques that can be used to verify compliance with security standards (OWASP, CWE, CERT, PCI, etc.) and custom coding standards (using built-in or user-defined rules), find runtime problems early without executing the code (e.g. null pointer exceptions, array index out of bounds), identify code duplication, and understand complexity and code structure (leveraging 40+ industry-accepted code metrics).

Jtest employs a state-of-the-art Java parsing engine to analyze and understand the code under test and report defects as rule violations. It ships with over 1000 checkers that cover general best practices (Effective Java, The Java Programming Language) and industry standards (OWASP, CWE, CERT, PCI, etc.), as well as specialized bug-finders (null pointer exceptions, resource leaks, deadlocks, division by zero, array index out of bounds, and more).

To help users decide which static analysis rules to use, Jtest attaches metadata to each rule:

  • Built-In Test Configurations: Pre-defined rule sets let users run static analysis quickly and conveniently.
  • Rule Categories: Each rule belongs to a category (e.g. Optimization, Security, Exceptions, API), so users can quickly see how it relates to their testing priorities.
  • Severity Levels: Each rule is assigned a severity level to help users gauge the potential impact of a violation.

Static code analysis can be performed in the IDE (Eclipse, IntelliJ, NetBeans), from the command line, or through build system plugins (Ant, Maven, Gradle) for automation and Continuous Integration. Results are available immediately (in the IDE, or as HTML/XML/PDF reports) or can be collected by Parasoft’s Process Intelligence Engine for post-processing, reporting, and advanced analytics. Jtest also provides the capabilities needed to keep static analysis a maintainable part of the development process, such as suppressing unwanted findings and prioritizing and assigning findings to developers.


Features

To keep defects out of the codebase, Parasoft Jtest analyzes the parse tree of each file and looks for patterns that represent bad development practices. It also exposes dangerous paths through the codebase that could cause instability or security issues at runtime, without executing any of those paths. By analyzing execution paths through the code, Jtest’s static analysis detects issues early in development, such as null pointer exceptions, division by zero, array index out of bounds, and more.
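The defect classes named here and in the list of bug-finders above, as an added Java example that is not Parasoft’s code and is not taken from Jtest’s documentation or rule set. Each "Unsafe" method contains a path that a path-sensitive analyzer can report without running the program (a null return dereferenced by its caller, a divisor that can be zero, an index one past the end of an array, a reader left open when an exception interrupts the read), and the matching "Safe" method shows the fix. The class, method names and the configuration map are hypothetical and constructed for the example.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.function.IntSupplier;

/**
 * Hypothetical illustration (not Parasoft's code) of defect classes a
 * path-sensitive static analyzer reports without executing the program.
 */
public class StaticAnalysisDefects {

    // Constructed sample configuration: "shards" is present but zero,
    // "timeout" is absent, so the unsafe lookups fail on the missing-key path.
    private static final Map<String, String> CONFIG = new HashMap<>();
    static {
        CONFIG.put("retries", "3");
        CONFIG.put("shards", "0");
    }

    /** Returns null when the key is absent; every caller inherits that path. */
    static String lookupUnsafe(String key) {
        return CONFIG.get(key);
    }

    /** Null pointer exception: lookupUnsafe("timeout") returns null, then .trim() is called on it. */
    static int timeoutUnsafe() {
        return Integer.parseInt(lookupUnsafe("timeout").trim());
    }

    /** Division by zero: the divisor comes from configuration and is never checked. */
    static int perShardUnsafe(int total) {
        int shards = Integer.parseInt(CONFIG.get("shards"));
        return total / shards;
    }

    /** Array index out of bounds: the last valid index is count - 1, not count. */
    static int lastSampleUnsafe(int[] samples, int count) {
        return samples[count];
    }

    /** Resource leak: if readLine() throws, close() is skipped. */
    static String firstLineUnsafe(String path) throws IOException {
        BufferedReader in = new BufferedReader(new FileReader(path));
        String line = in.readLine();
        in.close();
        return line;
    }

    // ---- Hardened versions ---------------------------------------------

    /** The null path is resolved at the lookup boundary with an explicit fallback. */
    static String lookupSafe(String key, String fallback) {
        String value = CONFIG.get(key);
        return value == null ? fallback : value;
    }

    static int timeoutSafe() {
        return Integer.parseInt(lookupSafe("timeout", "30").trim());
    }

    /** The divisor is validated before use; a bad configuration fails loudly. */
    static int perShardSafe(int total) {
        int shards = Integer.parseInt(lookupSafe("shards", "1"));
        if (shards <= 0) {
            throw new IllegalArgumentException("shards must be positive, got " + shards);
        }
        return total / shards;
    }

    /** The index is range-checked against the array length before the access. */
    static int lastSampleSafe(int[] samples, int count) {
        if (count < 1 || count > samples.length) {
            throw new IllegalArgumentException("count out of range: " + count);
        }
        return samples[count - 1];
    }

    /** try-with-resources closes the reader on every path, including exceptions. */
    static String firstLineSafe(String path) throws IOException {
        try (BufferedReader in = new BufferedReader(new FileReader(path))) {
            return in.readLine();
        }
    }

    /** Runs one method and reports either its result or the exception it raised. */
    private static void attempt(String label, IntSupplier body) {
        try {
            System.out.println(label + " = " + body.getAsInt());
        } catch (RuntimeException e) {
            System.out.println(label + " threw " + e.getClass().getSimpleName());
        }
    }

    public static void main(String[] args) {
        int[] samples = {10, 20, 30};
        attempt("timeoutUnsafe", StaticAnalysisDefects::timeoutUnsafe);
        attempt("perShardUnsafe", () -> perShardUnsafe(100));
        attempt("lastSampleUnsafe", () -> lastSampleUnsafe(samples, samples.length));
        attempt("timeoutSafe", StaticAnalysisDefects::timeoutSafe);
        attempt("perShardSafe", () -> perShardSafe(100));
        attempt("lastSampleSafe", () -> lastSampleSafe(samples, samples.length));
    }
}
```

Running `main` exercises the unsafe and safe versions side by side: the unsafe calls surface at runtime as NullPointerException, ArithmeticException and ArrayIndexOutOfBoundsException, while the safe versions either return a value or reject the bad configuration with an IllegalArgumentException that names the problem. A static analyzer flags the unsafe methods from the source alone, which is the point of finding these paths before the code is executed.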

To manage complexity, Jtest reports code metrics that describe the structure and design of your codebase and measure its complexity, so you can set thresholds, act on violations, and identify potential maintenance problems before they grow.

Jtest identifies instances where code has been duplicated or where the code is similar enough that you might want to consolidate the implementation. This not only helps you identify where you might refactor the code to benefit the design, but also reduces the maintenance cycle associated with changes in the codebase.

Parasoft Jtest provides a set of built-in checkers for verifying compliance with standards like OWASP Top 10 2017, CERT for Java, CWE-SANS Top 25 2011, PCI Data Security Standard 3.2, and more. Leveraging coding standards enables users to build secure and reliable web/distributed applications and services.

In Parasoft Jtest’s continuous quality mode in the IDE (Eclipse, IntelliJ, NetBeans), Jtest automatically analyzes code in the background each time a file is saved and alerts the user when it detects a defect, giving immediate feedback so issues are caught as early as possible.

Jtest’s customizable code analysis lets teams define organization-specific guidelines and coding standards. Users can turn rules on and off (creating custom test configurations that include only the rules relevant to the organization), modify existing rules (rules can be parameterized to suit development needs), and create entirely new custom rules without writing code, to extend or replace the built-in rules.

To enforce the same development strategies across the organization, these custom test configurations and static analysis rules can be shared through source control for individual projects, or through a centralized infrastructure to help different teams follow the same coding standards.

Parasoft Jtest users can review static analysis results directly in the IDE (Eclipse, IntelliJ, NetBeans), presented as actionable findings in the Finding and Finding Details views. Results can also be collected and analyzed in Parasoft’s Process Intelligence Engine for advanced reporting, deeper insight, and access to trends and historical data, which is key to assessing the quality state of a project and providing evidence to external parties such as auditors. Results are also available as HTML, PDF, and custom report formats.

Benefit from the Parasoft Approach

Want to learn more?

Parasoft Jtest integrates with a wide variety of software, tools, and frameworks, so you can easily adopt and scale within your existing development environment.