Person typing on computer
Java Static Analysis

Java Static Code Analysis

Powered by Parasoft Jtest, the Java developer test productivity solution

Deliver Secure and Reliable Software

Ensure Code Is Reliable

Validate code reliability and security and reduce vulnerabilities through compliance checks for CWE, OWASP, & more.

Identify Security Risks

Simplify the identification and mitigation of security vulnerabilities. Discover potential risks using static analysis and prioritize work to address issues.

Optimize Issue Remediation

Get recommendations for high-priority violations and vulnerabilities to fix and assign appropriate resources to them.

Static Code Analysis Tool for Developing Reliable Java Applications

Parasoft Jtest verifies Java code quality and checks compliance with security standards (OWASP, CWE, CERT, PCI DSS, and more) by applying a wide range of proprietary static analysis checkers (1000+) to go way beyond open source. Parasoft Jtest leverages Parasoft’s centralized reporting and analytics hub, Parasoft DTP, to provide deep insights on code quality and risk.

How Does It Work?

Parasoft Jtest provides a comprehensive set of static analysis checkers and testing techniques that can be used to verify compliance with security standards (OWASP, CWE, CERT, PCI DSS, and more) and custom coding standards (using built-in or user-defined custom rules), find runtime problems early and without executing code (such as null pointer exceptions, array out of bound), identify code duplication, and understand complexity and code structure (leveraging over 40 industry-accepted code metrics).

Jtest employs a state-of-the-art Java code parsing engine to static analyze and understand the code under test and find code defects indicated by rule violations. It ships with over 1000 different checkers that cover general best practices (Effective Java, The Java Programming Language) and industry coding and compliance standards, as well as specialized bug-finders (such as null pointer exception, resource leaks, deadlocks, division by zero, array out of bound, and more).

To help users understand which static analysis rules to use, Jtest organizes and associates metadata to the rules, providing:

  • Built-In Test Configurations: Pre-defined rule sets allow users to perform static analysis quickly and conveniently.
  • Rule Categories: Each rule belongs to a rule category (such as Optimization, Security, Exceptions, API) to helps users quickly understand how rules might benefit their testing priorities.
  • Severity Levels: Each rule is assigned with a severity level to help users better understand the potential impact of the rule violation.

Static code analysis can be performed in the IDE (Eclipse, IntelliJ, and VS Code), from the command line, or using build system plugins (Ant, Maven, Gradle) for automation and Continuous Integration scenarios. The results of the analysis can be accessed immediately (in the IDE, or with HTML/XML/PDF reports), integrated with CI systems like GitHub, GitLab, and Azure DevOps, or accessed by Parasoft DTP for post-processing, reporting, and advanced analytics. Jtest provides advanced capabilities for making static analysis a maintainable element of the development process, such as suppressing unwanted findings, prioritizing and assigning findings to developers, and much more.


To guard against software defects entering the codebase, Parasoft Jtest analyzes the parse tree within a file and looks for patterns that represent bad development practices. Jtest exposes dangerous paths through the codebase that could cause instabilities and security issues at runtime, without executing all those paths programmatically. By analyzing the execution paths through the code, Jtest’s static analysis can detect potential issues early in the development stage, such as null pointer exceptions, division by zero, array out of bound problems, and more.

To manage complexity, Jtest helps you understand code metrics. By helping you understand the structure/design of your codebase and measure the complexity of your codebase, Jtest helps you manage, set thresholds, and take actions, identifying potential maintenance nightmares.

Jtest identifies instances where code has been duplicated or where the code is similar enough that you might want to consolidate the implementation. This not only helps you identify where you might refactor the code to benefit the design, but also reduces the maintenance cycle associated with changes in the codebase.

Parasoft Jtest provides a set of built-in checkers for verifying compliance with standards like OWASP Top 10, OWASP API Security Top 10, OWASP-ASVS, CERT for Java, CWE-SANS Top 25, PCI Data Security Standard, and more. Leveraging coding standards enables users to build secure and reliable web/distributed applications and services.

Using Parasoft Jtest’s continuous quality mode in the IDE (Eclipse, IntelliJ, VS Code), Jtest automatically analyzes the code in the background (every time you press save) and alerts users when it detects defects. With this feature, users get immediate feedback to detect issues as early as possible.

Jtest’s customizable code analysis enables teams to define organization-specific guidelines and coding standards. With this flexibility, users can turn rules on and off (creating customized test configurations to only include rules that are relevant from the organization’s development perspective), modify existing rules (rules can be parameterized to better suit the development needs), and create entirely new custom rules without having to write any code, to extend (or replace) built-in rules.

To enforce the same development strategies across the organization, these custom test configurations and static analysis rules can be shared through source control for individual projects, or through a centralized infrastructure to help different teams follow the same coding standards.

Parasoft Jtest users can review static analysis results directly in the IDE (Eclipse, IntelliJ, VS Code), presented as actionable findings in the Finding and Finding Details views. Analysis results can also be collected and analyzed within Parasoft DTP for advanced reporting, deeper insights, ML prediction models for the prioritization and assignment of findings, and accessing trends and historical data, a key element in assessing quality-state of the project and providing data for external parties, such as auditors. Results are also available as HTML, PDF, and custom extension reports.

Benefit From the Parasoft Approach

An Integrated Solution for Java Quality

Instead of having to integrate with other tools and solutions, Parasoft Jtest provides it all, with unit testing, code coverage, and a powerful processing engine for analytics and reporting. Parasoft’s functional testing tools are also easily connected to Jtest’s code coverage engine for efficient test automation, providing users with everything they need to test their Java applications end to end.

Deep Insights From Smart Analytics to Rapidly Assess Risk

Unlike any other commercial or open-source tool, Parasoft provides a unique data gathering and intelligence engine that other products lack. The business intelligence of the current state of the product, combined with key indicators of risk, enables software teams to focus on key areas of their product. Without this ability, users have to acquire multiple third-party reporting products and integrate each individual tool.

Immediate Analysis Feedback Directly in the IDE

Leveraging Jtest’s unique capabilities in the IDE, developers can use the continuous quality mode to let Jtest do its thing in the background. Jtest will automatically analyze the code and alert users when it detects a defect so users can benefit from immediate feedback in their workflow.