FindBugs
An Online Java Inspection System Based on FindBugs
丁一, 朱伟俊, 胡畔
Introduction
• Provides an online Java static analysis website
• Uses FindBugs and PMD as the analysis tools
• Analyzes a single Java file or a Java project submitted by the user and returns the report of the bugs detected
• Records the detected bug information (simple)
• On-site and external search engine (not done)
Service (diagram): user -> single file detect, project detect, read report, download report, statistics
Process (diagram): source (single file or project) -> Detect Engine (FindBugs, PMD) -> Report Generator -> Bug Report
FindBugs™
• FindBugs is an open source program created by William Pugh which looks for bugs in Java code.
• It uses static analysis to identify hundreds of different potential types of errors in Java programs.
• FindBugs operates on Java bytecode, rather than source code.
• The software is distributed as a standalone GUI application. There are also plug-ins available for Eclipse, NetBeans, IntelliJ IDEA, and Hudson.
fb-contrib™
• A FindBugs™ auxiliary detector plugin
• Can be used from the FindBugs™ GUI, Ant, or the Eclipse plugin.
• // http://fb-contrib.sourceforge.net/
PMD Tool
• PMD is a static ruleset based Java source code analyzer that identifies potential problems like:
  • Possible bugs - empty try/catch/finally/switch blocks
  • Dead code - unused local variables, parameters and private methods; empty if/while statements
  • Overcomplicated expressions - unnecessary if statements, for loops that could be while loops
  • Suboptimal code - wasteful String/StringBuffer usage
  • Classes with high cyclomatic complexity measurements
  • Duplicate code - copied/pasted code can mean copied/pasted bugs, and decreases maintainability
• // While PMD doesn't officially stand for anything, it has several unofficial names, the most appropriate probably being Programming Mistake Detector.
• // Typically, PMD errors are not true errors, but rather inefficient code, i.e. the application could still function properly even if they were not corrected.
Other tools
• Open-source or non-commercial products
  • Checkstyle — besides some static code analysis, it can be used to show violations of a configured coding standard
  • FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland
  • Hammurapi — (free for non-commercial use only) versatile code review solution
  • PMD — a static ruleset based Java source code analyzer that identifies potential problems
  • Sonar — a continuous inspection engine to manage technical debt (unit tests, complexity, duplication, design, comments, coding standards and potential problems)
  • Soot — a language manipulation and optimization framework consisting of intermediate languages for Java
  • Squale — a platform to manage software quality (also available for other languages, using commercial analysis tools though)
• Commercial products
  • IntelliJ IDEA — IDE for Java that also provides static code analysis
  • LDRA Testbed — a software analysis and testing tool suite for Java
  • SonarJ — monitors the conformance of code to the intended architecture, and also computes a wide range of software metrics
• http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
Removed
• User registration/login module
• Features that depended on it:
  • Per-user configuration of the analysis tools
  • Per-user storage areas
  • Simple project management
• Advantages:
  • Every user gets a quick and convenient analysis service
  • The site no longer has to maintain user registration data, personalized settings and the like
  • No user storage areas are provided any more, which saves a large amount of server disk space
• Disadvantages:
  • Users cannot configure the analysis rules; only the common configuration is available
  • In the bug summary, users cannot see their own bug records
Added
• Report download
  • Advantage: a user's large project may produce a great deal of bug information, so to make it easier to review, the report can be downloaded as a PDF.
Added
• "Project Configuration Guide"
  • A guide for users configuring and using this project for the first time
Fixes
• JSP/servlet forwarding logic corrected
  • Before: uploadProject ->….-> createReport
  • Now: uploadProject -> createReport
  • The only useful part of createProject was the code that creates the pom.xml file, which has been merged into uploadProject
• Paths in the report file changed from absolute paths to relative paths
• Bug fixes
  • 1. A valid single executable file uploaded correctly but could not be compiled
    • Error message: command line parameter error
    • On inspection we found that for a declaration such as class a {…} (with a space after the name), the program wrongly named the project "a " (trailing space included), so the parameter passed in caused the error.
    • Fix: call trim() to remove leading and trailing whitespace.
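The trim() fix described above, as an added example that is not the project's own code: it derives the project name from the first type declaration in an uploaded file, trims it as the deck describes, and additionally accepts only an ASCII Java identifier before the value is handed on as a command-line parameter. The class, method and regex names are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not the project's code: project name for a single uploaded
// .java file, taken from its first type declaration (the deck's bug fix 1).
public class ProjectNameExtractor {

    // Everything between the type keyword and the opening brace, e.g. "a " for
    // "class a {" (the stray space that broke the original command line) or
    // "Box<T> extends Base " for a generic class with a supertype.
    private static final Pattern DECL =
        Pattern.compile("\\b(?:class|interface|enum)\\s+([^{]*)\\{");

    // Whitelist stricter than the JLS (ASCII only): the name is later passed
    // to an external tool on the command line, so reject anything unexpected.
    private static final Pattern SAFE_NAME =
        Pattern.compile("[A-Za-z_$][A-Za-z0-9_$]*");

    public static String extractProjectName(String source) {
        Matcher m = DECL.matcher(source);
        if (!m.find()) {
            throw new IllegalArgumentException("no type declaration found");
        }
        // The deck's fix: trim(). Then keep only the first token so that
        // extends/implements clauses are dropped, and cut any generic list.
        String name = m.group(1).trim().split("\\s+")[0];
        int lt = name.indexOf('<');
        if (lt >= 0) {
            name = name.substring(0, lt);
        }
        if (!SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("illegal type name: " + name);
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed inputs: the deck's "class a {" case and a generic subclass.
        System.out.println(extractProjectName("class a {\n  void run() {}\n}"));
        System.out.println(extractProjectName("public class Box<T> extends Base {}"));
    }
}
```

Running main prints `a` and `Box`; a declaration whose name fails the whitelist raises IllegalArgumentException instead of reaching the command line.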
Fixes
• Bug fix 2:
  • Error message: source1.3中不支持泛型请使用 -source 5 或更高版本以启用泛型 (from Apache Maven 2; this is the Chinese-locale javac message, in English: generics are not supported in -source 1.3, use -source 5 or higher to enable generics)
  • This message came from checking a large project.
  • Fix: set source 5 in the pom.xml of the Maven 2 build tool.
Demo
Thanks All