s
http://sonar.oschina.net/
在使用sonar服务前,请先登录git.oschina.net(开源中国代码托管网站,以下简称git),请依据如下步骤操作
1.选择自己的项目XXX,进入"质量分析"菜单,点击"开始分析XXX代码",XXX项目进入sonar代码分析流程
2.当代码分析流程结束(大约1到2分钟),git会提示您项目的代码分析结果
3.若分析失败会给出提示信息,并提示失败原因
4.若分析成功, git将会显示sonar平台代码质量分析概要,点击相关概要链接,可查看具体分析详情
静态检查工具CheckStyle、PMD、FindBugs
重复代码检查PMD-CPD、Simian
圈复杂度分析工具SourceMonitor、JavaNCSS
代码设计质量分析JDepend
常用Java代码质量检测评估工具
http://zihai367.iteye.com/blog/2305793
1. PMD from http://pmd.sourceforge.net/
PMD能够扫描Java 源代码,查找类似以下的潜在问题:
可能的bug——try/catch/finally/switch语句中返回空值。
死代码——未使用的局部变量、参数、私有方法。
不理想的代码——使用String/StringBuffer。
过于复杂的表达式——没有必要使用if语句、while循环可以代替for循环。
重复代码——复制/粘贴的代码引发的bug。
PMD集成了JDeveloper, Eclipse, JEdit, JBuilder, BlueJ, CodeGuide, NetBeans/Sun Java Studio Enterprise/Creator, IntelliJ IDEA, TextPad, Maven, Ant, Gel, JCreator, 以及 Emacs。
2. FindBug from http://findbugs.sourceforge.net
FindBug是一个使用静态方法来查找Java代码漏洞的程序。
3.Clover from http://www.cenqua.com/clover/
这个插件允许你在不离开IDE的环境条件下来衡量和检测覆盖效果。该插件通过使用Apache Ant、Maven来无缝集成其它项目,可以通过命令行界面和API系统轻松集成到传统的构建系统中。
该插件的特性:
支持快速、准确、可配置的方法,语句等。
支持丰富的报告格式:HTML、PDF、XML、以及Swing GUI。
精确控制源代码级别的过滤。
支持代码覆盖以及其它指标的图表。
完全兼容JUnit 3.x & 4.x, TestNG, JTiger以及其它的测试框架。
4. Macker from http://innig.net/macker/
Macker是一个适用于Java开发人员用来检查架构规则的工具。你可以定制一个适合特定项目架构的规则文件,也可以为您的代码撰写通用的规则说明。
5. EMMA from http://emma.sourceforge.net/
EMMA支持的覆盖类型:方法、类等。
输出报告的格式为:文本、HTML、XML。
输出报告可以高亮显示某些项目。
EMMA不需要访问源代码,可以在输入类中减少调试的信息。
6. XRadar from http://xradar.sourceforge.net/
XRadar是一个开放的、为代码生成可扩展报告的工具。目前支持基于Java的所有系统。批量处理的框架可以用来生成HTML/SVG系统的报告。Xradar可以估量代码的大小、复杂性以及代码的重复性、依赖性等。
7. Hammurapi from http://www.hammurapi.com
Hammurapi是一款执行Java程序代码的自动检测工具。提供的实例中含有282条Hammurapi代码规则,提供了120多个Java类,这款所谓的检测工具,可以从三个级别来检测代码是否违背了编码标准。
8. Relief from http://www.workingfrog.org/
Relif是一款设计工具,为Java项目提供了崭新的面貌。我们可以充分发挥自己的能力来处理真实的实例——通过检测大小、形状、关系等来简化处理过程。
9. Hudson from http://hudson-ci.org/
Hudson 是一个持续集成工具,使用Java编写,运行在servlet容器中,比如Apache Tomcat或者或GlassFish应用服务器。它支持SCM工具,包括CVS、Subversion、Git和ClearCase。它可以执行Apache Ant、基于Apache Maven的项目、以及任意的shell脚本和 Windows批处理命令。
10. Cobertura fromhttp://cobertura.sourceforge.net/
Cobertura是一个免费的基于jcoverage的Java工具,用于计算代码被测试访问的百分比,它可以被用来确定Java程序中的缺少部分的测试覆盖率。
11. SonarSource from http://www.sonarsource.org/
Sonar是一个管理代码质量的开放平台。因此,它涵盖了代码质量的7个方面:架构与设计、重复、单元测试、复杂性、潜在错误、编码规则、评论。
英文原文:http://java.dzone.com/articles/java-tools-source-code
Java代码质量检测评估工具
“五大” 代码分析领域:
* 编码风格
* 冗余代码
* 代码覆盖率
* 依赖项分析
* 复杂度监控
一下列举了一些目前比较流行的工具。网址后面列出了其PR值,可以反映此工具的流行度。
1、编码风格
CheckStyle
Home page: http://checkstyle.sourceforge.net/ (6)
对应的eclipse插件有多个,其中eclipsecs最常用
Home page: http://eclipse-cs.sourceforge.net/ (6)
eclipse插件URL:http://eclipse-cs.sf.net/update/
2、冗余代码
Simian http://www.redhillconsulting.com.au/products/simian/ (5)
PMD 的 CPD http://pmd.sourceforge.net/cpd.html (5)
3、代码覆盖率
EMMA http://emma.sourceforge.net/ (6)
Cobertura http://cobertura.sourceforge.net/ (6)
EclEmma http://update.eclemma.org/ (5)
Coverlipse http://coverlipse.sourceforge.net/ (3)
4、依赖项分析
JDepend http://clarkware.com/software/JDepend.html (6)
5、复杂度监控
Metrics http://metrics.sourceforge.net/ (4)
具有以上两项或两项以上的综合工具(也称为静态分析工具):
1、PMD
Home page: http://pmd.sourceforge.net/ (6)
eclipse插件URL:http://pmd.sourceforge.net/eclipse
2、FindBugs http://findbugs.sourceforge.net/ (6)
eclipse插件URL:http://findbugs.cs.umd.edu/eclipse
FindBugs 检查程序生成的class文件,即分析字节码
PMD 检查源码,分析源代码
3、Jtest http://www.parasoft.com/jtest
4、Jlint http://artho.com/jlint/ (5)
5、Lint4j http://www.jutils.com/ (4)
http://www.oschina.net/p/sonar/
简介
转自oschina的介绍(http://www.oschina.net/p/sonar/)
Sonar (SonarQube)是一个开源平台,用于管理源代码的质量。Sonar 不只是一个质量数据报告工具,更是代码质量管理平台。支持的语言包括:Java、PHP、C#、C、Cobol、PL/SQL、Flex 等。
主要特点:
· 代码覆盖:通过单元测试,将会显示哪行代码被选中
· 改善编码规则
· 搜寻编码规则:按照名字,插件,激活级别和类别进行查询
· 项目搜寻:按照项目的名字进行查询
· 对比数据:比较同一张表中的任何测量的趋势
架构图:
下载与安装
下载地址:http://www.sonarqube.org/downloads/
我下载的是:sonar-3.7.3.zip
解压(D:\install\sonar-3.7.3)
进入解压缩目录,修改conf/sonar.properties文件,配置数据库连接
- ......
- # Permissions to create tables and indexes must be granted to JDBC user.
- # The schema must be created first.
- #sonar.jdbc.username: sonar
- #sonar.jdbc.password: sonar
- .......
- #----- MySQL 5.x
- # Comment the embedded database and uncomment the following line to use MySQL
- sonar.jdbc.url:jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true
- sonar.jdbc.username: root
- sonar.jdbc.password: 123
- ......
灰色背景的是新添加的,因为我使用的数据库是mysql
在bin(D:\install\sonar-3.7.3\bin)目录下有各种操作系统的可执行文件,我本地的操作系统是XP,所以进入D:\install\sonar-3.7.3\bin\windows-x86-32执行StartSonar.bat即可完成启动。
如果能访问说明成功了
配置maven
修改maven的配置文件E:\maven\apache-maven-3.1.1\conf\settings.xml,在profiles下添加以下代码
- <profile>
- <id>sonar</id>
- <activation>
- <activeByDefault>true</activeByDefault>
- </activation>
- <properties>
- <sonar.jdbc.url>jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8</sonar.jdbc.url>
- <sonar.jdbc.driver>com.mysql.jdbc.Driver</sonar.jdbc.driver>
- <sonar.jdbc.username>root</sonar.jdbc.username>
- <sonar.jdbc.password>123</sonar.jdbc.password>
- <sonar.host.url>http://localhost:9000</sonar.host.url>
- </properties>
- </profile>
在项目里加下以下插件:
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>sonar-maven-plugin</artifactId>
- <version>2.2</version>
- </plugin>
运行sonar测试
| E:\git\656463>cd 656463-cms
E:\git\656463\656463-cms>mvn sonar:sonar |
好了,直接访问 http://localhost:9000/即可看到测试结果了
Sonar 主要還是透過maven的一些plugins像 PMD , CPD , findbugs , checkstyle , cobertura(coverage ) ,
http://pengwei841221.iteye.com/blog/940428
Sonar是一个开源平台,用于管理Java源代码的质量。从 Sonar 1.6 版本开始,Sonar从一个质量数据报告工具,转变成为现在的代码质量管理平台。
Sonar 主要還是透過maven的一些plugins像 PMD , CPD , findbugs , checkstyle , cobertura(coverage ) ,JavaNCSS ,… 來對java程式碼做靜態分析(static analysis),然後用比較美觀的方式呈現將各種報表整合在一起。
安装前提:
系统必须支持Java和Maven
数据库支持:
默认使用自带的Derby数据库
Mysql
Oracle
MS SqlServer
PostgreSQL
Sonar处理步骤:
1、mvn sonar:sonar 把代码注入到Sonar中进行分析处理,并将处理结果以XML的形式插入到DB中
2、通过浏览器访问,显示分析结果
3、持续运行Maven构建,会迭代显示分析结果
一分钟安装教程:
1、下载并解压
2、在Windows上安装
- bin/windows-x86-32StartSonar.bat
3、 其它系统安装
- bin/[OS]/sonar.sh console
4、Maven工程中运行
- mvn clean install sonar:sonar
5、浏览器打开 http://localhost:9000
6、进入后台,admin/admin
5步骤安装:
第一步,创建数据库
Apache Derby 是Sonar默认安装的数据库,并且不需要你安装。它能很好的用于Sonar的演示,但是在实际运用中我推荐你使用性能更好更强大的数据库。Sonar对 如下数据库提供支持:MySQL 5.x, Oracle 10g XE, Postgresql 和MS SqlServer 2005。
第一件事就是为Sonar创建一个数据库。表和索引会在Sonar激活后自动创建。 同时要给Sonar用户能够在数据库表中创建、禁止和更新对象的权限。
第二步,安装服务器
第三步,配置数据库
如果你不是使用默认的数据库,那么你可以编辑conf/sonar.properties配置数据库访问权限。注释derby的配置并复制一份自定义来修改,下面是Sonar的数据库配置模板:
- sonar.jdbc.url : 数据库URL
- sonar.jdbc.driver : 驱动类
- sonar.jdbc.user : 用户名 默认sonar
- sonar.jdbc.password : 密码 默认sonar
Mysql示例:
- #sonar.jdbc.url: jdbc:derby://localhost:1527/sonar;create=true
- #sonar.jdbc.driver: org.apache.derby.jdbc.ClientDriver
- #sonar.jdbc.defaultTransactionIsolation: 1
- #sonar.jdbc.validationQuery: values(1)
- sonar.jdbc.url: jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8
- sonar.jdbc.driver: com.mysql.jdbc.Driver
- sonar.jdbc.validationQuery: select 1
如果是Oracle,你必须手动复制JDBC驱动类到/extensions/jdbc-driver/oracle/目录下。其它支持的数据库都已提供了驱动。
第四步,启动Sonar Server
方式一-单独启动
Sonar默认的端口是“9000”,默认的上下文路径是“/”,默认的网络接口是:“0.0.0.0”。一旦激活,Sonar服务器就可以使用http://localhost:9000 。这些参数都可以在conf/sonar.properties修改。下面提供一个http://localhost:80/sonar 的示例:
- sonar.web.host : 192.0.0.1
- sonar.web.port: 80
- sonar.web.context: /sonar
可以通过如下脚本启动Sonar服务器:
- linux/mac : bin/[YOUR PLATEFORM]/sonar.sh start
- OR
- windows : bin/windows-x86-32/StartSonar.bat
同样你可以启动bin/windows-x86-32/InstallNTService.bat把它注册为一个Window服务 ,然后再启动bin/windows-x86-32/StartSonar.bat
方式二-部署到Tomcat
打包步骤如下:
编辑conf/sonar.properties还原成标准格式(就是不修改端口之类)。确保部署到应用服务器时conf/wrapper.conf未被使用过。
在war/目录下执行build-war.sh脚本(Windows下执行build-war.bat)。
部署war/sonar.war到应用服务器。
通过http://loaclhost:8080/sonar 访问,继续安装步骤。
为了避免内存溢出,增加内存堆栈的大小。在Tomcat启动前设置CATALINA_OPTS环境变量:
- CATALINA_OPTS=”-Xms1024m -Xmx1024m -Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true -XX:MaxPermSize=256m”
第五步:配置到Maven中
因为Sonar是通过Maven2 插件来分析源代码并把结果注入到数据库的。这就是为什么我们必须在Maven的配置里设置数据库的属性。编辑位于$MAVEN_HOME/conf或者 ~/.m2下的settings.xml文件,然后在添加step 3中的参数。
如果数据库和服务器不在同一台主机,你还必须通过’sonar.host.url’指定服务器地址。
- <settings>
- <profiles>
- <profile>
- <id>sonar</id>
- <activation>
- <activeByDefault>true</activeByDefault>
- </activation>
- <properties>
- <!– mysql –>
- <sonar.jdbc.url>
- jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8
- </sonar.jdbc.url>
- <sonar.jdbc.driver>com.mysql.jdbc.Driver</sonar.jdbc.driver>
- <sonar.jdbc.username>sonar</sonar.jdbc.username>
- <sonar.jdbc.password>sonar</sonar.jdbc.password>
- <!– remote host –>
- <sonar.host.url>http://myserver:1234</sonar.host.url>
- </properties>
- </profile>
- </profiles>
- </settings>
注意: <sonar.host.url>属性不能以”/”结尾。否则,Maven Sonar插件将报找不到驱动类的错误。
同样,为了避免内存溢出,推荐增加内存堆栈的大小。设置MAVEN_OPTS环境变量:
- export MAVEN_OPTS=”-Xmx512m -XX:MaxPermSize=256m”
集团级项目管理关键指标评价办法V1.0
http://10.27.100.165:9000/coding_rules#languages=java
http://dl.iteye.com/topics/download/0214b88a-ec87-3336-abbc-87954aeaa21f
业务验收50
时间管理30
质量管理20
资源管理
项目抽查
项目质量管理:主要聚焦于项目所涉及的软件系统过程质量和最终质量。
质量管理得分=代码千行缺陷率得分+代码sonar检查得分。
(a)代码千行缺陷率(5分),定义为项目测试出的bug总数除以项目涉及系统有效代码行数。千分之三为满分5分,每升高千分之一扣0.5分。计算公式为(100-(千行缺陷率-0.003)×10000)×0.05,最低0分,最高5分。此项数据统计由各中心测试部出具。
(b)代码sonar检查(15分),由公司的sonar网站检查结果进行打分,以CTO办公室出具的静态检查规则为评分标准,静态检查规则详见附件1。每发现1个阻断问题扣2分,每发现1个严重问题扣1分,最低0分,最高15分。由各中心技术总监提供得分数据,CTO办公室对项目的规范得分情况复核。
http://10.27.100.165:9000/coding_rules#severities=CRITICAL|languages=java%2Cjs%2Cnone%2Cweb|s=createdAt|asc=false
| 问题描述 | 严重度 | 整改建议 |
| Execution of the Garbage Collector should be triggered only by the JVM | 严重 | 立即修改 |
| Thread.run() and Runnable.run() should not be called directly | 严重 | 立即修改 |
| The Array.equals(Object obj) method should never be used | 严重 | 立即修改 |
| "switch" statements should not contain non-case labels | 严重 | 立即修改 |
| "equals(Object obj)" should be overridden along with the "compareTo(T obj)" method | 严重 | 立即修改 |
| The Object.finalize() method should never be called | 严重 | 立即修改 |
| Switch cases should end with an unconditional break statement | 严重 | 可忽略 |
| Methods should not be named "hashcode" | 严重 | 可忽略 |
| Strings should be compared using equals() | 严重 | 可忽略 |
| Methods named "equals" should override Object.equals(Object) | 严重 | 立即修改 |
| The Object.finalize() method should never be overriden | 严重 | 立即修改 |
| Annotation repetitions should not be wrapped | 严重 | 可忽略 |
| "object == null" should be used instead of "object.equals(null)" | 严重 | 立即修改 |
| Conditions in related "if/else if" statements should not be duplicated | 严重 | 立即修改 |
| System.exit(...) and Runtime.getRuntime().exit(...) should not be called | 严重 | 可忽略 |
| Throwable.printStackTrace(...) should never be called | 严重 | 立即修改 |
| "autocomplete" should be set to "off" on input elements of type "password" | 严重 | 立即修改 |
| Javascript scriptlets should not have too many lines of code | 严重 | 无需修改 |
| Deprecated JSP scriptlets should not be used | 严重 | 立即修改 |
| Illegal TagLibs | 严重 | 立即修改 |
| Dynamic Jsp Include | 严重 | 可忽略 |
| Correctness - Overwritten increment | 严重 | 可忽略 |
| Correctness - Uncallable method defined in anonymous class | 严重 | 立即修改 |
| Dodgy - Immediate dereference of the result of readLine() | 严重 | 立即修改 |
| Malicious code vulnerability - Public static method may expose internal representation by returning array | 严重 | 立即修改 |
| Correctness - Call to equals() comparing different types | 严重 | 可忽略 |
| Dodgy - Potentially dangerous use of non-short-circuit logic | 严重 | 可忽略 |
| Dodgy - instanceof will always return true | 严重 | 立即修改 |
| Multithreaded correctness - Synchronization performed on java.util.concurrent Lock | 严重 | 立即修改 |
| Correctness - Bitwise OR of signed byte value | 严重 | 立即修改 |
| Correctness - Value annotated as carrying a type qualifier used where a value that must not carry that qualifier is required | 严重 | 立即修改 |
| Performance - Method concatenates strings using + in a loop | 严重 | 立即修改 |
| Correctness - Bitwise add of signed byte value | 严重 | 立即修改 |
| Correctness - Format string references missing argument | 严重 | 立即修改 |
| Correctness - TestCase declares a bad suite method | 严重 | 立即修改 |
| Security - Empty database password | 严重 | 立即修改 |
| Correctness - Self assignment of field | 严重 | 立即修改 |
| Correctness - Static Thread.interrupted() method invoked on thread instance | 严重 | 立即修改 |
| Dodgy - Result of integer multiplication cast to long | 严重 | 可忽略 |
| Multithreaded correctness - Incorrect lazy initialization of static field | 严重 | 立即修改 |
| Dodgy - Questionable cast to concrete collection | 严重 | 可忽略 |
| Correctness - An apparent infinite recursive loop | 严重 | 立即修改 |
| Correctness - No relationship between generic parameter and method argument | 严重 | 立即修改 |
| Bad practice - toString method may return null | 严重 | 立即修改 |
| Dodgy - Write to static field from instance method | 严重 | 可忽略 |
| Dodgy - Self assignment of local variable | 严重 | 立即修改 |
| Multithreaded correctness - Method does not release lock on all exception paths | 严重 | 立即修改 |
| Correctness - Invocation of toString on an array | 严重 | 立即修改 |
| Security - Servlet reflected cross site scripting vulnerability | 严重 | 立即修改 |
| Dodgy - Possible null pointer dereference on path that might be infeasible | 严重 | 可忽略 |
| Dodgy - Dead store of null to local variable | 严重 | 立即修改 |
| Multithreaded correctness - Mismatched wait() | 严重 | 立即修改 |
| Bad practice - Equals method should not assume anything about the type of its argument | 严重 | 立即修改 |
| Correctness - Dead store of class literal | 严重 | 立即修改 |
| Multithreaded correctness - Class's writeObject() method is synchronized but nothing else is | 严重 | 立即修改 |
| Dodgy - Method directly allocates a specific implementation of xml interfaces | 严重 | 立即修改 |
| Dodgy - Complicated, subtle or wrong increment in for-loop | 严重 | 可忽略 |
| Correctness - Integer remainder modulo 1 | 严重 | 立即修改 |
| Correctness - Doomed test for equality to NaN | 严重 | 立即修改 |
| Multithreaded correctness - Static DateFormat | 严重 | 需修改可暂缓 |
| Correctness - Doomed attempt to append to an object output stream | 严重 | 立即修改 |
| Dodgy - Double assignment of local variable | 严重 | 立即修改 |
| Multithreaded correctness - Call to static DateFormat | 严重 | 需修改可暂缓 |
| Multithreaded correctness - Mismatched notify() | 严重 | 立即修改 |
| Performance - Huge string constants is duplicated across multiple class files | 严重 | 需修改可暂缓 |
| Dodgy - Class exposes synchronization and semaphores in its public interface | 严重 | 需修改可暂缓 |
| Bad practice - Suspicious reference comparison | 严重 | 可忽略 |
| Dodgy - Computation of average could overflow | 严重 | 可忽略 |
| Bad practice - Finalizer nullifies superclass finalizer | 严重 | 立即修改 |
| Correctness - Nullcheck of value previously dereferenced | 严重 | 立即修改 |
| Performance - Method calls static Math class method on a constant value | 严重 | 立即修改 |
| Dodgy - Initialization circularity | 严重 | 立即修改 |
| Dodgy - Unsigned right shift cast to short/byte | 严重 | 可忽略 |
| Correctness - Possible null pointer dereference in method on exception path | 严重 | 可忽略 |
| Dodgy - Dereference of the result of readLine() without nullcheck | 严重 | 立即修改 |
| Correctness - Call to equals() comparing unrelated class and interface | 严重 | 可忽略 |
| Bad practice - Class defines hashCode() but not equals() | 严重 | 可忽略 |
| Dodgy - Code contains a hard coded reference to an absolute pathname | 严重 | 立即修改 |
| Security - Servlet reflected cross site scripting vulnerability | 严重 | 立即修改 |
| Dodgy - Method uses the same code for two branches | 严重 | 需修改可暂缓 |
| Correctness - Null pointer dereference in method on exception path | 严重 | 可忽略 |
| Correctness - An apparent infinite loop | 严重 | 立即修改 |
| Dodgy - Vacuous bit mask operation on integer value | 严重 | 立即修改 |
| Correctness - Incompatible bit masks (BIT_IOR) | 严重 | 立即修改 |
| Correctness - equals() used to compare array and nonarray | 严重 | 立即修改 |
| Correctness - Method assigns boolean literal in boolean expression | 严重 | 可忽略 |
| Dodgy - Redundant comparison of two null values | 严重 | 立即修改 |
| Bad practice - Store of non serializable object into HttpSession | 严重 | 可忽略 |
| Bad practice - Method may fail to close stream | 严重 | 立即修改 |
| Multithreaded correctness - Naked notify | 严重 | 立即修改 |
| Correctness - Field only ever set to null | 严重 | 可忽略 |
| Correctness - Method call passes null to a nonnull parameter | 严重 | 立即修改 |
| Bad practice - Check for sign of bitwise operation | 严重 | 可忽略 |
| Correctness - Unneeded use of currentThread() call, to call interrupted() | 严重 | 立即修改 |
| Multithreaded correctness - Method calls Thread.sleep() with a lock held | 严重 | 立即修改 |
| Correctness - Value required to not have type qualifier, but marked as unknown | 严重 | 立即修改 |
| Multithreaded correctness - Synchronization on boxed primitive could lead to deadlock | 严重 | 立即修改 |
| Multithreaded correctness - Synchronization on boxed primitive values | 严重 | 立即修改 |
| An increment to a volatile field isn't atomic | 严重 | 可忽略 |
| Correctness - A parameter is dead upon entry to a method but overwritten | 严重 | 立即修改 |
| Correctness - The type of a supplied argument doesn't match format specifier | 严重 | 立即修改 |
| Correctness - A collection is added to itself | 严重 | 立即修改 |
| Performance - Method uses toArray() with zero-length array argument | 严重 | 立即修改 |
| Security - JSP reflected cross site scripting vulnerability | 严重 | 立即修改 |
| Class defines hashcode(); should it be hashCode()? | 严重 | 可忽略 |
| Bad practice - Method may fail to close database resource | 严重 | 立即修改 |
| Multithreaded correctness - Incorrect lazy initialization and update of static field | 严重 | 立即修改 |
| Bad practice - Class defines compareTo(...) and uses Object.equals() | 严重 | 立即修改 |
| Dead store due to switch statement fall through | 严重 | 可忽略 |
| Multithreaded correctness - Using notify() rather than notifyAll() | 严重 | 立即修改 |
| Correctness - Nonsensical self computation involving a field (e.g., x & x) | 严重 | 立即修改 |
| Correctness - Self comparison of value with itself | 严重 | 立即修改 |
| Correctness - "." used for regular expression | 严重 | 可忽略 |
| Correctness - TestCase has no tests | 严重 | 立即修改 |
| Correctness - Double.longBitsToDouble invoked on an int | 严重 | 可忽略 |
| Switch statement found where one case falls through to the next case | 严重 | 可忽略 |
| Correctness - Number of format-string arguments does not correspond to number of placeholders | 严重 | 立即修改 |
| Correctness - Double assignment of field | 严重 | 立即修改 |
| Bad practice - equals method fails for subtypes | 严重 | 可忽略 |
| Dodgy - Unchecked/unconfirmed cast | 严重 | 可忽略 |
| Multithreaded correctness - Class's readObject() method is synchronized | 严重 | 立即修改 |
| Correctness - Possible null pointer dereference | 严重 | 可忽略 |
| Correctness - hasNext method invokes next | 严重 | 立即修改 |
| Correctness - Bad attempt to compute absolute value of signed 32-bit hashcode | 严重 | 可忽略 |
| Correctness - int value cast to float and then passed to Math.round | 严重 | 可忽略 |
| Dodgy - Remainder of hashCode could be negative | 严重 | 可忽略 |
| Correctness - Bad comparison of nonnegative value with negative constant | 严重 | 立即修改 |
| Multithreaded correctness - Call to static Calendar | 严重 | 立即修改 |
| Dodgy - Parameter must be nonnull but is marked as nullable | 严重 | 立即修改 |
| Correctness - Invalid syntax for regular expression | 严重 | 立即修改 |
| Security - Nonconstant string passed to execute method on an SQL statement | 严重 | 可忽略 |
| Multithreaded correctness - Sychronization on getClass rather than class literal | 严重 | 立即修改 |
| Nonnull field is not initialized | 严重 | 立即修改 |
| Dodgy - Test for floating point equality | 严重 | 立即修改 |
| Correctness - Bad attempt to compute absolute value of signed 32-bit random integer | 严重 | 可忽略 |
| Bad practice - Class defines equals() and uses Object.hashCode() | 严重 | 可忽略 |
| Dodgy - Dead store to local variable | 严重 | 可忽略 |
| Correctness - Primitive array passed to function expecting a variable number of object arguments | 严重 | 立即修改 |
| Correctness - Method may return null, but is declared @NonNull | 严重 | 立即修改 |
| Correctness - Call to equals() with null argument | 严重 | 立即修改 |
| Correctness - Signature declares use of unhashable class in hashed construct | 严重 | 立即修改 |
| Method may fail to clean up stream or resource on checked exception | 严重 | 立即修改 |
| Correctness - Collections should not contain themselves | 严重 | 立即修改 |
| Correctness - Incompatible bit masks (BIT_AND) | 严重 | 立即修改 |
| Correctness - Vacuous call to collections | 严重 | 立即修改 |
| Correctness - Value annotated as never carrying a type qualifier used where value carrying that qualifier is required | 严重 | 立即修改 |
| Correctness - Invocation of equals() on an array, which is equivalent to == | 严重 | 可忽略 |
| Dodgy - Possible null pointer dereference due to return value of called method | 严重 | 立即修改 |
| Dead store due to switch statement fall through to throw | 严重 | 可忽略 |
| Multithreaded correctness - Synchronization on Boolean could lead to deadlock | 严重 | 立即修改 |
| Bad practice - Unchecked type in generic call | 严重 | 立即修改 |
| Bad practice - Method may fail to close database resource on exception | 严重 | 立即修改 |
| Correctness - int value cast to double and then passed to Math.ceil | 严重 | 需修改可暂缓 |
| Multithreaded correctness - Inconsistent synchronization | 严重 | 立即修改 |
| Dodgy - Check for oddness that won't work for negative numbers | 严重 | 立即修改 |
| Correctness - Invocation of toString on an anonymous array | 严重 | 立即修改 |
| Correctness - Store of null value into field annotated NonNull | 严重 | 立即修改 |
| Dodgy - Redundant comparison of non-null value to null | 严重 | 立即修改 |
| Dodgy - Class extends Struts Action class and uses instance variables | 严重 | 可忽略 |
| Dodgy - Non serializable object written to ObjectOutput | 严重 | 立即修改 |
| Correctness - Method performs math using floating point precision | 严重 | 可忽略 |
| Correctness - Self comparison of field with itself | 严重 | 需修改可暂缓 |
| Multithreaded correctness - Synchronization on interned String could lead to deadlock | 严重 | 立即修改 |
| Multithreaded correctness - Method does not release lock on all paths | 严重 | 立即修改 |
| Correctness - Check to see if ((...) & 0) == 0 | 严重 | 立即修改 |
| Correctness - No previous argument for format string | 严重 | 立即修改 |
| Dodgy - Class extends Servlet class and uses instance variables | 严重 | 可忽略 |
| Correctness - Method call passes null for nonnull parameter (ALL_TARGETS_DANGEROUS) | 严重 | 立即修改 |
| Correctness - Illegal format string | 严重 | 立即修改 |
| Correctness - Nonsensical self computation involving a variable (e.g., x & x) | 严重 | 可忽略 |
| Correctness - Invocation of hashCode on an array | 严重 | 立即修改 |
| Multithreaded correctness - Constructor invokes Thread.start() | 严重 | 立即修改 |
| Multithreaded correctness - Condition.await() not in loop | 严重 | 立即修改 |
| Correctness - Useless control flow to next line | 严重 | 需修改可暂缓 |
| Performance - Inefficient use of keySet iterator instead of entrySet iterator | 严重 | 需修改可暂缓 |
| Correctness - Unnecessary type check done using instanceof operator | 严重 | 立即修改 |
| Correctness - Class overrides a method implemented in super class Adapter wrongly | 严重 | 可忽略 |
| Dodgy - int division result cast to double or float | 严重 | 可忽略 |
| Correctness - Integer shift by an amount not in the range 0..31 | 严重 | 立即修改 |
| Bad practice - equals() method does not check for null argument | 严重 | 立即修改 |
| Security - A prepared statement is generated from a nonconstant String | 严重 | 可忽略 |
| Correctness - Don't use removeAll to clear a collection | 严重 | 立即修改 |
| Dodgy - Useless control flow | 严重 | 立即修改 |
| Correctness - Bad comparison of signed byte | 严重 | 立即修改 |
| Bad practice - Clone method may return null | 严重 | 立即修改 |
| Multithreaded correctness - Field not guarded against concurrent access | 严重 | 立即修改 |
| Correctness - Value is null and guaranteed to be dereferenced on exception path | 严重 | 需修改可暂缓 |
| Multithreaded correctness - Static Calendar | 严重 | 立即修改 |
| Correctness - Null pointer dereference | 严重 | 立即修改 |
| Bad practice - Method may fail to close stream on exception | 严重 | 立即修改 |
| Multithreaded correctness - Wait not in loop | 严重 | 立即修改 |
| Correctness - File.separator used for regular expression | 严重 | 可忽略 |
| Bad practice - Class inherits equals() and uses Object.hashCode() | 严重 | 可忽略 |
| Correctness - Useless assignment in return statement | 严重 | 立即修改 |
| Bad practice - Static initializer creates instance before all static final fields assigned | 严重 | 立即修改 |
| Correctness - JUnit assertion in run method will not be noticed by JUnit | 严重 | 立即修改 |
| Correctness - Method attempts to access a result set field with index 0 | 严重 | 立即修改 |
| Correctness - Using pointer equality to compare different types | 严重 | 可忽略 |
| Bad practice - Non-serializable value stored into instance field of a serializable class | 严重 | 立即修改 |
| Correctness - Method call passes null for nonnull parameter | 严重 | 立即修改 |
| Dodgy - Remainder of 32-bit signed random integer | 严重 | 可忽略 |
| Bad practice - serialVersionUID isn't final | 严重 | 可忽略 |
| Correctness - instanceof will always return false | 严重 | 立即修改 |
| Dodgy - Redundant nullcheck of value known to be non-null | 严重 | 立即修改 |
| Correctness - Value required to have type qualifier, but marked as unknown | 严重 | 立即修改 |
| Correctness - Use of class without a hashCode() method in a hashed data structure | 严重 | 立即修改 |
| Correctness - Method attempts to access a prepared statement parameter with index 0 | 严重 | 立即修改 |
| Correctness - TestCase defines setUp that doesn't call super.setUp() | 严重 | 可忽略 |
| Correctness - Bad constant value for month | 严重 | 立即修改 |
| Correctness - Call to equals() comparing different interface types | 严重 | 立即修改 |
| Dodgy - Load of known null value | 严重 | 立即修改 |
| Dodgy - Invocation of substring(0), which returns the original value | 严重 | 立即修改 |
| Correctness - Check for sign of bitwise operation | 严重 | 可忽略 |
| Bad practice - Random object created and used only once | 严重 | 立即修改 |
| Correctness - Value that might not carry a type qualifier is always used in a way requires that type qualifier | 严重 | 立即修改 |
| Dodgy - Vacuous comparison of integer value | 严重 | 立即修改 |
| Correctness - Exception created and dropped rather than thrown | 严重 | 立即修改 |
| Correctness - Non-virtual method call passes null for nonnull parameter | 严重 | 立即修改 |
| Dodgy - Method uses the same code for two switch clauses | 严重 | 需修改可暂缓 |
| Correctness - Integer multiply of result of integer remainder | 严重 | 可忽略 |
| Bad practice - Class defines hashCode() and uses Object.equals() | 严重 | 需修改可暂缓 |
| Correctness - TestCase implements a non-static suite method | 严重 | 需修改可暂缓 |
| Class defines equal(Object); should it be equals(Object)? | 严重 | 需修改可暂缓 |
| Correctness - TestCase defines tearDown that doesn't call super.tearDown() | 严重 | 需修改可暂缓 |
| Dodgy - Redundant nullcheck of value known to be null | 严重 | 可忽略 |
| Performance - Method invokes inefficient Number constructor; use static valueOf instead | 严重 | 需修改可暂缓 |
| Unchecked/unconfirmed cast of return value from method | 严重 | 可忽略 |
| Performance - Private method is never called | 严重 | 立即修改 |
| Correctness - Format string placeholder incompatible with passed argument | 严重 | 立即修改 |
| Correctness - Value that might carry a type qualifier is always used in a way prohibits it from having that type qualifier | 严重 | 立即修改 |
| "eval" and "arguments" should not be bound or assigned | 严重 | 立即修改 |
| Property names should not be duplicated within an object literal | 严重 | 立即修改 |
| "future reserved words" should not be used as identifiers | 严重 | 立即修改 |
| Function argument names should be unique | 严重 | 立即修改 |
| Function call arguments should not start on new line | 严重 | 立即修改 |
| Do not use octal numbers | 严重 | 立即修改 |
| "switch" statements should not contain non-case labels | 严重 | 立即修改 |
end