Static Analysis tool recommendation for Java?

Being vaguely familiar with the Java world I was googling for a static analysis tool that would also was intelligent enough to fix the issues it finds. I ran at CodePro tool but, again, I'm new to the Java community and don't know the vendors.

What tool can you recommend based on the criteria above?

• Findbugs
• PMD
• Checkstyle
• Lint4J
• Classycle
• JDepend
• SISSy
• Google Codepro

FindBugs, PMD and Checkstyle are all excellent choices especially if you integrate them into your build process.

At my last company we also used Fortify to check for potential security problems. We were fortunate to have an enterprise license so I don't know the cost involved.

I recommend FindBugs. http://findbugs.sourceforge.net/ Good in assisting to do code review.

IntelliJ IDEA from JetBrains. They also do ReSharper in the .Net community.

Sonar is a quality control tool. It gauges quality of Java applications through the observance of coding rules conventions, metric measures and advanced indicators.

Sonar is based on the following projects :

• JavaNCSS: Quality Metrics

• Checkstyle: Style Cheking

• PMD: Code scanning for potential errors.

• Cobertura: Test Coverage

You could also use Simian for duplication detection.

CRAP4J is not only an awesome name but it's quite useful. The other good ones are all above, best of all (IMHO) is FindBugs, because it really does find honest-to-goodness bugs right away in a big code base.

You can try JavaDepend, it complement other static analysis tools, and provides a CQL language to query code like database,

JavaDepend provides also many interactive views to understand the existing code base and more than 82 metrics.

All the above are great tools. PMD is probably the most common.

Another tool is Enerjy. It recently became free, so you can download it and try for yourself. Enerjy is somewhat more organized and a better fit to larger teams. It makes it easier to customize and share the rules. Personally, I'm not a big fan, but maybe you'll fancy it more than I do.

Couple of commercial vendors that have a Java offering:

Klocwork Coverity

They won't "fix the issues" they find (nor will, I believe, any of the other ones mentioned above) but these are all tools that have varying strengths.