Bill Pugh Releases FindBugs 1.3.9
Developed by professor Bill Pugh at the University of Maryland, FindBugs is an open source (LPGL licensed) static analysis tool (i.e. one that analyzes code without running it) for finding common defects in Java code. FindBugs has become increasingly mainstream and is used by a number of well known companies including Bank of America, eBay, Oracle, Sun Microsystems and Google, where Bill Pugh is also a visiting scientist.
The focus on finding defects is a key differentiator from other related tools such as Checkstyle and PMD which offer broader style-based suggestions for improving code quality. The FindBugs analysis engine also differs from both Checkstyle and PMD in that it works directly with class files rather than source code. It can be run from the command line, from a variety of build tools including Ant, Cruise Control,
Developers use static analysis tools in a variety of different ways but two common ones are as part of a code review of a newly written module and as part of a broader review of a pre-existing code base. These two usage contexts have quite different requirements. In the former case a developer will usually review any warnings of questionable code that the tool finds and correct the code even if the issue being highlighted doesn't produce misbehaviour in the application itself. In contrast, when reviewing a pre-existing code base, since the code has been in production without causing any apparent problems and the developer would need to gain familiarity with the code before changing it, the threshold for making changes to the code is much higher. Whilst the FindBugs analysis engine continues to improve incrementally, and some 12 new detectors have been added to the 1.3.9 release, much of the emphasis in Findbugs from 1.3.9 and beyond is on the latter context. For example FindBugs has always grouped each bug pattern into a category such as correctness, bad practice, performance and internationalization, and assigned each one a priority of high, medium or low. This is a useful starting point for developers looking to filter out less important defects from large code bases and is widely used in this context. For the 1.3.9 release the concept has been extended by adding a bug rank (1-20), and the ability to filter by this ranking. The 2.0 release, targeted for later this year, is expected to include support to allow you to customize the bug ranking according to your own priorities.
A major planned feature of FindBugs 2.0 is community review, in which anyone can review issues in open source projects (i.e., mark issues as "must fix" or "mostly harmless"), and those reviews are persisted in a central store and automatically shared with other reviewers. An early beta of this functionality is available from the FindBugs website with Java Web Start apps featuring results for Sun's JDK 7 and Eclipse 3.5 (Java 1.5 or higher required) and the functionality has also been trialled during an engineering fixit at Google as described on the FindBugs home page:
"On May 13-14, Google held a global fixit for UMD's FindBugs tool a static analysis tool for finding coding mistakes in Java software. The focus of the fixit was to get feedback on the 4,000 highest confidence issues found by FindBugs at Google, and let Google engineers decide which issues, if any, needed fixing.
More than 700 engineers ran FindBugs from dozens of offices. More than 250 of them entered more than 8,000 reviews of the issues. A review is a classification of an issue as must-fix, should-fix, mostly-harmless, not-a-bug, and several other categories. More than 75% of the reviews classified issues as must fix, should fix or I will fix. Many of the scariest issues received more than 10 reviews each.
Engineers have already submitted changes that made more than 1,100 of the 3,800 issues go away. Engineers filed more than 1,700 bug reports, of which 600 have already been marked as fixed. Work continues on addressing the issues raised by the fixit, and on supporting the integration of FindBugs into the software development process at Google.
The fixit at Google showcased new capabilities of FindBugs that provide a cloud computing / social networking backdrop. Reviews of issues are immediately persisted into a central store, where they can be seen by other developers, and FindBugs is integrated into the internal Google tools for filing and viewing bug reports and for viewing the version control history of source files. For the Fixit, FindBugs was configured in a mode where engineers could not see reviews from other engineers until they had entered their own; after the fixit, the configuration will be changed to a more open configuration where engineers can see reviews from others without having to provide their own review first."
Static analysis tools are not a silver bullet; other techniques such as design, code reviews and testing are just as important if not more so than static analysis tools. Used properly however they are a useful tool for individual developers and projects to work with.
Tom Gilb & Kai Gilb Jan 26, 2015