
Integrating static analysis tools with each other?

How are folks integrating various static analysis tools such as PMD, Checkstyle, and FindBugs so that they are used together in some uniform way? In particular, I'm interested in generating a single uniform report that includes warnings from all tools. Also, I want to be able to mark-up my code with reasonably consistent looking warning suppressions.

My question here is not meant to address tool "overlap" where, say, PMD and Checkstyle are looking for the same things. That is another issue.

Please see some of my thoughts on the matter in an answer to a related question.

I stumbled across JcReport today, which I think does exactly what you are looking for. At least, it handles the reports in a combined way; suppressions are still tool-specific. This tool claims to support automatically integrating the output of PMD, CPD, FindBugs, CheckStyle, and Cobertura into a single HTML report.

I haven't tried it yet, but definitely intend to soon.

Another option is glean. http://jbrugge.com/glean/

From their website: Glean is a framework of Ant scripts for generating feedback on a team's source code. Glean's goal is to make it possible to add feedback to your build cycle with as little pain as possible. The scripts drive a number of open-source tools and collect the resulting HTML for you to deploy to a project website or some other common team area. Add it at the end of a daily build cycle and it is a quick way to keep a number of feedback sources up to date and in one place.

I am not clear on what qualifies as a single uniform report in your book but here is what I do.

I use Maven2 for builds and with it you can configure a series of reporting plugins (including PMD, CPD, Checkstyle, Cobertura, etc). Maven will also auto-generate a website (site plugin) for your project which contains all the reports in a nice easy-to-navigate webpage format.

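If you build your project with Maven and you "plug" these tools into your Maven build, then the Maven reports generated for the build will include the output of these static analysis tools.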

Thanks for the responses!

The goal here is to configure these tools so that they behave in some similar manner with respect to each other. This goes beyond simply dumping whatever report they generate automatically, or using whatever warning suppression hint they use out-of-the-box.

For example, I have PMD, Checkstyle, and FindBugs configured to report all warnings in the following format:

/absolute-path/filename:line-number:column-number: warning(tool-name): message

So a warning might look like this:

/project/src/com/example/Foo.java:425:9: warning(Checkstyle): Missing a Javadoc comment.

Also, all warning suppressions in my source code are marked with a symbol that includes the string "SuppressWarnings" regardless of the static analysis tool being suppressed. Sometimes this symbol is an annotation, sometimes it's in a comment, but it always has that name.

I explain these ideas in a bit more detail here.
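Once every tool emits the uniform line format described in the post above, a single report can be produced by parsing and merging the lines. The following is an added example, not part of the original post: the function names and the sample lines (other than the Checkstyle warning quoted above) are constructed for illustration.

```python
import re
from collections import Counter

# Uniform format from the post:
# /absolute-path/filename:line-number:column-number: warning(tool-name): message
WARNING_RE = re.compile(
    r"^(?P<path>/.+?):(?P<line>\d+):(?P<col>\d+): "
    r"warning\((?P<tool>[^)]+)\): (?P<msg>.*)$"
)

def parse_warning(text):
    """Return (path, line, col, tool, message), or None if not in the uniform format."""
    m = WARNING_RE.match(text.strip())
    if m is None:
        return None
    return (m["path"], int(m["line"]), int(m["col"]), m["tool"], m["msg"])

def merge_reports(lines):
    """Merge the output of several tools into one sorted, de-duplicated report.

    Returns (warnings, per_tool_counts, rejected_lines). Lines that do not
    match the format are returned rather than dropped, so a tool whose
    output template is misconfigured is noticed instead of silently lost.
    """
    seen, rejected = set(), []
    for raw in lines:
        if not raw.strip():
            continue
        parsed = parse_warning(raw)
        if parsed is None:
            rejected.append(raw)
        else:
            seen.add(parsed)
    warnings = sorted(seen)  # orders by path, then line, then column
    counts = Counter(w[3] for w in warnings)
    return warnings, counts, rejected

# Constructed sample input; only the first line appears in the post.
SAMPLE = [
    "/project/src/com/example/Foo.java:425:9: warning(Checkstyle): Missing a Javadoc comment.",
    "/project/src/com/example/Foo.java:12:5: warning(PMD): Avoid unused private fields.",
    "/project/src/com/example/Bar.java:88:17: warning(FindBugs): Possible null dereference: value returned at line 80",
    "/project/src/com/example/Foo.java:425:9: warning(Checkstyle): Missing a Javadoc comment.",
    "Foo.java:425: Missing a Javadoc comment.",  # not in the uniform format
]

if __name__ == "__main__":
    warnings, counts, rejected = merge_reports(SAMPLE)
    for path, line, col, tool, msg in warnings:
        print(f"{path}:{line}:{col}: warning({tool}): {msg}")
    print(dict(counts), "rejected:", len(rejected))
```
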
