klocwork – a review

Since I wrote a review of JTest, I decided to do a review of the other commercial product I tried in the Java static analysis family – Klocwork

Installation

I ran into some trouble installing the trial Eclipse plugin. I saw a zip file to use instead of the update site.  I then unzipped it rather than pointing to it as a local install.   Which appears to work – you see klockwork show up in the Eclipse preferences, but get an error when trying to actually use it.

This gave me the opportunity to deal with their tech support.  Which was very good – they identified the problem correctly and told me to re-install properly.

Trial limitations

The trial limits you to scanning 300 files at a time.  This is perfectly reasonable – I can’t think of a reason you’d need to do more than that to see if you like a product.  I wanted to scan the same files as I had with JTest to compare output.

Since our product has more than 300 files, I thought I would just pick a few packages or classes with known issues.  I then learned they mean you can’t scan a project with more than 300 files rather than that you can’t scan more than 300 files.  Okay.  I used an Eclipse refactoring to move a bunch of packages to another project.  I’m not sure what this accomplished via the limit in the trial.  I was still able to scan everything.

The actual rules
In addition to the common static analysis rules (null ahndling, return values), some more interesting rules jumped out at me.  These include:

  1. Log forging – unvalidated input going into a log allows attacker to influence what logged
  2. If statement always evaluates to true/false – I like this was in the default rule configuration.
  3. Unchecked user input used in SQL query.  – It’s not user  input in our case, but a very good check to get you to manually review the code.

Summary

I also liked the minimizing of false positives.  Aside from my installation difficulties, I was very happy with the experience.

parasoft jtest – a review

I tried running Parasoft’s JTest against the modified JForum use by JavaRanch.

The first thing I did was run all the static analysis rules and got over 47 thousand hits.  Now this doesn’t mean much as some of the rules are cosmetic things and some directly confict with each other. (Use “*” for imports and don’t use “*” for imports imply every single file with get hit for one of them.  I started running all the rules so I could drill down and see what was out there.

A few of the rules were things that I had already noticed and made me cringe when reading the code.  For example, PostAction as a cyclomatic complexity (branch count) over over 40.  Ten is high.  40 is almost unreadable.

Some of the more interesting ones:

  • Found some duplicate code and string literal duplication.
  • The rules were updated for Java 5 – For example, it found I overwrote toString() but not valueOf() in an enum.
  • security rules for SQL injection
  • I really like “remove commmented out Java code” as this is a pet peeve of mine!
  • I learned that there is a problem with “double checked locking” pattern if you don’t use the volatile keyword.
  • As expected, JTest found unclosed resources, missing static keywords and the like.
  • There’s a bug in Java’s substring implementation that can cause an out of memory error.
  • It didn’t find a specific defect I was hoping to uncover when I downloaded it.  But this was more informative than not – now I know that defect isn’t in the code without having to look through hundreds of classes!

Some of the rules offer a “quick fix” where you can automatically fix the violation through your IDE plugin.  I used this to add {} to single line conditionals in 50 places without effort.

The only complaints I ran into:

  • It’s mostly updated for Java 5, but not completely.  One rule says to using StringBuffer instead of String when concatenting strings (when you should use StringBuilder.)
  • It’s slow – 5 minutes – 11 rules – 519 files.  PMD goes faster.
  • And of course – it’s expensive – but it’s intended for corporate users.  Thank you Parasoft for the trial to use on our non-commercial software!

The breadth of errors JTest can find is amazing.  It doesn’t just save you time manually reviewing code – it tells you about subtle errors you might not know about.