Automated code review tools

Automated code review tools – Open Source 

PMD
PMD scans Java source code and looks for potential problems like:

  • Possible bugs – empty try/catch/finally/switch statements
  • Dead code – unused local variables, parameters and private methods
  • Suboptimal code – wasteful String/StringBuffer usage
  • Overcomplicated expressions – unnecessary if statements, for loops that could be while loops
  • Duplicate code – copied/pasted code means copied/pasted bugs

Checkstyle
Checkstyle provides checks that find class design problems, duplicate code, or bug patterns like double-checked locking.

Findbugs
Uses static analysis to look for bugs in Java code.

Sonar
Sonar is an open platform to manage code quality.

JNorm
JNorm is a Java code analysis tool that detects areas of code which could be replaced by functions from existing open source libraries.

Splint
Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.


Automated code review tools – Commercial products

Coverity
Prevent – identifies security vulnerabilities and code defects in C, C++, C# and Java code.

Fortify
Helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, “Classic” ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL, Python and COBOL, as well as in configuration files.

Lint
Source code checker.