This sample code is used to demo different static verification tools such as FindBugs, PMD, Google ErrorProne, SpotBugs, and CogniCrypt.
Some of the tools demonstrated here require a compiled jar file. To create the jar file for this sample project, run

```
mvn clean package assembly:single
```
- I downloaded the FindBugs 3.0.1 files from this link. Note that there are alternative ways to run FindBugs (e.g., running it as an Eclipse plugin or an IntelliJ plugin). You can check them on their webpage or search for additional ways to integrate FindBugs in your workflow.
- Run FindBugs on the current project (run the following command from any directory, but point to the right FindBugs jar file in the `lib` folder of the zip file you downloaded for FindBugs):

  ```
  java -jar <path to FindBugs jar file>
  ```

  E.g., for me, I just saved it to the downloads folder and ran:

  ```
  java -jar ~/Downloads/findbugs-3.0.1/lib/findbugs.jar
  ```
- The above command will open a GUI. You can follow the GUI instructions here to see how to set up a new project. Note that for the source directory, you need to select the `src/main/java` directory of this current project.
- Once you set up the project, you can view the different warnings in the GUI.
- An alternative way of running FindBugs is through `ant`. There is already a `build.xml` file that configures the build for you so you can run FindBugs through the command line. Please note that you may need to update the path to the FindBugs directory to wherever you unzipped the above archive.

  ```
  ant findbugs
  ```

  Running the above command will create an XML output file called `demo-findbugs.xml`.
- The `pom.xml` file in this repo already has the PMD plugin as part of the reporting phase. To produce the PMD report, run:

  ```
  mvn pmd:pmd
  ```
- In the `target` folder, you will find a `pmd.xml` file that contains the results of running PMD. You can also visualize those results by viewing the `target/site/pmd.html` file.
- To run ErrorProne, go to the `pom.xml` file and uncomment all parts marked by `for running google error prone`.
- Run `mvn clean compile` to force a compilation. You will notice that the build now fails. Google ErrorProne is integrated into the build process and causes it to fail upon detecting any error (based on its ruleset). See the website for how to run it using different build systems.
- The `pom.xml` file already has the SpotBugs dependency added.
- Run `mvn spotbugs:check`. It will show you the errors spotted, and you can visually look at the errors by running `mvn spotbugs:gui`.
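To make the SpotBugs/FindBugs output concrete, here is an added example (hypothetical code written for this README, not the sample classes in this repo) with three classic bug patterns next to their fixed counterparts. The pattern IDs in the comments are the ones I expect SpotBugs to report for each method; the `*Buggy` methods exist only to be flagged.

```java
import java.security.SecureRandom;
import java.util.Random;

public class SpotBugsDemo {

    // ---- Patterns SpotBugs/FindBugs are expected to flag ----

    /** ES_COMPARING_STRINGS_WITH_EQ: == compares references, so an equal string built at runtime compares false. */
    static boolean isAdminBuggy(String role) {
        return role == "admin";
    }

    /** NP_NULL_ON_SOME_PATH: the null check proves s may be null, yet s is dereferenced on that same path. */
    static int lengthBuggy(String s) {
        if (s == null) {
            System.err.println("null input");
        }
        return s.length();
    }

    /** DMI_RANDOM_USED_ONLY_ONCE: a throwaway java.util.Random, seeded from the clock, used for one value. */
    static int tokenBuggy() {
        return new Random().nextInt();
    }

    // ---- Fixed counterparts ----

    static boolean isAdmin(String role) {
        return "admin".equals(role);          // value comparison, and null-safe
    }

    static int length(String s) {
        return s == null ? 0 : s.length();    // the null case is handled instead of dereferenced
    }

    private static final SecureRandom RNG = new SecureRandom();

    static int token() {
        return RNG.nextInt();                 // one long-lived CSPRNG instance for the whole class
    }

    public static void main(String[] args) {
        // new String(...) forces a distinct reference; SpotBugs flags the constructor itself as DM_STRING_CTOR.
        String runtimeRole = new String("admin");
        System.out.println("buggy: " + isAdminBuggy(runtimeRole) + ", fixed: " + isAdmin(runtimeRole));
        System.out.println("length(null) = " + length(null));
        System.out.println("token = " + token());
    }
}
```

Drop this class into `src/main/java`, rebuild, and rerun `mvn spotbugs:check`; the `*Buggy` methods should appear in the report while their fixed versions do not. The `main` method prints `buggy: false, fixed: true`, which is the behavioural difference the first pattern warns about.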
- Download the precompiled version of CogniCrypt from their repo, as well as the set of CrySL rules they have there. I used version 2.7.1. I created a folder `CogniCrypt` and inside it placed the pre-compiled CogniCrypt jar file and unzipped the `crypto-api-rules.zip` file into a folder called `rules` with all the `.crysl` rules inside it.
- Run the following from inside this project's main directory:

  ```
  java -jar ../CogniCrypt/CryptoAnalysis-2.7.1-SNAPSHOT-jar-with-dependencies.jar --rulesDir=../CogniCrypt/rules/ --applicationCp=target/sca-demo-1.0-SNAPSHOT.jar
  ```
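CogniCrypt checks JCA usage against the CrySL rules, so the findings look different from SpotBugs' bug patterns. The following is an added example (hypothetical code written for this README, not part of the sample project) that puts three API misuses the CrySL rules are expected to report beside a compliant AES-GCM round trip. The `weak*` methods are never called from `main`; they exist only to be analysed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CryptoUsageDemo {

    // ---- Misuses the CrySL rules are expected to report ----

    static byte[] weakEncrypt(byte[] plaintext) throws GeneralSecurityException {
        // Constant key material in source: violates the SecretKeySpec rule and is a secret-in-code finding.
        byte[] keyBytes = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        SecretKey key = new SecretKeySpec(keyBytes, "AES");
        // "AES" alone resolves to AES/ECB/PKCS5Padding on common providers; ECB is excluded by the Cipher rule.
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plaintext);
    }

    static byte[] weakCbc(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        // All-zero IV reused for every message; the IvParameterSpec rule expects bytes from SecureRandom.
        IvParameterSpec iv = new IvParameterSpec(new byte[16]);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, iv);
        return cipher.doFinal(plaintext);
    }

    static byte[] weakHash(byte[] data) throws GeneralSecurityException {
        // MD5 is not among the algorithms the MessageDigest rule allows.
        return MessageDigest.getInstance("MD5").digest(data);
    }

    // ---- Compliant counterparts ----

    static SecretKey freshKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                          // the KeyGenerator rule constrains AES to 128/192/256-bit keys
        return kg.generateKey();
    }

    /** Returns iv || ciphertext; a fresh 96-bit nonce is drawn per message. */
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decryptGcm(SecretKey key, byte[] ivAndCt) throws GeneralSecurityException {
        GCMParameterSpec spec = new GCMParameterSpec(128, ivAndCt, 0, 12);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        return cipher.doFinal(ivAndCt, 12, ivAndCt.length - 12);   // throws AEADBadTagException if tampered
    }

    static byte[] strongHash(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);   // constructed input
        SecretKey key = freshKey();
        byte[] sealed = encryptGcm(key, msg);
        System.out.println("round trip ok: " + Arrays.equals(msg, decryptGcm(key, sealed)));
        System.out.println("digest bytes: " + strongHash(msg).length);                // 32 for SHA-256
    }
}
```

After adding the class, rebuild the jar with `mvn clean package assembly:single` (CogniCrypt analyses the packaged classes, not the sources) and rerun the `java -jar ...CryptoAnalysis...` command above. Expect reports against `weakEncrypt`, `weakCbc` and `weakHash` only; the compliant methods should pass the rules.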