Checkstyle VS infer

I’m a little out of date with Java, but I believe Checkstyle is currently popular: https://github.com/checkstyle/checkstyle

Another example can be applied to code quality itself. Most static analyzers are configurable. If you tried to set Checkstyle Google configuration to the mature project, you would probably get hundreds or even thousands of errors. You can start with just one rule. Ar first glance, it seems not so important. But after the moment when the configuration reaches the repository, you can be sure that no one else can violate this rule in the future.

Checkstyle: a tool that helps programmers write Java code that adheres to a coding standard: https://github.com/checkstyle/checkstyle

So I was there once, sharing my solution. For my current project I use the java formatter jar, but on my previous work I was using checkstyle, you can get it from here: Checkstyle. Then pass your checkstyle xml format config.

On the coding standards side, use linters like https://github.com/checkstyle/checkstyle and https://github.com/eslint/eslint so you have an automated way to detect some errors and enforce style standards.

The most common approach for CI integration is the Maven checkstyle plugin, and you'd have to specify the coding style rules in the checkstyle.xml file. The github repo for checkstyle has checkstyle.xml configs for Google and Sun.

sem-version java 11 wget https://github.com/checkstyle/checkstyle/releases/download/checkstyle-8.41/checkstyle-8.41-all.jar java -jar checkstyle-8.41-all.jar -c /sun_checks.xml MyFile.java

You can find a configuration file for Google’s Java Style on the checkstyle repository.

Direct JAR which can be taken from Github

Which kind of vulnerabilities ? There's frama-C (free and open source) and Astree (commercial) used in the aerospace industry (https://frama-c.com/, https://www.absint.com/astree/index.htm), FB is also developing an open source static analyzer (https://fbinfer.com/).

checkout cache restore mvn clean curl -sSL "https://github.com/facebook/infer/releases/download/v1.0.0/infer-linux64-v1.0.0.tar.xz" | tar -xJ ./infer-linux64-v1.0.0/bin/infer run -- mvn package artifact push job --expire-in 1w infer-out ./infer-linux64-v1.0.0/bin/infer analyze --fail-on-issue

Infer was created by Facebook to find code that can lead to runtime errors, things such as race conditions and resource leaks. Infer works with Java and Android. Facebook has open-sourced this tool and uses it to fix their mobile client and the main Facebook app.

There are few tools that are both geared to mainstream programming languages and reasonable to work with. But probably the best place to start is Infer [1]. It's marketed as a static analyzer, in other words a way to prove some properties, but the separation logic at its heart is a powerful and general program proof technique.

In time, I hope and expect that the RustBelt project[2] will become a practical tool to prove Rust programs correct. It's already found some bugs in the standard library, and the main focus is currently to firm up the semantics of the language.

[1]: https://fbinfer.com/