PMD
An extensible multilanguage static code analyzer. (by pmd)
SonarQube
Continuous Inspection (by SonarSource)
Our great sponsors
| PMD | SonarQube | |
|---|---|---|
| 18 | 63 | |
| 4,210 | 7,630 | |
| 2.0% | 2.2% | |
| 9.9 | 9.9 | |
| 7 days ago | 2 days ago | |
| Java | Java | |
| GNU General Public License v3.0 or later | GNU Lesser General Public License v3.0 only |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
PMD
Posts with mentions or reviews of PMD.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-02-04.
-
Custom Gradle Plugin for Unified Static Code Analysis
PMD and Checkstyle are static analysis tools that check your code on each project build. Gradle allows to apply them easily.
-
Spring Boot – Black Box Testing
The generated classes should be put into .gitignore. Otherwise, if you have Checkstyle, PMD, or SonarQube in your project, then generated classes can violate some rules. Besides, if you don't put them into .gitignore, then each pull request might become huge due to the fact that even a slightest fix can lead to lots of changes in the generated classes.
-
After Java tutorials, now what???
- PMD Static Code Analysis tool: https://pmd.github.io/
-
Ask HN: What is a modern Java environment?
PMD, Spotbugs, Nullaway: Java linting/static analysis (https://pmd.github.io, https://spotbugs.github.io, https://github.com/uber/NullAway)
-
Code smell plugin
PMD, and checkstyle as well.
-
Writing Clean and Consistent Code with Static Analysis using PMD and Apex
Nearly every programming language has a static analyzer of its own. For example, golang has gofmt, which is baked into the standard tooling, while Ruby has Rubocop, a community-led project. Even compiled languages like C have their own static analyzer through astyle. However, it can be difficult (and tedious) to run several analyzers across polyglot projects. Fortunately, that’s where a project like PMD can be of assistance. PMD is a static analyzer that allows you to define a standard set of rules that can be applied over multiple languages.
Open up the config/ruleset.xml file, and you’ll find an XML document that lists several rules. These rules map to the issues which PMD will report on. Believe it or not, there are hundreds of Apex rules, and you can find the full set at the PMD repo. You have complete control over which rules to enable. Typically, you’d determine which ones are important by agreeing with your teammates on the ones that matter most. After all, their code will be statically analyzed, too!
-
Is there a tool to track CVEs for the software that we use?
While at it you could also point them to static code analyzers such as error_prone, spotbugs and pmd (use all 3 at once - they complement each other in detecting different issues).
-
How to setup CI/CD for org-based development?
For PMD specifically, we use the PMD command line tool (Github) and wire it together with some bash scripting. Most pipelines will allow you to write bash as needed. The SFDX scanner command didn't exist when we implemented this, you might be able to use that instead.
-
Is it possible to measure spaghettiness of code?
This is the definition of cohesion and there are many great tools to calculate cohesion metrics (depending on the programming language e.g Java). Cohesion metrics belong to a bigger set of metrics called OOP metrics (or ck metrics). Check out the following links: https://github.com/mauricioaniche/ck https://github.com/cqfn/jpeek https://github.com/rodhilton/jasome https://github.com/pmd/pmd
SonarQube
Posts with mentions or reviews of SonarQube.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-01-02.
-
Usefully links for DotNet Backend Developers
SonarQube https://www.sonarqube.org/
-
How do you integrate a static security analysis tool into the CI/CD pipeline
There are commercial tools that can be integrated into a CI pipeline and/or a developer's IDE. I've used SonarQube before, but there are others.
-
How I go with react native in late 2022
having a code review and analysis tool in CI/CD pipeline can help developers to keep their code clean. some examples of these tools are sonarqube and embold.
-
Top 10 Open-Source DevOps Tools That You Should Know
Sonarqube Source Code Repository
- Ask HN: How can I DDOoS attack my personal website (for curiosity)?
-
Spring Boot – Black Box Testing
The generated classes should be put into .gitignore. Otherwise, if you have Checkstyle, PMD, or SonarQube in your project, then generated classes can violate some rules. Besides, if you don't put them into .gitignore, then each pull request might become huge due to the fact that even a slightest fix can lead to lots of changes in the generated classes.
-
Implement DevSecOps to Secure your CI/CD pipeline
SonarQube allows all developers to write cleaner and safer code. It supports lots of programming languages for scanning (Java, Kotlin, Go, JavaScript). It also supports running unit testing for code coverage. It can be easily integrated with Jenkins and Azure DevOps. Checkmarx, Veracode, and Klocwork also provide similar functionality but these are paid tools.
-
CBC Lite, a low-bandwidth CBC news site, built with React/Nextjs
As for some of our tech stack outside of Next.js for those curious, we use Sass to define CSS and its globals, Jenkins for our CI/CD pipeline, and Sentry for error tracking, all of which have been great to work with so far. Within our testing suite, we utilize Sonarqube, Lighthouse, aXe Core, WebPageTest, @next/bundle-analyzer, and run tests written with Cypress.
-
Finding better motivations for software work (Other than pride)
I found code reviews to also be tedious but in a different way. We have a large number of tools to review code well, and my company also makes sure to automate checks for code standards, smells and best practices (see sonarqube). The expectation on me as a code reviewer was to criticize to improve the structure and design of our code. Along the way, I was also meant to teach other engineers things.
-
Flutter : a journey to higher-quality apps
Ring any bell ? Don't be shy, I know that you are thinking of Sonarqube !
What are some alternatives?
When comparing PMD and SonarQube you can also consider the following projects:
Spotbugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
Checkstyle - Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
Error Prone - Catch common Java mistakes as compile-time errors
semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
snyk - Snyk CLI scans and monitors your projects for security vulnerabilities. [Moved to: https://github.com/snyk/cli]
infer - A static analyzer for Java, C, C++, and Objective-C
FindBugs - The new home of the FindBugs project
Zed - The OWASP ZAP core project
swagger-ui - Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.