PMD VS Spotbugs

While at it you could also point them to static code analyzers such as error_prone, spotbugs and pmd (use all 3 at once - they complement each other in detecting different issues).

For PMD specifically, we use the PMD command line tool (Github) and wire it together with some bash scripting. Most pipelines will allow you to write bash as needed. The SFDX scanner command didn't exist when we implemented this, you might be able to use that instead.

This is the definition of cohesion and there are many great tools to calculate cohesion metrics (depending on the programming language e.g Java). Cohesion metrics belong to a bigger set of metrics called OOP metrics (or ck metrics). Check out the following links: https://github.com/mauricioaniche/ck https://github.com/cqfn/jpeek https://github.com/rodhilton/jasome https://github.com/pmd/pmd

some good tools for general code analysis (Java): Sonarqube, PMD, SpotBugs

If you are a developer or have access to someone who knows Salesforce development, there are analysis tools that can help you take stock of your situation directly. PMD, CPD, ESLint, Apex tests, and Jest tests are a few of these.

Another nice checker to use in your CI environment is PMD. PMD works with Java, JavaScript, and Oracle’s SQL. You can scan code with the default rules for Java with the following:

sem-version java 11 checkout wget https://github.com/pmd/pmd/releases/download/pmd_releases%2F6.32.0/pmd-bin-6.32.0.zip unzip pmd-bin-6.32.0.zip ./pmd-bin-6.32.0/bin/run.sh pmd -d . -R rulesets/java/quickstart.xml -f text

In dynamic and typed languages, linters are used. These are used before you run or compile the code. They vary in purpose, but all typically format code, help find common errors, and help guide on language best practices. For typed languages, these tools work alongside the compiler, giving you extra quality checks that the compiler doesn’t provide natively. Examples include PyLint for Python, ESLint for JavaScript, Vet for Go, and PMD originally for Java. These can prevent many runtime exceptions.

PMD scans Java source code and looks for potential problems.

While at it you could also point them to static code analyzers such as error_prone, spotbugs and pmd (use all 3 at once - they complement each other in detecting different issues).

First, it's better to use SpotBugs 4.4.1 and above, that includes a fix to make SARIF report compatible with Github code scanning API requirements.

RUN wget https://github.com/spotbugs/spotbugs/releases/download/4.4.1/spotbugs-4.4.1.tgz

If you don’t have checkmarx/Vera code money, have you looked at https://find-sec-bugs.github.io/? It can be used with a few things such as https://spotbugs.github.io/ and sonarQ

some good tools for general code analysis (Java): Sonarqube, PMD, SpotBugs

Static application security testing (SAST) is essential in tackling the source code vulnerabilities, late diagnosis of problems, and lack of root-cause analysis. This post describes how to carry out SAST in your Java application using SpotBugs.