Spotbugs
SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code. (by spotbugs)
SonarQube
Continuous Inspection (by SonarSource)
Our great sponsors
| Spotbugs | SonarQube | |
|---|---|---|
| 15 | 45 | |
| 2,721 | 6,824 | |
| 1.5% | 2.6% | |
| 9.0 | 9.9 | |
| about 15 hours ago | about 16 hours ago | |
| Java | Java | |
| GNU Lesser General Public License v3.0 only | GNU Lesser General Public License v3.0 only |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Spotbugs
Posts with mentions or reviews of Spotbugs.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-03-29.
-
Ask HN: What is a modern Java environment?
PMD, Spotbugs, Nullaway: Java linting/static analysis (https://pmd.github.io, https://spotbugs.github.io, https://github.com/uber/NullAway)
- What are some useful static analyzers for Java?
- Go CheckLocks Analyzer
-
Is there a tool to track CVEs for the software that we use?
While at it you could also point them to static code analyzers such as error_prone, spotbugs and pmd (use all 3 at once - they complement each other in detecting different issues).
-
SpotBugs supports SARIF that supports integration with other SAST tools
First, it's better to use SpotBugs 4.4.1 and above, that includes a fix to make SARIF report compatible with Github code scanning API requirements.
-
Needing to run GUI application from java docker image
RUN wget https://github.com/spotbugs/spotbugs/releases/download/4.4.1/spotbugs-4.4.1.tgz
-
Looking for a Static Code Analysis tool for Scala Code
If you don’t have checkmarx/Vera code money, have you looked at https://find-sec-bugs.github.io/? It can be used with a few things such as https://spotbugs.github.io/ and sonarQ
-
An Incomplete List of Practical Security for Mortals
some good tools for general code analysis (Java): Sonarqube, PMD, SpotBugs
- NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION erroneously issued on equals(@Nullable Object) · Issue #633 · spotbugs/spotbugs
- SpotBugs – Find Bugs in Java Programs
SonarQube
Posts with mentions or reviews of SonarQube.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-04-18.
-
Do I need to hire someone to look over my Django project for security problems before launching it to production?
And run a security scan like Sonarqube: https://www.sonarqube.org
-
The Engineer's Guide to Creating a Technical Debt Proposal🗺🧭
2. Static analyser tools such as SonarQube are used to analyse source code in search of technical debt.
-
Seriously who cares about the warnings
Never had anything like that though for four years my life revolved around getting PMD, checkstyle and Sonar rules to pass so my pull request would merge.
-
Starting new role as senior manager - I want to change the way how team builds software - I need your feedback.
Love it and have a suggestion: Use SonarQube. We set up the free version and use open-source plugins where needed. Set clear expectations for metrics like Cyclomatic complexity, code duplication, no critical/high vulnerabilities, % of test coverage. Leave no doubt what the expecations are, track progress over time, and if you do need to make resource changes, you will have objective data to use to make your decisions.
- Estabelecendo um processo fundamental de revisão de código
-
Modern StyleCop alternative? Advice appreciated.
I'm surprised none mentioned it, but check out https://www.sonarqube.org/
-
Measuring code quality in an app?
I recommend https://www.sonarqube.org/ in a heartbeat. I used it in my last two jobs and never looked back
-
A simple terminal Wordle in pure go
Check out SonarCube to see how much “cognitive load” your code puts devs through. Use Docker for a quick setup.
-
What is your CI/CD pipeline like?
SonarQube (formerly Sonar) looks for code smells, security no-no's and common bugs. It also shows you all kinds of statistics and breakdowns by project / file / contributor / whatever. It's a pretty nifty tool; it's also pretty effective at keeping egos in check.
-
Review Pull Requests 3x faster, ... then 10x faster
SonarQube
What are some alternatives?
When comparing Spotbugs and SonarQube you can also consider the following projects:
FindBugs - The new home of the FindBugs project
PMD - An extensible multilanguage static code analyzer.
SonarJava - :coffee: SonarSource Static Analyzer for Java Code Quality and Security
Checkstyle - Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
Error Prone - Catch common Java mistakes as compile-time errors
infer - A static analyzer for Java, C, C++, and Objective-C
snyk - Snyk CLI scans and monitors your projects for security vulnerabilities.
Zed - The OWASP ZAP core project