Top 23 Java Static Analysis Projects

bytecode-viewer

9 14,338 7.2 Java

A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
SonarQube

65 8,543 9.9 Java

Continuous Inspection

Project mention: Experience Continuous Integration with Jenkins | Ansible | Artifactory | SonarQube | PHP | dev.to | 2024-02-24

SonarQube (Scroll down to the Sonarqube section to see instructions on how to set up and configure SonarQube manually)

WorkOS

workos.com sponsored

The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
Checkstyle

15 8,121 9.9 Java

Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
Error Prone

16 6,716 9.4 Java

Catch common Java mistakes as compile-time errors

Project mention: Any library you would like to recommend to others as it helps you a lot? For me, mapstruct is one of them. Hopefully I would hear some other nice libraries I never try. | /r/java | 2023-05-27

error-prone is good for some extra static analysis.

Recaf

24 5,543 3.8 Java

The modern Java bytecode editor
PMD

21 4,663 9.9 Java

An extensible multilanguage static code analyzer.

Project mention: PMD 7 Is Here | news.ycombinator.com | 2024-03-22

NullAway

20 3,524 9.0 Java

A tool to help eliminate NullPointerExceptions (NPEs) in your Java code with low build-time overhead
InfluxDB

www.influxdata.com sponsored

Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
Spotbugs

17 3,331 9.6 Java

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
soot

1 2,789 8.6 Java

Soot - A Java optimization framework
find-sec-bugs

8 2,201 6.1 Java

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)
Spoon

1 1,669 9.6 Java

Spoon is a metaprogramming library to analyze and transform Java source code. :spoon: is made with :heart:, :beers: and :sparkles:. It parses source files to build a well-designed AST with powerful analysis and transformation API.

Project mention: I introduced Rust at work | /r/rust | 2023-06-29

Spoon

phpinspectionsea

5 1,427 1.3 Java

A Static Code Analyzer for PHP (a PhpStorm/Idea Plugin)

Project mention: PHP RFC: Deprecations for PHP 8.3 | /r/PHP | 2023-05-30

(I actually held the same opinion as you until recently: https://github.com/kalessil/phpinspectionsea/issues/1718 tl;dr the performance impact is negligible)

pysonar2

1 1,367 0.0 Java

PySonar2: a semantic indexer for Python with interprocedual type inference
SonarJava

0 1,088 9.6 Java

:coffee: SonarSource Static Analyzer for Java Code Quality and Security
FlowDroid

1 997 9.1 Java

FlowDroid Static Data Flow Tracker
jspecify

11 408 8.3 Java

An artifact of fully-specified annotations to power static-analysis checks, beginning with nullness analysis.

Project mention: Java, null, and JSpecify [video link] | /r/java | 2023-12-11

There's also a fair amount of content to explore starting at jspecify.org.

sonar-php

1 372 8.5 Java

:elephant: SonarPHP: PHP static analyzer for SonarQube & SonarLint
Modernizer

5 359 8.2 Java

Detect uses of legacy Java APIs
ck

3 355 3.2 Java

Code metrics for Java code by means of static analysis (by mauricioaniche)
RefactorFirst

3 331 7.4 Java

Identifies and prioritizes God Classes and Highly Coupled classes in Java codebases you should refactor first.

Project mention: 📢📢📢RefactorFirst 0.4.0 is released!!!📢📢📢 | /r/java | 2023-06-27

Learn more at https://github.com/jimbethancourt/RefactorFirst

warnings-ng-plugin

3 327 9.5 Java

Jenkins Warnings Plugin - Next Generation
forbidden-apis

4 313 6.5 Java

Policeman's Forbidden API Checker
SkidSuite

2 293 5.5 Java

A collection of java reverse engineering tools and informational links
SaaSHub

www.saashub.com sponsored

SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

NOTE: The open source projects on this list are ordered by number of github stars. The number of mentions indicates repo mentiontions in the last 12 Months or since we started tracking (Dec 2020).

Java Static Analysis related posts

PMD 7 Is Here
1 project | news.ycombinator.com | 22 Mar 2024
Java, null, and JSpecify [video link]
1 project | /r/java | 11 Dec 2023
Amazon CodeGuru Reviewer: already time for retirement?
2 projects | dev.to | 1 Aug 2023
📢📢📢RefactorFirst 0.4.0 is released!!!📢📢📢
1 project | /r/java | 27 Jun 2023
Design document on nullability and value types (Brian Goetz)
1 project | /r/java | 2 Jun 2023
Code Review for Flows
1 project | /r/salesforce | 28 Apr 2023
php inspections ea plugin
1 project | /r/phpstorm | 28 Apr 2023
A note from our sponsor - InfluxDB
www.influxdata.com | 25 Apr 2024

Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality. Learn more →

Index

What are some of the best open-source Static Analysis projects in Java? This list will help you:

	Project	Stars
1	bytecode-viewer	14,338
2	SonarQube	8,543
3	Checkstyle	8,121
4	Error Prone	6,716
5	Recaf	5,543
6	PMD	4,663
7	NullAway	3,524
8	Spotbugs	3,331
9	soot	2,789
10	find-sec-bugs	2,201
11	Spoon	1,669
12	phpinspectionsea	1,427
13	pysonar2	1,367
14	SonarJava	1,088
15	FlowDroid	997
16	jspecify	408
17	sonar-php	372
18	Modernizer	359
19	ck	355
20	RefactorFirst	331
21	warnings-ng-plugin	327
22	forbidden-apis	313
23	SkidSuite	293