Java Static Analysis

Open-source Java projects categorized as Static Analysis

Top 23 Java Static Analysis Projects

  • bytecode-viewer

    A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)

    Project mention: Java 泛型程式設計的注意事項 | | 2023-01-02
  • Checkstyle

    Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.

    Project mention: 5 easy paths to become a recognized Java expert. Really. For free. | | 2022-08-25
  • InfluxDB

    Build time-series-based applications quickly and at scale.. InfluxDB is the Time Series Platform where developers build real-time applications for analytics, IoT and cloud-native services. Easy to start, it is available in the cloud or on-premises.

  • SonarQube

    Continuous Inspection

    Project mention: Usefully links for DotNet Backend Developers | | 2023-01-02


  • Error Prone

    Catch common Java mistakes as compile-time errors

    Project mention: How to use Java Records | | 2022-11-18

    A special kind of validation is enforcing that record fields are not null. (Un)fortunately, records do not have any special behavior regarding nullability. You can use tools like NullAway or Error Prone to prevent null in your code in general, or you can add checks to your records:

  • Recaf

    The modern Java bytecode editor

    Project mention: what is the easiest way to decompile, edit and recompile a mod? | | 2022-10-11

    IF you've got the legal situation all sorted out, and know that you need to change a Java class file, and know how to program in Java, I'd suggest Recaf. With it, you can import a jar file, decompile, edit and recompile any source files in it, and export the whole thing again.

  • PMD

    An extensible multilanguage static code analyzer.

    Project mention: Spring Boot – Black Box Testing | | 2022-11-13

    The generated classes should be put into .gitignore. Otherwise, if you have Checkstyle, PMD, or SonarQube in your project, then generated classes can violate some rules. Besides, if you don't put them into .gitignore, then each pull request might become huge due to the fact that even a slightest fix can lead to lots of changes in the generated classes.

  • NullAway

    A tool to help eliminate NullPointerExceptions (NPEs) in your Java code with low build-time overhead

    Project mention: Retrofitting null-safety onto Java at Meta | | 2022-11-22

    Does anyone have experience using this at Meta who can compare to ?

  • Sonar

    Write Clean Java Code. Always.. Sonar helps you commit clean code every time. With over 600 unique rules to find Java bugs, code smells & vulnerabilities, Sonar finds the issues while you focus on the work.

  • Spotbugs

    SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

    Project mention: Primeiros passos no desenvolvimento Java em 2023: um guia particular | | 2023-01-19
  • soot

    Soot - A Java optimization framework

  • find-sec-bugs

    The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)

    Project mention: Find Security Bugs | | 2022-02-23
  • Spoon

    Spoon is a metaprogramming library to analyze and transform Java source code. :spoon: is made with :heart:, :beers: and :sparkles:. It parses source files to build a well-designed AST with powerful analysis and transformation API.

  • phpinspectionsea

    A Static Code Analyzer for PHP (a PhpStorm/Idea Plugin)

    Project mention: 7 Laravel Packages to Improve Coding Standards and Reduce Bugs | | 2022-08-01

    PHP Inspections is a static code analyzer and code review tool for PhpStorm IDE.

  • pysonar2

    PySonar2: a semantic indexer for Python with interprocedual type inference

  • SonarJava

    :coffee: SonarSource Static Analyzer for Java Code Quality and Security

  • FlowDroid

    FlowDroid Static Data Flow Tracker

    Project mention: Anyone familiar with Java byte code manipulation or java code optimisation using a tool called FlowDroid? | | 2022-08-02

    I need help regarding understanding the mechanism of working of this tool named FlowDroid...

  • mobsfscan

    mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.

    Project mention: Run your security static analysis tests for Android apps on the cloud with MobSF and AWS | | 2022-08-29

    In the presentation, I mentioned different automated security testing tools that we can use with Android.One of these tools is MobSF — it’s an open-source static analysis tool that can find insecure code patterns in your Android and iOS source code supports Java, Kotlin, Swift, and Objective C.

  • sonar-php

    :elephant: SonarPHP: PHP static analyzer for SonarQube & SonarLint

    Project mention: How does one get this "PHP Control Flow Viewer" sidebar? | | 2022-02-10
  • Modernizer

    Detect uses of legacy Java APIs

  • warnings-ng-plugin

    Jenkins Warnings Plugin - Next Generation

    Project mention: How do you setup coverage/ sanitizers in your CI system. | | 2023-01-27

    Jenkins for C/C++, at least, also has a small bus factor ( Without Jenkins would be little more than a daemon that triggers builds as a reaction to a webhook on pushing. He basically maintains, alone, and other stuff.

  • ck

    Code metrics for Java code by means of static analysis (by mauricioaniche)

  • forbidden-apis

    Policeman's Forbidden API Checker

    Project mention: Stop Using Utcnow and Utcfromtimestamp | | 2022-10-09

    > All this stuff would be a lot easier if timezones always had to be stated explicitly.

    On Java, you can use the forbidden-apis build plugin ( to fail the build whenever a timezone or locale or charset is not specified explicitly (it forbids the methods from the Java API which use an implicit timezone/locale/charset). I don't know whether there's something similar for Python; it might be harder because Python is much more dynamic (though it might be possible to use monkeypatching to warn whenever the bad methods are used).

  • RefactorFirst

    Tool for Java codebases that will help you identify the God Classes you should refactor first.

    Project mention: RefactorFirst - a tool to help figure out where you should start refactoring your Java codebases | | 2022-03-09

    It uses Google Charts. It builds the HTML / Javascript that renders it in

  • jspecify

    An artifact of fully-specified annotations to power static-analysis checks, beginning with nullness analysis.

    Project mention: How to go about writing a library? | | 2023-01-28
  • SaaSHub

    SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

NOTE: The open source projects on this list are ordered by number of github stars. The number of mentions indicates repo mentiontions in the last 12 Months or since we started tracking (Dec 2020). The latest post mention was on 2023-01-28.

Java Static Analysis related posts


What are some of the best open-source Static Analysis projects in Java? This list will help you:

Project Stars
1 bytecode-viewer 13,488
2 Checkstyle 7,503
3 SonarQube 7,475
4 Error Prone 6,315
5 Recaf 4,538
6 PMD 4,143
7 NullAway 3,224
8 Spotbugs 2,951
9 soot 2,493
10 find-sec-bugs 2,028
11 Spoon 1,442
12 phpinspectionsea 1,359
13 pysonar2 1,319
14 SonarJava 986
15 FlowDroid 813
16 mobsfscan 359
17 sonar-php 345
18 Modernizer 326
19 warnings-ng-plugin 317
20 ck 292
21 forbidden-apis 282
22 RefactorFirst 238
23 jspecify 213
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives