Top 23 Java Static Analysis Projects
-
bytecode-viewer
A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
-
SonarQube
Open-source platform for continuous code quality inspection, identifying bugs and code smells.
-
Checkstyle
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
We had a list of suggested code formatting tools; as my code was written in Java, I decided to use the suggested formatter, GoogleJavaFormat. However, I didn't pick the suggested tool for the linter. I picked Checkstyle because SpotBugs wasn't available for JDK 22.
-
Project mention: Using tests as a debugging tool for logic errors | news.ycombinator.com | 2025-05-07
This article seems like a very long-winded and complicated way to say that we should write tests. Am I missing something here? Wouldn't most developers write tests when creating algorithms, let alone something relating to finance as tax calculations? Yes, you should reproduce a defect by writing a failing test first.
Where I hoped/thought this piece would go was to expand on the idea of error-prone[1] and apply it to the runtime.
https://github.com/google/error-prone
-
Project mention: Top 17 Must-Have Resources for Software Refactoring Excellence | dev.to | 2025-06-23
Utilize PMD for Code Analysis
-
NullAway
A tool to help eliminate NullPointerExceptions (NPEs) in your Java code with low build-time overhead
Would be cool if Java got this feature, explicit optionality at a language level a la T? is an enormous developer QoL in Kotlin and Typescript in my experience. In Java there's tools like NullAway [1] but they're a hassle.
Language-level support is leagues better than Optional/Maybe in my experience too because it keeps the code focused on the actual logic instead of putting everything in a map/flatMap railway.
[1] https://github.com/uber/NullAway
-
find-sec-bugs
The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects)
-
Spoon
Spoon is a metaprogramming library to analyze and transform Java source code. :spoon: is made with :heart:, :beers: and :sparkles:. It parses source files to build a well-designed AST with powerful analysis and transformation API.
-
jspecify
An artifact of fully-specified annotations to power static-analysis checks, beginning with nullness analysis.
-
Project mention: Show HN: FlowTracker – Track data flowing through Java programs | news.ycombinator.com | 2024-09-13
Last time I was this blown away was with jitwatch ( https://github.com/AdoptOpenJDK/jitwatch )
FlowTracker reminds me a little of taint analysis, which is used for tracking unvalidated user inputs or secrets through a program, making sure it is not leaked or used without validation.
search keywords are "dynamic taint tracking/analysis"
https://github.com/gmu-swe/phosphor
https://github.com/soot-oss/SootUp
https://github.com/feliam/klee-taint
-
RefactorFirst
Identifies and prioritizes God Classes, Highly Coupled classes, and Class Cycles in Java codebases you should refactor first.
Java Static Analysis related posts
-
Top 17 Must-Have Resources for Software Refactoring Excellence
-
Essential Resources for Software Technical Debt Management
-
Using tests as a debugging tool for logic errors
-
JEP Draft: Prepare to Make Final Mean Final
-
Comparative Analysis: Aider vs. PMD vs. Semgrep
-
Aider: Advanced Integration of LLMs in Software Development
-
Navigating the Software Developer Life: Soft Skills, AI Tools, and Team Dynamics
Index
What are some of the best open-source Static Analysis projects in Java? This list will help you:
| # | Project | Stars |
|---|---|---|
| 1 | bytecode-viewer | 15,096 |
| 2 | SonarQube | 9,702 |
| 3 | Checkstyle | 8,623 |
| 4 | Error Prone | 7,000 |
| 5 | Recaf | 6,504 |
| 6 | PMD | 5,143 |
| 7 | NullAway | 3,784 |
| 8 | Spotbugs | 3,687 |
| 9 | soot | 2,991 |
| 10 | find-sec-bugs | 2,353 |
| 11 | Spoon | 1,828 |
| 12 | phpinspectionsea | 1,464 |
| 13 | pysonar2 | 1,414 |
| 14 | SonarJava | 1,166 |
| 15 | FlowDroid | 1,141 |
| 16 | jspecify | 774 |
| 17 | SootUp | 699 |
| 18 | RefactorFirst | 496 |
| 19 | sonar-php | 411 |
| 20 | ck | 408 |
| 21 | Modernizer | 383 |
| 22 | forbidden-apis | 351 |
| 23 | warnings-ng-plugin | 345 |