Code Quality and Security for Java

SonarSource delivers what is probably the best static code analysis you can find for Java. It uses the most advanced techniques (pattern matching, dataflow analysis) to analyze code and find Code Smells, Bugs and Security Vulnerabilities. As with everything we develop at SonarSource, it was built on the principles of depth, accuracy, and speed.

SonarSource's Java analysis has great coverage of well-established quality standards. This capability is available in Eclipse, IntelliJ and VSCode for developers (SonarLint), as well as throughout the development chain for automated code review with self-hosted SonarQube or cloud-based SonarCloud.

Samples of Issues Detected

  • Null pointer dereference
  • If and else identical statement
  • Invariant method returns
  • Always false condition
  • Unclosed resource
  • I/O function call injection

Supported versions, frameworks and special analyses

  • Java language versions through 14
  • Frameworks: Struts, Spring, Hibernate
  • Native integration with Maven, Gradle, and Ant

Metrics

SonarSource's Java analysis supports all the standard metrics implemented by SonarQube including Cognitive Complexity. Additionally, it supports the import of JaCoCo and Cobertura test coverage reports.

Custom Rules

SonarSource's Java analysis supports custom rules written in Java.

CWE Compatibility

SonarSource's Java analysis is officially registered as CWE Compatible.

Free & Open Source

The analyzer is published on GitHub, with a public issue tracker.
