Spot all the bugs with static code analysis


Bugs are everywhere!

You will almost inevitably run into them during development. We’d better find them before releasing our software. There are numerous tools for automated testing, but here I want to bring your attention to static code analysis tools.

Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program. The good news for us is that there are many good static code analysis tools for Java. Thus we can find bugs even before testing our software!


SpotBugs is an open-source static code analyzer which detects possible bugs in Java programs. Potential errors are classified in four ranks: (i) scariest, (ii) scary, (iii) troubling and (iv) of concern. This is a hint to the developer about their possible impact or severity. Spotbugs operates on Java bytecode, rather than source code.

It is a very useful tool for your apps that can be easily integrated to your CI workflow. Let’s see how to use it with CUBA.

SpotBugs plugin can be added to your build script as follows:

buildscript {
    dependencies {
        classpath "com.haulmont.gradle:cuba-plugin:$cubaVersion"
        // add spotbugs plugin
        classpath ""

// apply spotbugs for Java projects
subprojects {
    apply plugin: "com.github.spotbugs"

See the complete build script: build.gradle (4.9 KB)

Create a bug!

Let’s create the following Java class in core module:

public class MyDateService {
    protected static final SimpleDateFormat df = new SimpleDateFormat("dd/MM/yyyy");

    public String format(Date date) {
        return df.format(date);

Do you see any bugs here? I know for sure there’s at least one.

Find it!

Now, open your command line and trigger spotbugsMain Gradle task that runs SpotBugs for your production Java source files:

> gradlew spotbugsMain

Execution failed for task ':app-core:spotbugsMain'.
> A failure occurred while executing com.github.spotbugs.internal.spotbugs.SpotBugsRunner
   > SpotBugs rule violations were found. See the report at: file://~/test/spotbugs-demo/modules/core/build/reports/spotbugs/main.html

Click on the link and open the report. The report contains a Multithreaded correctness warning:

Code	Warning
STCAL is a static field of type java.text.DateFormat, which isn't thread safe

Also, you will find a nice detailed description of the problem:

As the JavaDoc states, DateFormats are inherently unsafe for multithreaded use. Sharing a single instance across thread boundaries without proper synchronization will result in erratic behavior of the application.

So, we’ve just find an error in our code without starting our application.

You can read more about SpotBugs here. It supports custom rules, inspections configuration and excludes for your code. Hope it will save your time in the future!