How do commercial Java static analysis tools compare with the free ones?


Question

I'm familiar with a handful of the free static analysis tools available for Java, such as FindBugs and PMD. What I'd like to know is how the commercial products such as Klocwork and Coverity stack up against these. What are their strengths and weaknesses?

Recommended answer

We use a suite of open source and commercial static analysis tools. The different tools find different kinds of bugs and some are tuned for lower false positive rates, at the expense of possibly missing some real problems.

In my experience, Findbugs does a good job of finding real problems, especially if you focus on Correctness errors as their team suggests. Recently the developers of Findbugs have added some basic security vulnerability checks as well. Coverity has a low false positive rate especially if you don't turn on their experimental checkers, and Coverity Prevent includes a good tracking database for trend/cluster analysis. I am not convinced yet that their threading checkers (static or dynamic) work - at least they haven't found anything interesting for us. Klocwork Developer for Java returns higher false positives, but we find they have the strongest security checking of these tools. So it depends on whether your priority is quality checking (Findbugs, Coverity) or security vulnerability analysis (Klocwork, or Fortify). Some of our developers also use PMD to support source code reviews, as it helps with general code cleanup.

A recent project conducted with NIST called "SATE: Static Analysis Tool Exposition" reviewed a wide variety of different tools and their underlying approaches. https://samate.nist.gov/index.php/SATE.html and other references to this project such as at OWASP. The general finding is that different tools have different strengths and weaknesses, so use more than one if you want to do a thorough job.
