Want to try it for yourself?
It’s been more than 25 years since Java was created, but it is still one of the most popular languages for modern software development. The language’s demand stems from the platform being easy to learn with an extensive collection of APIs. With so many development teams still recognizing these benefits and selecting Java, there’s a pressing need for powerful Java review tools to ensure secure Java code.
Automated code reviews can improve the quality of software significantly, while also bolstering its resistance to security threats. In addition, static code reviewers can augment manual peer reviews to create a robust process for streamlining code optimization. Check out our set of best practices for your code review process.
While there are many Java code review tools available, we chose the list of tools below because they’re open source, easy to use, and are compatible with Java applications. With that in mind, here are seven Java code review tools that deliver on these critical benefits:
JArchitect, a static Java source code analysis tool, evaluates Java code for complexity. It offers features such as code querying, enabling custom code, technical debt evaluations to identify the cost of fixing – or risk of not fixing – an error, and pass/fail quality gates. The tool also provides standard metrics and statistical analysis of the code.
In addition to those features, JArchitect can also identify code metrics like cyclomatic complexity (number of possible execution paths), source code lines, afferent (incoming) and efferent (outgoing) coupling, nesting, and depth. The software generates reports that help proactively guard against unplanned code errors.
PMD is a free, open source, static code reviewer that runs through Github. This Java review tool evaluates the integrity of the source code. It reports common mistakes that reduce the code's efficiency, such as duplicate or unneeded code sections or variables and unnecessary objects. PMD can also detect hard-coded IP addresses or passwords that could compromise security.
Eliminating duplicate code within the Java application allows the code to run faster and offers a secondary check for manual reviewers who may have added redundant code sections. That’s why the tool also has a copy-paste detector called CPD that supports Java, Python, MATLAB, Fortran, C, C++, and C#, among others.
Another free and open source Java code review tool is FindBugs. Also a static analyzer, this tool scans the code to find defects (or "bugs"), inconsistencies, or security threats in suspicious code sections. FindBugs identifies inconsistencies as warnings, allowing the developer the discretion to review the messages to determine whether they need to take corrective action. Developers can action the warning messages in this Java code review tool either individually or in batches. FindBugs requires JRE 1.7.0 or later to run and analyze any version of Java from 1.0 to 1.8.
SpotBugs is the next generation of FindBugs. Like the original, SpotBugs calls out warnings and developers can choose if they want to action them. SpotBugs lists both performance issues and Java code defects in the warnings section; as a result, not all warnings need to be changed. However, the tool does rank warnings into four categories to aid developers in their decision-making: "of concern," "troubling," "scary," and "scariest."
Checkstyle is another free, open source tool to check Java source code. The tool locates class design incompatibility, method design issues, and code layout and formatting mistakes. Checkstyle is found on Sourceforge and requires Java 1.8 to function. It is not backward compatible with older versions of Java.
To mitigate the limitations of a single code checking tool, Checkstyle is often combined with FindBugs and PMD for a more robust Java code review process.
SonarLint is another free open source Java code review tool that checks the code against standards to evaluate the code quality. This analyzer is adept at locating security vulnerabilities and provides reports to show duplicate code, complexity, and comparison with code standards. SonarQube is also versatile, offering compatibility with 26 programming languages other than Java.
SonarLint offers advanced user interface dashboards for ease of use and maintains records of code review analyses so developers can improve their Java code quality continuously.
The Graudit code review tool supports Java and other languages like Python, Perl, .NET, C, and PHP. It provides script and signature sets to help developers locate potential security vulnerabilities within Java code. In addition, the tool incorporates an extensive database of known flaws for comparison with the source code and calls out a positive match when the source code matches a database pattern. Graudit is found on Github and is maintained and updated regularly for maximum impact.
Graudit offers the ability for a user to add their database for analysis against the source code and compare multiple source code files at a time or just a single one. It is portable and flexible, offering a friendly user experience and lower technical and computational requirements than many other tools. This flexibility allows Graudit to run on most systems.
Snyk Code is a novel static Java code review tool that statistically analyzes Java source code for security vulnerabilities while the developer codes. This tool performs automated secure code reviews rapidly and reduces false positives in the process.
Snyk’s Static Application Security Test (SAST) tool is more efficient than other tools and uses semantic analysis to find more vulnerabilities sooner to accelerate code development. This enables development teams to shift security left without compromising on speed. Snyk also offers a free pricing option for teams looking to quickly and easily get started with SAST.
Austin based Biotechnology company Natera found that other SAST tools were limited by lengthy scan times and poor accuracy. Snyk Code, however, is designed to deliver efficient and actionable suggestions for vulnerability fixes as developers write code in their native interface prior to deployment.
“It was an easy decision to make. We looked at a few other tools, and I couldn’t find anything that gave us the same sort of scanning unless we had deployed or were in pre-deployment. There was just nothing that I could compare it to.”
Charlotte Townsley, Natera, Director, Security Engineering
Java is a critical and widely-used software development language. There are many options for Java code review tools, each with different specialties and strengths. The best way to significantly reduce review time is to implement a tool that leverages a comprehensive database of common code errors for comparison and uses a smart approach to optimize the review process.
Java code review tools FAQ
How do you review code in Java?
Like most coding languages, Java code can be reviewed first by a peer analysis and then a SAST analyzer. This combined approach ensures that the process scans the code for logic and intent and known errors and security threats. Java code reviews can be performed using existing open source static analysis tools. It is essential to know the types of mistakes potentially present in the source code (along with security vulnerabilities) to select the analyzer best suited to Java code. Once the analysis runs, the developer can review the output to determine which warnings to address and which to leave unchanged.
How do you automate java code reviews?
Once the Java code review team completes their work, the developer can send the code to an analysis platform for comparison with a known database of flaws. The Java automated code review tool also checks the source code for duplicate code and repeated flaws inherent in the script.
Visit our Security Resources page to learn about Snyk's options and tools to help developers create accurate, secure code. You can also try our free code checker tool, for a quick check on the security of your Java code.
How to find security vulnerabilities in source code
Learn tactical guidance for discovering and remediating source code vulnerabilities and the benefits of a SAST tool like Snyk Code.Keep reading