Table Of Contents
Code Quality
The Tools
Spotless
SpotBugs
PMD
Putting It Together
Links
The best tool for the job isn’t always the best tool you have available.
Engineering teams are often have the build vs. buy conversation. Do we want to “buy” an off-the-shelf tool to solve our problem or do we want to build it in-house? The conversation is usually for complex engineering solutions, but this time we’re talking about code quality tools.
Code Quality
I think code quality is more about standardizing practices across a team than writing “clean code”. Everyone has their own conceptions of best practices, so using code quality tools like linters, and static analysis tools standardize practices across teams. Even better, they can be integrated to the pull request, and CI/CD process to automate the practice of “code quality” – letting developers focus on reviewing the business logic of code changes.
You get a few benefits of integrating automated code quality tools in your projects:
Standardized (and automated) best practices
Easier onboarding of new team members coming from different tech stacks
Evangelize good practices across the codebase
The Tools
SonarQube is one of the most common off-the-shelf code quality solutions, but I’m going to highlight 3 open source java plugins for “good enough” code quality in your Java projects: Spotless, SpotBugs, and PMD
Spotless
Spotless is an open-source, multi-language, customizable code formatter for projects.
It comes with a Maven Plugin that can be customized as needed.
Here’s an example of what it would look like. Spotless comes with some built-in formats. In this example, we specify we want to use Palantir’s Java formatting rules:
<!– https://github.com/diffplug/spotless –>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<version>${spotless.version}</version>
<configuration>
<java>
<!– Tell Spotless to Use Palantir’s Custom Java Format–>
<palantirJavaFormat>
<version>2.39.0</version>
<!– optional –>
<style>PALANTIR</style>
<!– or AOSP/GOOGLE (optional) –>
<formatJavadoc>false</formatJavadoc>
<!– defaults to false (optional, requires at least Palantir 2.39.0) –>
</palantirJavaFormat>
</java>
</configuration>
</plugin>
Once the plugin is added to the pom, you can check for formatting issues with:
Or format your code with:
SpotBugs
SpotBugs is an open source static anlysis tool. “SpotBugs uses static analysis to inspect Java bytecode for occurrences of bug patterns.” This means that SpotBugs runs against the compiled source source code, rather than raw Java files. Because it analyses bytecode, it can catch some types of bugs that source code analysis would not catch.
SpotBugs provides a maven plugin for easy usage. Here’s what it would look like in a pom.xml:
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>4.8.4.0</version>
<configuration>
<plugins>
<plugin>
<groupId>com.h3xstream.findsecbugs</groupId>
<artifactId>findsecbugs-plugin</artifactId>
<version>1.12.0</version>
</plugin>
</plugins>
</configuration>
</plugin>
Once added, you can run SpotBugs from the command line. I’ve include mvn clean compile because you want to ensure you’ve compiled the latest version of your code.
It also comes with a nice GUI if you want an easy way to know which classes have issues.
mvn clean compile spotbugs:spotbugs
mvn clean compile spotbugs:check
If you want to suppress a SpotBugs Warning, you can use the @SuppressFBWarnings annotation with the SpotBugs errors as a parameter(s)
public class MyClassWithSpotBugsWarnings {
// …
}
SpotBugs will not automatically fix any errors it finds. It’s up to the developer to decide if it’s findings warrant code changes.
PMD
PMD is a source code static analysis tool. It inspects your Java files for any issues, and has a configurable set of rules
to look at.
PMD provides a maven plugin to easily setup rules you care about. Here’s what it
would look like in a pom.xml
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.22.0</version>
<!– Link to a custom ruleset file for rules we care about –>
<configuration>
<rulesets>
<ruleset>src/main/resources/pmd/custom-ruleset.xml</ruleset>
</rulesets>
<excludes>
<exclude>**/test/**</exclude>
</excludes>
</configuration>
</plugin>
You can find a list of availble rules on the docs site and include/exclude them as needed.
Once added to the pom.xml, you can run PMD:
mvn pmd:pmd
mvn pmd:check
If you want to suppress a PMD violation you can do it like so:
public class MyClassWithPMDViolations {
// Your code here
}
Like SpotBugs, PMD will not automatically fix issues. It’s up to the developer to decide if violations warrant changes, or ignore them.
Putting it together
Together these tools give you linting and static analysis that you can customize to your needs.
If you want to see a sample of them in action, you can find a sample maven project I made, complete with fully configured pom.xml file here:
https://github.com/jpowell96/j-codequality-starter
Links
Sample Project
Spotless Github
SpotBugs Main Page
SpotBugs Maven Plugin Docs
PMD Main Page
PMD Java Rules
PMD Maven Plugin Docs