Thursday, February 24, 2011

Findbugs

Findbugs is a static code analysis tool that has been around for a while. It finds bugs in Java programs by looking for instances of "bug patterns", i.e. code instances that are likely to be errors. Before I go into the details of Findbugs, let me go over what a static analysis tool is.

Static code analysis is the process of finding programming errors and bugs that were introduced during development, without executing the code. It also helps to check whether code adheres to best practices and coding standards. Not every bug found during analysis needs to be fixed.

Static code analysis is not a replacement for any form of testing. It needs to be performed by developers during the development process, so that fewer bugs are encountered during actual testing, thus lowering the overall application development cost.

Used effectively, static analysis is cheaper than other techniques for catching the same bugs. Analyzing code early in the development cycle saves a lot of time by identifying potential problems and fixing them early, rather than finding them at later stages.

You can find detailed installation steps in the Findbugs manual. I have tried to keep the steps for installing and running Findbugs short and easy to follow.

Prerequisite
To use Findbugs, you need JDK 1.5.0 or later. Findbugs is platform independent, and is known to run on GNU/Linux, Windows, and MacOS X platforms.

Download and install Apache Ant if you do not already have it installed on your system. You can find Ant installation steps here. Also make sure you have set JAVA_HOME and ANT_HOME.

You should have at least 512 MB of memory to use Findbugs. To analyze very large projects, more memory may be needed.

Installing Findbugs
Download a binary distribution, available in gzipped tar format and zip format. Once you have downloaded a binary distribution, extract it into a directory of your choice.

For example, C:\Findbugs-1.3.9. This directory is the Findbugs home directory.

Executing Findbugs
To start the Findbugs GUI, go to C:\Findbugs-1.3.9\bin and run Findbugs.bat. You should also be able to start the Findbugs GUI by double-clicking C:\Findbugs-1.3.9\lib\Findbugs.jar.

The Findbugs GUI looks as shown below:


Using Findbugs UI
1. Creating a Project
After you have started Findbugs using the Findbugs command, choose the File → New Project menu item. You will see a dialog which looks like this:


Use the "Add" button next to the "Class archives and directories to analyze" text field to select a Java archive file (zip, jar, ear, or war file) or directory containing java classes to analyze for bugs. You may add multiple archives/directories.
You can also add the source directories which contain the source code for the Java archives you are analyzing. This will enable Findbugs to highlight the source code which contains a possible error. The source directories you add should be the roots of the Java package hierarchy. For example, if your application is contained in the org.foobar.myapp package, you should add the parent directory of the org directory to the source directory list for the project.
Another optional step is to add additional Jar files or directories as "Auxiliary classpath locations" entries. You should do this if the archives and directories you are analyzing have references to other classes which are not included in the analyzed archives/directories and are not in the standard runtime classpath. Some of the bug pattern detectors in Findbugs make use of class hierarchy information, so you will get more accurate results if the entire class hierarchy is available when Findbugs performs its analysis.
2. Running the Analysis
Once you have added all of the archives, directories, and source directories, click the "Finish" button to analyze the classes contained in the Jar files. Note that for a very large program on an older computer, this may take quite a while.
3. Browsing Results
When the analysis completes, you will see a screen like the following:


The upper left-hand pane of the window shows the bug tree; this is a hierarchical representation of all of the potential bugs detected in the analyzed Jar files.
When you select a particular bug instance in the top pane, you will see a description of the bug in the "Details" tab of the bottom pane. In addition, the source code pane on the upper-right will show the program source code where the potential bug occurs, if source is available. In the above example, the bug is a stream object that is not closed. The source code window highlights the line where the stream object is created.
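The unclosed-stream finding described above, as an added example that is not part of the original post: a method that opens a stream and never closes it (the kind of code the Findbugs OS_OPEN_STREAM bug pattern targets), next to a corrected version. The class and method names are hypothetical, and try/finally is used so the code compiles on JDK 1.5.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;

// Hypothetical demo class; names are illustrative, not from the post.
public class StreamCloseExample {

    // Flagged form: the reader is never closed on any path, so each call
    // leaks a file handle. Under load this can exhaust descriptors.
    static String firstLineLeaky(File f) throws IOException {
        BufferedReader in = new BufferedReader(new FileReader(f)); // stream created here
        return in.readLine(); // returns (or throws) without close()
    }

    // Corrected form: close() runs on both the normal and exceptional path.
    static String firstLineClosed(File f) throws IOException {
        BufferedReader in = new BufferedReader(new FileReader(f));
        try {
            return in.readLine();
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input so the example runs offline.
        File f = File.createTempFile("findbugs-demo", ".txt");
        f.deleteOnExit();
        FileWriter w = new FileWriter(f);
        try {
            w.write("first line\nsecond line\n");
        } finally {
            w.close();
        }
        System.out.println(firstLineLeaky(f));
        System.out.println(firstLineClosed(f));
    }
}
```

Compile the class and add the directory containing StreamCloseExample.class to the project as described in "Creating a Project" to see how the two methods are treated.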
You may add textual annotations to bug instances. To do so, type them into the text box just below the hierarchical view. You can type any information which you would like to record. When you load and save bug results files, the annotations are preserved.
4. Saving and Opening
You may use the File → Save as... menu option to save your work. To save your work, including the jar file lists you specified and all bug results, choose "Findbugs analysis results (.xml)" from the drop-down list in the "Save as..." dialog. There are also options for saving just the jar file lists ("Findbugs project file (.fbp)") or just the results ("Findbugs analysis file (.fba)"). A saved file may be loaded with the File → Open... menu option.
I hope you find this post helpful. I will be editing this post to add steps to run Findbugs from the command prompt and to configure the Findbugs plug-in in Eclipse.