Is SonarQube a Replacement for Checkstyle, PMD, FindBugs?


Solution 1

Sonar will run CheckStyle, FindBugs and PMD, as well as a few other "plugins" such as Cobertura (code coverage) by default for Java projects. The main added value, however, is that it stores the history in a database. You can then see the trend. Are you improving the code base or are you doing the opposite? Only a tool with memory can tell you that.

You should run Sonar in your CI system so that even things that take some time to execute (such as CPD – copy paste detector) can run. And you'll have your history. Whereas with an Eclipse plugin, for example, you'll detect violations sooner – which is great – but you will be tempted to run it less often if it starts taking too long, or run fewer "quality plugins" (such as skipping CPD or skipping code coverage analysis). And you won't have history.

Also, Sonar generates visual reports, "Dashboard" style. Which makes it very easy to grasp. With Sonar in Jenkins, you'll be able to show developers and your management the effects of the work that was performed on the quality of the code base over the last few weeks and months.

Solution 2

Sonar uses these 3 tools as plugins and aggregates the data from all three, giving additional value by showing graphs and such from these tools. So they are complementary to Sonar.

Solution 3

Yes and no. In addition to the other answers.

SonarQube is currently on the way to deprecating PMD, Checkstyle and Findbugs and using their own technology to analyze Java code (called SonarJava). They do it because they don't want to spend their time fixing, upgrading (or waiting on) those libraries (e.g. for Java 8), which for example use outdated libraries.

They also got a new set of plugins for your personal IDE called SonarLint.

Solution 4

Sonar is great, but if you want to use the mentioned tools separately and still have nice graphs, you can use the Analysis Collector Plugin as part of your Jenkins CI build. A slight advantage of this is that you can check in your PMD/Findbugs/Checkstyle configuration into your SCM and have it integrated into your Maven build, rather than relying on a separate Sonar server.
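A sketch of the Maven side of that setup, added here as an illustration and not part of the original answer: each tool reads a rule file checked into SCM and its `check` goal fails the build in the `verify` phase. SpotBugs is used as the maintained successor to FindBugs; the `config/` paths and the version properties are assumed placeholders, and the files they name must exist in the project.

```xml
<!-- Added example: place inside <build><plugins> of pom.xml.
     ${...version} properties and config/ paths are placeholders to define yourself. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-checkstyle-plugin</artifactId>
  <version>${checkstyle.plugin.version}</version> <!-- pin to a vetted release -->
  <configuration>
    <configLocation>config/checkstyle.xml</configLocation> <!-- rule file kept in SCM -->
    <violationSeverity>warning</violationSeverity> <!-- warnings also break the build -->
    <failOnViolation>true</failOnViolation>
  </configuration>
  <executions>
    <execution><goals><goal>check</goal></goals></execution>
  </executions>
</plugin>
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-pmd-plugin</artifactId>
  <version>${pmd.plugin.version}</version>
  <configuration>
    <rulesets>
      <ruleset>config/pmd-ruleset.xml</ruleset> <!-- custom ruleset kept in SCM -->
    </rulesets>
    <printFailingErrors>true</printFailingErrors> <!-- show violations in the CI log -->
    <failOnViolation>true</failOnViolation>
  </configuration>
  <executions>
    <!-- check runs the PMD rules, cpd-check runs the copy-paste detector -->
    <execution><goals><goal>check</goal><goal>cpd-check</goal></goals></execution>
  </executions>
</plugin>
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>${spotbugs.plugin.version}</version>
  <configuration>
    <effort>Max</effort>
    <threshold>Low</threshold> <!-- report findings of every confidence level -->
    <excludeFilterFile>config/spotbugs-exclude.xml</excludeFilterFile> <!-- reviewed suppressions -->
    <failOnError>true</failOnError>
  </configuration>
  <executions>
    <execution><goals><goal>check</goal></goals></execution>
  </executions>
</plugin>
```

With this in place, `mvn verify` applies the same rules on a developer machine and in Jenkins, and any change to a rule file or suppression shows up in code review.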

Solution 5

... a few years later: no, it is not! SonarQube is supposed to be able to cover all the rules with its own analyzer, but there are still rules from PMD or CheckStyle not covered by SonarQube. See for example: PMD ReturnFromFinallyBlock.

Author: Johnny

Updated on July 08, 2022

Comments

  • Johnny
    Johnny almost 2 years

    We are working on a web project from scratch and are looking at the following static code analysis tools.

    • Conventions (Checkstyle)
    • Bad practices (PMD)
    • Potential bugs (FindBugs)

    The project is built on Maven. Instead of using multiple tools for the purpose, I was looking at a single flexible solution and came across SonarQube.

    Is it true that we can achieve the results from Checkstyle, PMD and Findbugs with SonarQube?

  • haylem
    haylem over 10 years
    While this was true up to version 3.x, Sonar 4.x is moving away from using at least PMD and CheckStyle in favor of its own internal Squid analyzer, because it gives them more freedom to extend the ruleset and fix issues that have been plaguing these projects for a while. For instance, they've already deprecated more than 150 PMD rules, and will eventually remove it entirely.
  • Jhack
    Jhack over 9 years
    Interesting post about the reason they deprecated those rules: sonarqube.org/… .
  • user7294900
    user7294900 over 5 years
    It also seems to be missing the PMD violation: Use explicit scoping instead of the default package private level?
  • Christian Hujer
    Christian Hujer over 4 years
    I agree with these benefits in the context of brown-field projects. Greenfield projects with zero-defect policies do not need that memory. Just keep your code base clean 100% all the time.
  • Petr Bodnár
    Petr Bodnár about 4 years
    Nope. The rules are named differently, but they are present: Jump statements should not occur in "finally" blocks and Member variable visibility should be specified.
  • Christophe Roussy
    Christophe Roussy about 3 years
    You can also run SpotBugs and co from Maven and even tell it to fail the build if there are errors (or more than N errors ...).
  • HellishHeat
    HellishHeat over 2 years
    @haylem, do you have a reference for this, e.g. a link that I can use to find this information?