Since I wrote a review of JTest, I decided to do a review of the other commercial product I tried in the Java static analysis family – Klocwork
Installation
I ran into some trouble installing the trial Eclipse plugin. I saw a zip file to use instead of the update site. I then unzipped it rather than pointing to it as a local install. Which appears to work – you see klockwork show up in the Eclipse preferences, but get an error when trying to actually use it.
This gave me the opportunity to deal with their tech support. Which was very good – they identified the problem correctly and told me to re-install properly.
Trial limitations
The trial limits you to scanning 300 files at a time. This is perfectly reasonable – I can’t think of a reason you’d need to do more than that to see if you like a product. I wanted to scan the same files as I had with JTest to compare output.
Since our product has more than 300 files, I thought I would just pick a few packages or classes with known issues. I then learned they mean you can’t scan a project with more than 300 files rather than that you can’t scan more than 300 files. Okay. I used an Eclipse refactoring to move a bunch of packages to another project. I’m not sure what this accomplished via the limit in the trial. I was still able to scan everything.
The actual rules
In addition to the common static analysis rules (null ahndling, return values), some more interesting rules jumped out at me. These include:
- Log forging – unvalidated input going into a log allows attacker to influence what logged
- If statement always evaluates to true/false – I like this was in the default rule configuration.
- Unchecked user input used in SQL query. – It’s not user input in our case, but a very good check to get you to manually review the code.
Summary
I also liked the minimizing of false positives. Aside from my installation difficulties, I was very happy with the experience.