Java quality management with Sonar

Quality of software projects is a huge topic and most of the time is focused around management of the project: agile, change management, etc. An area of equal importance is code quality. For most programming languages a QM product is available. SAP with ABAP comes with code quality tools, and because Java has an enormous eco system, Java also does have a wide range of code quality tools available. From the several (commercial) tools available, let me show how an open source one can be used for SAP Java projects: Sonar.

Sonar is a server application that allows for a central code quality analysis. The primary focus is Java, several plugins exists that allow analyzing different languages. From the obvious ones like JSP and Javascript, ABAP is also available (commercial). With the main focus on Java, Sonar comes with Eclipse IDE plugins to really enable productivity for developers. How does Sonar look like?

Overview of one project

Drill down into a severity area

Drill down into source code

From an overview page a developer can drill down to the class to the actual source code where an issue is identified. As Sonar is a central server with permission control, a hierarchy and roles can be established like project owner, senior developer, developer, clients. Everybody can access the project and see or give feedback of the status and identified issues. Sonar can be used to established code guidelines in a project / company, help the developers to produce better and standardized code and used to show to the customer the quality of the code.

The analysis of the code can be done by looking at the plain source code and use rules to identify violations of pre-defined best practices or by a more advanced analysis of the binary code. For the later findbugs is used. This gives more control over possible bugs that normally only will be discovered during runtime. As runtime means that the project has to be deployed, started and executed, any bug found by findbugs helps saving time. To make findbugs work, Sonar has to know where to find all the classes referenced in the byte code. If the class files are not available, the analysis won’t be executed.

Run the analysis by using the source code on a PAR file for SAP Portal

Looks good, as no blocker or critical error is found. That code shouldn’t throw an exception when executed. Analyzing the same code with a different profile: findbugs.

Compared to the source code analysis, findbugs now shows 2 blockers and 2 critical bugs. Unlikely that the program won`t crash when executed.

To show what findbugs do I prepared a rather simple example. The code simply will do a cast that cannot work:

Findbugs is able to find this out and correctly report an impossible cast. It even shows what I try to do: cast from Integer to String. Depending where this kind of cast is hidden in the source code, maybe only a really profound testing would have shown the error, maybe only in production.

Web Dynpro Java

To see how findbugs works with Web Dynpro Java I wrote a really simple WDJ application. Web Dynpro Java program analyzed, only the source code:

The issues found are more or less caused by the code generator of WDJ.

Most of these issues can be resolved my naming variables, methods, etc differently and by SAP looking at the code generator. Now with findbugs:

The dead store issue may or not be an error of the developer (or javac). Because I prepared the code, I know that the error stems from a coding error. In the view a value node with cardinality 0..n was created. Without initialization of the node this throws a NullPointerException during runtime. Changing the cardinality to 1..n and running Sonar again:

In that case, Sonar helped to identify an error that only can be discovered after deploying the WDJ application. As that kind of error immediately occurs when the user is accessing the view and thus ending the test case, Sonar helps to resolve these kinds of errors faster.

Sonar is for Java, but SAP interpreted Java sometimes in an interesting way; think of Web Dynpro Java. As shown, Sonar can be used to analyze all kinds of SAP Java projects. WDJ produces in the end . java and .class files, portal applications are Java projects and so is the rest of Java projects (like PI). While ABAP comes with a code inspector (you are using, right?), there is no such solution from SAP for Java. If you want to get started with code quality management in Java for SAP, there are several solutions for Java available. To get started you can try Sonar.

What is needed are accelerators, guidelines and plugins from SAP for their specific Java project types. That would really make a difference for Java developers.