Scan2Fix4Java product
Scan2FixJava the java source code analyzer
Cart
product
(empty)
Categories
Fonctionalities
- analysis of java source code
- detects violation of developpement rules, respect of security rules (local to 1 file, and for the entiere application)
- autonomous tool
Integration in development and production environments
- Sonar provides a multi views dashboard :
- continous integration (jenkins for ex)
- source code + unit test (Sonar and Scan2Fix 4CSharp or 4Php or 4VB6 or 4Java)
- production supervision (IIS logs Scan2Fix4Iis, Windows Stack trace Scan2Fix4Stt)
- web site qualityaudit (Scan2Fix4Aspx)
- Sonar Web Server is accessible for all technical actors (developers, project managers, Web integrators, production)
- Generation of static Html reports : standalone and publishable
Quick and simple installation
- during the command process, provide the sonar server hostname
- install a java jre
- install maven 2 or 3
- install Sonar (any version)
- copy the plugin (the download link is provided during the commande process) in SONAR_HOME/extensions/plugins
- restart the Sonar server
- under admin / Profiles, activate all the rules in the profile "Default Java Profile")
- start a Java scan and the violations appear in the Sonar dashboard
Example of pom.xml file
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <groupId>com.qualitesys.wsqualitychecker</groupId>
- <artifactId>tfs_MEL_2012_06_19_java</artifactId>
- <version>2012_06_19_01</version>
- <name>tfs_MEL_2012_06_19_java</name>
- <properties>
- <sonar.language>java</sonar.language>
- <sonar.global>true</sonar.global>
- </properties>
- <pluginRepositories>
- <pluginRepository>
- <id>QualityChecker remote repository</id>
- <url>http://www.qualitesys.com/mavenrepository/</url>
- </pluginRepository>
- </pluginRepositories>
- <build>
- <!-- OBLIGATOIRE -->
- <sourceDirectory>C:your_dir_to_source_code</sourceDirectory>
- <plugins>
- <plugin>
- <groupId>com.qualitesys.maven.plugins</groupId>
- <artifactId>qcr-maven-plugin</artifactId>
- <executions>
- <execution>
- <id>PhaseCleanGoalqcrgoalclean</id>
- <phase>clean</phase>
- <goals>
- <goal>qcrgoalclean</goal>
- </goals>
- </execution>
- <execution>
- <id>PhaseCompileGoalqcrgoalcompile</id>
- <phase>compile</phase>
- <goals>
- <goal>qcrgoalcompile</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-site-plugin</artifactId>
- <version>3.0-beta-3</version>
- <configuration>
- <reportPlugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-project-info-reports-plugin</artifactId>
- <version>2.2</version>
- </plugin>
- <plugin>
- <groupId>com.qualitesys.maven.plugins</groupId>
- <artifactId>qcr-maven-plugin</artifactId>
- </plugin>
- </reportPlugins>
- </configuration>
- </plugin>
- </plugins>
- </build>
</project>
Example with Maven only
Nota : the plugin for Sonar is not required. Usage is limited to 5 days.
mvn clean compile site
Maven will generate the static Web site under target/site/index.html
Example with Maven and Sonar
Nota : the plugin for Sonar is not required. It is provided at the validation step of the command process or on explicit request (contact@qualitesys.com).
mvn clean qcr:qcrgoalclean qcr:qcrgoalcompile compile sonar:sonar
Violations dictionary
| Id | Priority | Description |
|---|---|---|
| QC-JAVCWE078 | BLOCKER | Potential OS command injection |
| QC-JAVCWE080 | BLOCKER | Potential Basic XSS |
| QC-JAVCWE089 | BLOCKER | Potential SQL Injection |
| QC-JAVCWE369 | BLOCKER | Division by ZERO |
| QC-JAVCWE412 | BLOCKER | Unrestricted lock of critical ressource, deadlock |
| QC-JAVCWE470 | BLOCKER | Use of externally-controlled (unsafe reflection) |
| QC-JAVCWE572 | BLOCKER | Call to Thread run() instead of start() |
| QC-JAV999999 | BLOCKER | Syntax analysis failure on the source code |
| QC-JAVCWE096 | CRITICAL | Insufficient control of directives in statically saved code |
| QC-JAVCWE476 | CRITICAL | Null pointer reference |
| QC-JAVCWE484 | CRITICAL | Omitted Break Statement in Switch |
| QC-JAVCWE570 | CRITICAL | Condition NEVER true |
| QC-JAVCWE616 | CRITICAL | Incomplete identification of uploaded file |
| QC-JAVCWE190 | MAJOR | Overflow |
| QC-JAVCWE390 | MAJOR | Detection of error condition without action |
| QC-JAVCWE392 | MAJOR | Failure to report error in status code |
| QC-JAVCWE481 | MAJOR | Assigning instead of comparing |
| QC-JAVCWE493 | MAJOR | Critical public variable without final modifier |
| QC-JAVCWE584 | MAJOR | Return inside finally block |
| QC-JAV000001 | MAJOR | Instance is created within a loop, huge performance impact |
| QC-JAVCWE252 | MINOR | Return type of function is not tested |
| QC-JAVCWE500 | MINOR | Static public field not marked final |
| QC-JAVCWE582 | MINOR | Array declared public, final and static |
| QC-JAVCWE585 | MINOR | The software contains an empty synchronized block |
| QC-JAVCWE626 | MINOR | Null byte interaction error |
| QC-JAVCWE627 | MINOR | Dynamic variable evaluation for variable |
| QC-JAV999996 | INFO | Local Cut and Paste Detector in single file |
Example of Open Source projects
The H2 project
Url home page : www.h2database.com
Result of the analysis of the java code : site.rar
The Jenkins project
Url home page : jenkins-ci.org
Result of the analysis of the java code : site.rar
- Sonar compatibility Sonar 3.0 to 4.1.2
- Maven compatibility maven 2&3
* required fields