Java static analysis

Java L1 uses three complementary skills from style through bytecode semantics.

Skill	Axis	One-liner
checkstyle	Style	Layout + naming (Google Java Style / Sun)
pmd	Rules	Suspicious patterns (dead code, complexity, bad catches)
spotbugs	Bytecode bugs	JVM-level defects + FindSecBugs

checkstyle

Role: Java style & convention enforcement.

Area	Examples
Naming	Classes PascalCase, methods camelCase, constants UPPER_SNAKE
Layout	Indentation, whitespace, brace placement
Imports	Order, groups, no star imports
Javadoc	Public API coverage
Size	Line length ≤120, method length caps

Common configs: Google Java Style, Sun conventions, corporate custom via standards-converter.

Triggers: “Java style check”, “run checkstyle”, “Google Java Style”

Role: Suspicious constructs—not syntax failures, usually bug incubators.

Theme	Examples
Dead code	Unreachable branches, unused vars
Complexity	High cyclomatic depth, nesting
Exception smells	Empty `catch (Exception)` blocks
Concurrency misuses	Legacy `Vector`/`Hashtable` traps
Security smells	Dangerous reflection, missing SecurityManager configs

Rule packs: basic, codesize, design, naming, optimizations, strictexception, …

Triggers: “code smells”, “PMD scan”, “cyclomatic complexity”

Role: Bytecode-level bug detection—sees what the compiler actually emits.

Area	Examples
Null derefs	Reachable NPE paths
Resource hygiene	Streams / JDBC left open
Concurrency bugs	Unsafe static mutation
Serialization pitfalls	Non-serializable fields
OWASP	FindSecBugs (SQLi / XSS / SSRF hints)

pmd vs spotbugs

Aspect	pmd	spotbugs
IR	Source AST	Bytecode
Strength	Lint-level smells	Deeper correctness + security

Triggers: “Java defect scan”, “spotbugs”, “FindSecBugs security”

checkstyle   → style baseline
pmd          → smell detection
spotbugs     → bytecode + security

Feeds unified CodeEvidence into code-review.

Use standards-converter to turn “enterprise coding standard.md” into checkstyle.xml, pmd-ruleset.xml, spotbugs filters.