Introducing DeepSource for Java

Find and fix 170+ issues in your Java code. Currently in beta.

  • By Raghav
  • Product
  • Releases
Last updated Dec 12, 2020

Java needs no introduction. It has been used worldwide by a majority of software engineers for a number of decades. As with all accessible languages, it's easy to make mistakes — even with experience — and mistakes cost time that could have been better spent.

Java has also been one of the most widely requested languages for DeepSource, and it gives me great pleasure to announce the beta version of the Java analyzer. If you're using DeepSource to run continuous static analysis on your code, you can start using the analyzer in your projects right away.

Why should you care?

The ecosystem around the Java programming language is rich and mature, and the community has built a number of static analysis tools, such as SpotBugs and Error Prone, among others. So why are we asking you to use DeepSource?

DeepSource builds on the innovation already done by the community and makes the results of static analysis more accessible and actionable to you. We guarantee a false-positive rate of less than 5% in reported issues, help you run analysis continuously on every commit and pull request with almost zero configuration, and make the overall experience of finding and fixing quality issues in your code more enjoyable.

In the beta release, the Java analyzer detects 170+ different types of issues including performance bugs, security risks, bug risks, and anti-patterns. This initial release brings support for Gradle Java projects. Just specify the Java version that your project uses when configuring the analyzer and you're good to go. It's really as simple as that!

We're adding support for Android and Maven soon, so keep an eye out! In addition, we are working on bringing Autofix support to the Java analyzer. This will let you fix reported bugs without writing a single line of code. Isn't that exciting? ✨

Some issues detected by the Java analyzer

At the time this post was written, the Java analyzer can detect 173 different issues spanning performance issues, security issues, potential (or definite) bugs, and anti-patterns. These issues are sourced from the popular SpotBugs tool. Here are a few examples:

  • Values that are guaranteed to be dereferenced while null
  • Nullable values that are used in a way that requires them to be non-null
  • Ignoring the return value of a function with a non-void return type
  • Self-assignment to a local variable instead of a field
  • Using Map.keySet() where Map.entrySet() could have been used
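
The five patterns in the list above, each shown next to a corrected form. This is an added illustration, not code from DeepSource or SpotBugs; the class, method names and sample data are hypothetical and constructed for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Constructed example; all names are hypothetical.
public class ListedPatterns {
    private int retries;

    // Self-assignment to a local variable instead of a field: the parameter
    // shadows the field, so the field is never updated.
    void setRetriesBefore(int retries) { retries = retries; }
    void setRetriesAfter(int retries) { this.retries = retries; }

    // Ignored return value of a non-void method: String is immutable,
    // so trim() has no effect unless its result is used.
    static String normalizeBefore(String s) { s.trim(); return s; }
    static String normalizeAfter(String s) { return s.trim(); }

    // Value guaranteed to be dereferenced while null: the branch is only
    // entered when name is null, so the call always throws.
    static int lengthBefore(String name) {
        if (name == null) { return name.length(); }
        return name.length();
    }
    static int lengthAfter(String name) { return name == null ? 0 : name.length(); }

    // Nullable value used where non-null is required: Map.get() returns null
    // for a missing key, and unboxing null throws NullPointerException.
    static int countBefore(Map<String, Integer> m, String k) { return m.get(k); }
    static int countAfter(Map<String, Integer> m, String k) { return m.getOrDefault(k, 0); }

    // keySet() plus get() performs a second lookup per key; entrySet() does not.
    static int sumBefore(Map<String, Integer> m) {
        int total = 0;
        for (String k : m.keySet()) { total += m.get(k); }
        return total;
    }
    static int sumAfter(Map<String, Integer> m) {
        int total = 0;
        for (Map.Entry<String, Integer> e : m.entrySet()) { total += e.getValue(); }
        return total;
    }

    public static void main(String[] args) {
        Map<String, Integer> hits = new LinkedHashMap<>(); // constructed sample data
        hits.put("login", 3);
        hits.put("logout", 2);
        System.out.println(sumAfter(hits) + " " + countAfter(hits, "signup"));
        System.out.println("[" + normalizeAfter("  admin ") + "]");
    }
}
```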

How to use the Java analyzer?

You can begin using the Java analyzer by adding an entry to the [[analyzers]] table in the .deepsource.toml file for your repo. Alternatively, just activate your Java repo from the DeepSource repository dashboard after using the configuration generator. Head over to the docs for a full list of configuration options available.

Sample configuration

version = 1

[[analyzers]]
name = "java"
enabled = true

  [analyzers.meta]
  runtime_version = "11"

Give it a try and tell us what you think over on Twitter! If you have any questions, you can always reach out to us on the discuss forum or the DeepSource Users group. The DeepSource Java analyzer guarantees a false positive rate of less than 5%. If you ever find a false positive in an issue detected by the analyzer, please make sure to report it. We'll resolve it within the next 72 hours.

Ship clean and secure code.