
Java Static Code Analysis: A Developer's Guide

A practical guide to static code analysis for Java — the leading tools, common vulnerability patterns detected, and how to build analysis into your Maven or Gradle build.

By the Hyrax team·5 min read·May 1, 2026
TL;DR

  1. Java and Static Analysis
  2. Key Java Static Analysis Tools
  3. Common Issues Detected
  4. Running Static Analysis
  5. Connection to Autonomous Code Governance

Java and Static Analysis

Java has one of the richest static analysis ecosystems of any language. As a statically typed, compiled language, Java's type system provides a foundation that static analysis tools can build on — enabling deep analysis of null safety, concurrency, and security vulnerabilities with high accuracy.

Java's prevalence in enterprise applications, financial systems, and Android development makes security analysis especially critical. Many of the most significant enterprise application vulnerabilities — SQL injection, deserialization attacks, XXE — have well-defined detection patterns in Java static analysis tools.

Key Java Static Analysis Tools

SpotBugs (formerly FindBugs)

The most widely used Java static analysis tool. Detects bug patterns including null pointer dereferences, concurrency issues, bad practices, and security vulnerabilities. The FindSecBugs plugin extends SpotBugs with security-specific rules for OWASP Top 10 vulnerabilities. Essential for any Java security workflow.

PMD

Analyzes Java (and other JVM languages) for code style, design issues, and best practice violations. PMD's CPD (Copy-Paste Detector) identifies code duplication. Strong rule set for complexity, naming, and unnecessary code.

Checkstyle

Focuses on code style and formatting consistency. Enforces Google Java Style Guide or Sun Code Conventions. Less about bugs, more about code uniformity. Best run alongside SpotBugs and PMD.

SonarQube / SonarLint

A comprehensive platform that aggregates multiple analysis approaches and provides a dashboard view of code quality and security. SonarQube runs server-side for CI/CD; SonarLint is the IDE plugin. SonarQube's "Security Hotspots" surface patterns that need manual review even when they cannot be definitively classified as vulnerabilities.

Error Prone

Google's Java compiler plugin that detects common errors at compile time. Unlike post-compilation tools, Error Prone runs as part of the compilation step. Detects issues like equals/hashCode contract violations, boxing issues, and common API misuse patterns.

Common Issues Detected

  • Null pointer dereferences (NPE risks)
  • SQL injection via string concatenation
  • Deserialization of untrusted data
  • XXE (XML External Entity) injection
  • Path traversal vulnerabilities
  • Hardcoded credentials and secrets
  • Weak cryptographic algorithms (MD5, SHA1, DES)
  • Concurrency issues: double-checked locking, unsynchronized access to shared state
  • Resource leaks: streams, connections, and other Closeable objects not properly closed
  • EJB and Spring-specific anti-patterns

Running Static Analysis

Maven integration:

  1. Add SpotBugs Maven Plugin: mvn spotbugs:check
  2. Add FindSecBugs plugin to SpotBugs configuration
  3. Add PMD Maven Plugin: mvn pmd:check
  4. Configure Checkstyle: mvn checkstyle:check
  5. Set <failOnError>true</failOnError> to fail builds on findings

Gradle integration: apply the SpotBugs Gradle Plugin, PMD plugin, and Checkstyle plugin in build.gradle. Configure findbugsMain and findbugsTest tasks.

Connection to Autonomous Code Governance

Java's strong type system makes autonomous remediation highly accurate. When SpotBugs or FindSecBugs identifies a SQL injection pattern, the type information in the AST provides clear context for generating a correct parameterized query fix. Hyrax integrates Java static analysis findings — from SpotBugs, PMD, and SonarQube — into its remediation pipeline, generating fixes that are verified to compile, pass existing tests, and resolve the finding.

Frequently Asked Questions

What is the difference between SpotBugs and PMD?

SpotBugs analyzes Java bytecode (the compiled class files) to detect bug patterns, including concurrency issues and security vulnerabilities that require understanding of object lifetimes. PMD analyzes Java source code for style violations, design issues, and unnecessary complexity. They are complementary and most Java projects run both.

What is FindSecBugs?

FindSecBugs is a SpotBugs plugin that adds security-specific rules covering OWASP Top 10 vulnerabilities in Java: SQL injection, XSS, insecure deserialization, XXE, SSRF, command injection, and more. It is a standard addition to any Java security analysis pipeline.

How do I fix a Java SQL injection finding?

Replace string concatenation for SQL queries with PreparedStatements (JDBC) or parameterized queries (JPA/Hibernate named parameters). Never concatenate user input into SQL strings. FindSecBugs and SpotBugs will flag the injection pattern; the fix is to use the parameterized API instead.

What is a Java deserialization vulnerability?

Java's native serialization mechanism (ObjectInputStream.readObject) can be exploited to execute arbitrary code when deserializing untrusted data. This is one of the most serious Java vulnerability classes (exploited by the Apache Commons Collections gadget chains). Static analysis detects ObjectInputStream usage with unsanitized input; the fix is to use a safe deserialization alternative or allowlist deserialization.
