Static Code Analysis Plug-ins

New homepage
The static code analysis plug-ins are being maintained by their owner from a new home. The plug-ins are still compatible with Hudson; however, the entry points for documentation and issue reporting have been combined in order to provide a single point of entry.


Plugin Information

Plugin ID: analysis-core
Latest Release: 1.49-h-1
Latest Release Date: Mar 5, 2013
Sources: Github
Support: Eclipse Hudson Forum
Issue Tracking: Eclipse Bugzilla

This plug-in provides utilities for the static code analysis plug-ins. Hudson understands the result files of several static code analysis tools. For each result file a different plug-in is used for configuration and parsing. Since these results are visualized by the same back-end, the description of this back-end is combined in this section. The following plug-ins use the same visualization:

Installation Requirements
All these plug-ins require this utility plug-in "analysis-core" (called "Static Code Analysis Plugins" in the update manager) as dependency. Please ensure that the latest version of this utility plug-in is also installed.

Additionally, the add-on plug-in Static Analysis Collector is available; it combines the individual results of these plug-ins into a single trend graph and view.

The following features are provided by these plug-ins:

  • Build summary showing the new and fixed warnings of a build
  • Several trend reports showing the number of warnings per build
  • Several portlets for the Hudson dashboard view
  • Overview of the found warnings per module, package, category, or type
  • Detail reports of the found warnings optionally filtered by severity (or new and fixed)
  • Colored HTML display of the corresponding source file and warning lines
  • Several failure thresholds to mark a build as unstable or failed
  • Configurable project health support
  • Highscore computation for builds without warnings and successful builds
  • Works with the freestyle and native m2 build option of Hudson
  • Remote API to export the build quality and found warnings

You can see these plug-ins in action in the public Hudson instance of the analysis plug-ins.

Trend Graphs

There are several trend graphs available for the plug-ins. Currently, you can select one of the following trend graphs for a job:

  • Total warnings per build including the distribution of the priorities low, normal, and high in different colors.
  • Total warnings per build showing how many warnings are below (blue), in between (yellow), or above (red) the build health thresholds.
  • New and fixed warnings per build, fixed in blue, and new in red.
  • Difference between new and fixed warnings per build (cumulative).

You can adjust the size of the graph and the number of builds to include. These graphs can be configured globally for a job and can be changed by each user.

Portlets for the dashboard view

The following portlets for the dashboard view are available:

  • The number of warnings per project (total, priority high, priority normal, priority low)
  • Trend graph with number of warnings in the selected projects (with priority distribution)
  • Trend graph with number of new and fixed warnings in the selected projects

Build Summary

The results for each build are summarized on the build view. Here you see how many warnings or open tasks have been found for the selected build. Moreover, the summary shows the number of new and fixed warnings as well as the number of scanned or parsed files. The detail views for each plug-in are accessible via hyperlinks. You can also navigate directly to the plug-in results by clicking on the trend image (see image above).

Result Overview

Each plug-in presents the results of a build in several overview tabs: here you see the number of the warnings or tasks per item as well as the severity distribution. The severity graphs provide a tool tip to show the actual number of warnings or tasks for each severity. By following the link in the first overview table column you will be directed to the filtered details of the selection. The overview table is sortable, so you can easily find the modules or packages with the most warnings by clicking on the table header.

  • The modules tab shows the number of warnings or open tasks per module. The module name is extracted from the pom.xml (Maven) or build.xml (Ant) build configuration files. If you are using another build tool then the path segment above the scanned analysis report file is used as module name.
  • The packages tab shows the number of warnings or open tasks per package or namespace. There is currently only support for Java or C# files.
  • The files tab shows the number of warnings or open tasks per file.
  • The categories tab shows the number of warnings per category. The available set of categories is obtained from the underlying static code analysis tool.
  • The type tab shows the number of warnings per type. The type depends on the static code analysis tool but typically is a 1:1 mapping to the actual rule that produced the warning.


The overview tabs for packages, files, categories and types are equivalent. Click on the thumbnails below to view a screenshot of these tabs.

Package Overview Files Overview
Category Overview Types Overview

Result Details

The details of the individual warnings are shown in the remaining tabs. In the Details tab you will see all warnings of the current selection (e.g., a given package) printed one after another. For each warning you will see the warning message and a detailed description (with example) of the static analysis tool. If you are viewing the results of the current build then the file names are hyperlinks: clicking on the file name will open the actual source code with the selected warning highlighted.

 

The detail tabs in the other plug-ins are equivalent. Click on the thumbnails below to view a screenshot of these tabs.

Checkstyle PMD
Warnings Dry

Besides this details tab there are additional tabs that show the details for a filtered sub-set of the warnings or tasks. I.e., the tabs high, normal, and low show the details of the selected severity, while the tabs new and fixed show warnings in the current build that are new or fixed, respectively.

Finally, the tab Warnings shows a sortable table of all warnings. Here you can sort the warnings by all available attributes to decide which warnings should be looked at in more detail. The warning message and description are shown when hovering over the cell content.

Source Code Visualization

The actual warning is visualized in the source code view (with syntax highlighting). Some warnings have several source code markers attached. In this case, the primary range of the warning is colored orange and the remaining ranges are colored yellow. When hovering over a colored warning annotation, the warning message and detailed description are shown in a tool tip.


Remote API

All plug-ins also have a remote API to obtain information on the quality of the current build. You can use the following commands; the variable [Plugin-URL] needs to be replaced with the URL of the plug-in, e.g., checkstyle, findbugs, tasks, etc.:

  • ...job/[Job-Name]/[Build-Number]/[Plugin-URL]Result/api/xml?depth=0 will return only the build results:
<analysisResult>
  <newZeroWarningsHighScore>false</newZeroWarningsHighScore>
  <numberOfFixedWarnings>40</numberOfFixedWarnings>
  <numberOfNewWarnings>40</numberOfNewWarnings>
  <numberOfWarnings>95</numberOfWarnings>
  <warningsDelta>0</warningsDelta>
  <zeroWarningsHighScore>0</zeroWarningsHighScore>
  <zeroWarningsSinceBuild>0</zeroWarningsSinceBuild>
  <zeroWarningsSinceDate>0</zeroWarningsSinceDate>
</analysisResult>
  • ...job/[Job-Name]/[Build-Number]/[Plugin-URL]Result/api/xml?depth=1 will additionally return the current (and new) warnings:
<analysisResult>
  <newZeroWarningsHighScore>false</newZeroWarningsHighScore>
  <numberOfFixedWarnings>40</numberOfFixedWarnings>
  <numberOfNewWarnings>40</numberOfNewWarnings>
  <numberOfWarnings>95</numberOfWarnings>
  <warning>
    <fileName>checkstyle/src/main/java/hudson/plugins/checkstyle/CheckStyleResult.java
    </fileName>
    <message>The String literal "&lt;/li&gt;" appears 5 times in this
      file; the first occurrence is on line 62.</message>
    <primaryLineNumber>62</primaryLineNumber>
    <priority>NORMAL</priority>
  </warning>
  <warningsDelta>0</warningsDelta>
  <zeroWarningsHighScore>0</zeroWarningsHighScore>
  <zeroWarningsSinceBuild>0</zeroWarningsSinceBuild>
  <zeroWarningsSinceDate>0</zeroWarningsSinceDate>
</analysisResult>
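
The depth=1 response used as a build gate, as an added example that is not part of the original page or of the plug-ins' code. The base URL, the thresholds, the function names and the sample warnings are assumptions; the element names are the ones shown above, and HIGH is assumed to be spelled like the NORMAL value in the sample.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import quote

# Constructed sample of a depth=1 response: element names as on this page,
# file names, messages and counts made up for the example.
SAMPLE = """<analysisResult>
  <numberOfFixedWarnings>1</numberOfFixedWarnings>
  <numberOfNewWarnings>2</numberOfNewWarnings>
  <numberOfWarnings>2</numberOfWarnings>
  <warning>
    <fileName>src/main/java/example/Login.java
    </fileName>
    <message>Constructed message: possible null dereference</message>
    <primaryLineNumber>62</primaryLineNumber>
    <priority>HIGH</priority>
  </warning>
  <warning>
    <fileName>src/main/java/example/Util.java</fileName>
    <message>Constructed message: unused import</message>
    <primaryLineNumber>7</primaryLineNumber>
    <priority>NORMAL</priority>
  </warning>
  <warningsDelta>1</warningsDelta>
</analysisResult>"""

def result_url(base, job, build, plugin, depth=1):
    """Build the remote API URL; the job name is percent-encoded as one path segment."""
    job_seg = quote(job, safe="")
    return f"{base.rstrip('/')}/job/{job_seg}/{int(build)}/{plugin}Result/api/xml?depth={int(depth)}"

def evaluate(xml_text, max_high=0, max_delta=0):
    """Return (passed, summary) for one analysisResult document."""
    root = ET.fromstring(xml_text)
    if root.tag != "analysisResult":  # reject anything that is not the expected document
        raise ValueError(f"unexpected root element: {root.tag}")
    def num(tag):  # counters missing from the response are treated as 0
        return int((root.findtext(tag) or "0").strip())
    warnings = list(root.iter("warning"))
    by_priority = Counter((w.findtext("priority") or "UNKNOWN").strip() for w in warnings)
    # fileName may be wrapped over two lines, as in the sample above, so strip it
    high = [(w.findtext("fileName", "").strip(), int(w.findtext("primaryLineNumber", "0")))
            for w in warnings if (w.findtext("priority") or "").strip() == "HIGH"]
    summary = {"total": num("numberOfWarnings"), "new": num("numberOfNewWarnings"),
               "fixed": num("numberOfFixedWarnings"), "delta": num("warningsDelta"),
               "by_priority": dict(by_priority), "high": high}
    passed = len(high) <= max_high and summary["delta"] <= max_delta
    return passed, summary

if __name__ == "__main__":
    print(result_url("https://hudson.example.org", "my job", 107, "checkstyle"))
    ok, info = evaluate(SAMPLE)
    print("PASS" if ok else "FAIL", info)
```

With depth=0 the warning elements are absent, so only the counter-based threshold (warningsDelta) can be evaluated.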

Maven Notes

These plug-ins normally get built in the site phase, not in the 'normal' package phase. The Hudson configuration help for the plug-in, a bit further up on the same page, specifies which goal you have to add to your Maven build options.

  1. Nov 20, 2009

    Pascal Gelinas says:

    I've just started using these plug-ins for our build process and I've been wondering if there is a way to aggregate the reports in an upstream project, just like the "Aggregate test report" does.

    I have a build configuration like this one: Project A is upstream and Project B and C are downstream of A. Project A is like the real project where B and C are sub-modules. Project A doesn't really have any source code or tests, it just polls the SCM and launches the build for B and C, then aggregates their test result. I'd like to do the same for the reports generated by the static analyzer but I haven't found a way to do it yet. Any ideas?

    1. Nov 30, 2009

      Ulli Hafner says:

      This option is only available for multi-module m2 projects.

      1. Jan 27, 2010

        Michel Nolard says:

        Shouldn't it be quite straightforward to use the downstream project list as if it was a maven2 multi-module list? Maybe I am wrong thinking it is simple _and_ easy so I'm waiting for your advice.

        Wouldn't it be wonderful to offer that feature to people out there who are not using Maven? Some developers cannot use Maven simply because:

         - they are working on huge "legacy" systems,

         - they have not enough time/money/people/knowledge/self-confidence to actually do the migration,

         - some work in companies whose standards do not include Maven,

         - they use another similar tool already like Apache Ivy,

        ...

        Maybe _you_ are lucky, but it is not everybody's case.

        Thank you for reconsidering your point of view for one second at least.

        1. Jan 27, 2010

          Ulli Hafner says:

          Yes, it shouldn't be too complicated to aggregate the results. I just meant that the support is automatically available for maven projects. For freestyle projects the support needs to be implemented. So the best thing would be to open a feature request in our issue tracker.

  2. Feb 03, 2010

    Jasper Li says:

    Hi,

    I'm working on extension of another parser for warning plug-in. My parser could provide detailed information of multiple source code in a single warning.

    But how to hyperlink and highlight all of these source code lines in details tab?

    But class Warning could only be initialized by only one file name and line number, and its hyperlink is like ....../107/warningsResult/source.43/#425

    How could I hyperlink and highlight multiple source code lines or multiple files like example picture in this page?

    Thanks!

    1. Feb 03, 2010

      Jasper Li says:

      Furthermore, how to format and paragraph text in detail tab?

  3. Feb 08, 2010

    Sarita Tripathy says:

    I am seeing the issue, that when I look at a build it says something like 41 new warnings, and 38 fixed warnings, but if I click on the it takes me to a page which contains actually 0 issues, total 0, to high low and all other category fixes 0. In effect the whole build might have only a couple of extra issues in the build, but this seeing so many fixed and new confuses the developers, and they are not sure what's wrong and which one is actually new.

    Is anybody else experiencing this problem? I am getting same unusual numbers for the Duplicate Code checker, and the Checkstyle always says all warnings are new.

    We are on Hudson 1.344,

    Static Analysis Utilities 1.3

    Checkstyle Plug-in 3.2

    Duplicate Code Scanner Plug-in 2.2

    Findbugs Plug-in 4.3

    We are using ant to do the build, and publish the findings to xml files.

    1. Mar 24, 2010

      Ulli Hafner says:

      Can you please file an issue in Jira?

  4. Feb 28, 2010

    Julian Graham says:

    We're doing incremental Maven multi-module builds in Hudson, and I've noticed the following behavior: When a particular module in the multi-module build doesn't run (because it hasn't changed), the static analysis plugins for the top-level build report that all of that module's warnings, FindBugs issues, etc. have been resolved.  I understand why this is happening, but it's a bit frustrating -- the only way we can get accurate trending for static analysis reports is by forcing a full (and lengthy) rebuild whenever any module is changed. 

    Theoretically, couldn't the analysis utilities recognize builds that didn't execute (as opposed to builds that failed) and use the results from the most recent executed build?  It seems (although I have no idea what the code looks like) as if those results should be available in some form, since they're necessary to generate the trend graphs.

    1. Mar 24, 2010

      Ulli Hafner says:

      Which version are you using? I improved the detection of new warnings in the latest release. At least for freestyle projects this should work now. Are you using the freestyle or m2 job type? BTW: please create an issue in Jira because sometimes the confluence notifications don't work...

      1. Mar 30, 2010

        Julian Graham says:

        Hi Ulli,

        We're on Hudson 1.352, with Static Analysis Utilities 1.4 and Static Analysis Collector Plug-in 1.2. And we're using the m2 job type. I've added a Jira ticket. Thanks!

  5. Apr 26, 2010

    Jasper Li says:

    Hi,

    How to make warnings plugin display portlet dashboard view? I did not find configuration for it.

    Thanks!

    1. Apr 27, 2010

      Ulli Hafner says:

      Did you install the Dashboard View?

  6. May 11, 2010

    Cedric Dandoy says:

    Part of the FindBug report page has disappeared.

    The page ends with
      Details
      Packages Files Categories
      < then nothing >
    See http://dandoy.org/hudson/sca.png

    It was working until:
    o I upgraded Hudson to 1.357 (probably from 1.356)
    o I changed the hostname

    I do not see anything unusual in the log or in stdout.

    Running:
    Hudson 1.357
    FindBugs Plug-in 4.8
    Static Analysis Utilities 1.8
    Static Analysis Collector Plug-in 1.5
    Dashboard View 1.5

    1. May 12, 2010

      Ulli Hafner says:

      See: issue #6496
  7. May 27, 2010

    Jasper Li says:

    Hi Ulli,

    Could you provide the change log from 1.6 to 1.8?

    and why it jumped 2 release?

    Thanks

    1. May 28, 2010

      Ulli Hafner says:

      The analysis-core plug-in has no separate changelog, please use the changelog of the individual plug-ins. (Versions are sometimes skipped due to networking/locking errors in the release process).

  8. Dec 21, 2010

    KC Baltz says:

    Is there a way to "reset" the statistics?  Some initial issues with the configuration of the reporting caused a high number of false positives to be reported with the first couple of builds.  I'd like to clear any past measurements and go forward to make the graphs more realistic. 

    1. Dec 22, 2010

      Ulli Hafner says:

      You need to delete the corresponding builds.

  9. Jan 10, 2011

    Lorenzo Alberton says:

    What font is it using to generate the graphs?
    We have a weird font in our setup (latest version of hudson/plugins, maven2 project, centos 5.5):

    -Edit: actually, never mind, fixed by installing msttcorefonts.