Java Code Linting with SonarLint


Overview

SonarLint is an open-source IDE plugin for Eclipse and IntelliJ that performs static analysis on Java code.

It's developed by SonarSource, a Swiss software company focused on code quality solutions.

With this tool, we can get instant feedback on code quality issues during development.  This allows us to address potential bugs and vulnerabilities before they are committed into the codebase.


Rules

SonarLint raises an issue when it identifies code that breaks one of its rules. The issue is marked with a blue squiggle under the offending code, as seen below:

[Screenshot: SonarLint issue marker (blue squiggle) in the Eclipse editor]

The default Java ruleset includes over 450 rules that fall into various categories and severity levels. The complete rules catalog can be found on the SonarSource website.

Categories

  • Bug - a coding oversight or mistake which could lead to unwanted behavior or performance issues
  • Vulnerability - a security issue which may give an attacker a possible opening
  • Code smell - a clean-coding violation which may lead to maintainability issues

Severity Levels

  • Minor
  • Major
  • Critical
  • Blocker

Standalone vs Connected

SonarLint can be run in standalone or connected mode.

Standalone mode uses the default rule set and doesn't require any other components. Unfortunately, there doesn't appear to be a way to load custom rules in standalone mode.

Connected mode connects to an on-premise SonarQube server or to SonarCloud, where we can store custom rules and view the analysis results by date. These are separate products developed by SonarSource and are useful for teams that want to introduce static analysis into their CI process.

In this article, we'll focus on standalone SonarLint for the Eclipse IDE.


Installation

SonarLint is available in the Eclipse Marketplace.

  1. Go to Help → Eclipse Marketplace
  2. Search for "SonarLint"
  3. Click Install
  4. Accept the License Agreement  
  5. Restart Eclipse

After the restart, SonarLint will automatically analyze Java source files when they are opened and saved.


Configuration

SonarLint configuration options are found in a few different places under the Preferences dialog in Eclipse.

(Mac: Eclipse → Preferences, Windows: Window → Preferences)

Preferences → General → Editors → Text Editors → Annotation

It's helpful to check Vertical ruler for SonarLint issues so it's easier to spot the lines that need attention:

[Screenshot: Annotation preferences with Vertical ruler checked]

Preferences → SonarLint

There's not much to configure here unless we want to exclude files or disable sharing of usage statistics.

[Screenshot: SonarLint preferences page]

Static Code Analysis

Let's take a look at some code samples and see what SonarLint finds.

Remove boolean condition that always returns true 

[Screenshot: Unnecessary boolean condition]

A constructor can never return null, so the null check is pointless here and should be removed.

Diamond operator should be used

[Screenshot: Diamond operator should be used]

The diamond operator was introduced in Java 7 to minimize the verbosity of code that uses generic types.

[Screenshot: Diamond operator is used]

SonarLint checks the project language level before enabling version-specific rules such as this one.

Single return statement should be used

[Screenshot: Boolean return literals in conditional]

Here we are simply returning true if the expression evaluates to true and false otherwise. This can be simplified into a single return statement:

[Screenshot: Single return statement]

Possible null pointer exception

Method calls on objects that could possibly be null are flagged.

In the example below, the dialog object could be null if both conditional statements evaluate to false.

[Screenshot: Possible null pointer exception]

Reduce method complexity


SonarLint assigns each method a Cognitive Complexity score. This score measures how easy the method's logic is to follow. A score above 15 will be flagged.

Long methods with nested if-then statements, loops, and complex boolean expressions will score higher.

[Screenshot: High cognitive complexity]

SonarSource has published a white paper explaining in detail how the score is computed.
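The four patterns above, reconstructed as compilable Java so they can be pasted into an Eclipse project with SonarLint enabled. This is an added example, not code from the original post; the class, method and field names (including the stand-in Dialog class) are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the original post: each *Before method reproduces
// a pattern the article shows SonarLint flagging and each *After method is the
// fix. Class, method and field names are assumptions made for illustration.
public class SonarLintSamples {
    // Unnecessary boolean condition: 'new' never yields null, so the check is
    // always true. The explicit type argument also trips "diamond operator".
    static List<String> namesBefore() {
        List<String> names = new ArrayList<String>();
        if (names != null) { names.add("alice"); }
        return names;
    }
    // Fix: drop the check and use the diamond operator (language level 7+).
    static List<String> namesAfter() {
        List<String> names = new ArrayList<>();
        names.add("alice");
        return names;
    }

    // Boolean return literals in conditional; fix: return the expression itself.
    static boolean isAdultBefore(int age) {
        if (age >= 18) { return true; } else { return false; }
    }
    static boolean isAdultAfter(int age) {
        return age >= 18;
    }

    // Possible null pointer exception: when neither condition holds, 'dialog'
    // is still null and dialog.show() throws NullPointerException at runtime.
    static String openDialogBefore(boolean error, boolean warning) {
        Dialog dialog = null;
        if (error) { dialog = new Dialog("Error"); }
        else if (warning) { dialog = new Dialog("Warning"); }
        return dialog.show();
    }
    // Fix: assign a value on every path so the reference is never null.
    static String openDialogAfter(boolean error, boolean warning) {
        Dialog dialog = error ? new Dialog("Error")
                      : warning ? new Dialog("Warning") : new Dialog("Info");
        return dialog.show();
    }
    // Minimal stand-in for a UI dialog so the sample compiles on its own.
    static class Dialog {
        private final String title;
        Dialog(String title) { this.title = title; }
        String show() { return "[" + title + "]"; }
    }
}
```

Opening this file in Eclipse should produce squiggles on the `names != null` check, the `new ArrayList<String>()` call, the `if/else` returning literals, and the `dialog.show()` call, while the *After methods stay clean.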


FAQ

How do I turn off SonarLint for a specific project?

Go to Project Properties → SonarLint and uncheck Run SonarLint Automatically.

How do I load custom rules into SonarLint?

This functionality is only available in Connected mode.