This has been touched on a few times over the years. Having static analysis as part of our build seems like a big win. For example, we could use PMD to flag System.out.println statements, as discussed in LUCENE-3877, and we could possibly incorporate the nocommit / @author checks as well.
There are a few things to work out as part of this:
- Should we use both PMD and FindBugs or just one of them? They look at code from different perspectives (bytecode vs. source code) and target different issues. At the moment I'm in favour of trying both, but that might be too heavy-handed for our needs.
- What checks should we use? There's no point having the analysis if it's going to raise too many false-positives or problems we don't deem problematic.
- How should the analysis be integrated in our build? We need to work out when the analysis should run, how it should be incorporated in Ant and/or Maven, and what impact errors should have on the build.
I believe both PMD and FindBugs are on Maven repos, so one could use Ivy to fetch them automatically. One thing less to think about.
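To make the two points above concrete (running the System.out.println check from the issue, and fetching PMD through Ivy as the comment suggests), here is an added Ant build.xml fragment. It is an illustration written for this discussion, not code from the issue or from the Lucene build. It assumes Ivy's Ant tasks are already loaded under the antlib:org.apache.ivy.ant namespace, that the PMD version, Maven artifact id and source directory are placeholders to be filled in, and that the rule reference uses the PMD 5.x ruleset layout (rulesets/java/logging-java.xml/SystemPrintln; later PMD releases moved the rule to category/java/bestpractices.xml/SystemPrintln).

```xml
<!-- Added example (not from the issue or the Lucene build): a build.xml fragment
     that fetches PMD through Ivy and runs only the SystemPrintln rule over the sources.
     Assumptions: Ivy's Ant tasks are loaded under antlib:org.apache.ivy.ant, the PMD
     version / artifact id / source directory are placeholders, and the rule reference
     follows the PMD 5.x layout. -->
<project name="pmd-check" default="check-println" xmlns:ivy="antlib:org.apache.ivy.ant">

  <!-- Placeholders: choose the PMD release and the source tree for your module.
       Early 5.0 releases shipped as artifact "pmd"; later 5.x releases split into
       "pmd-core" and "pmd-java". -->
  <property name="pmd.version" value="PMD_VERSION_PLACEHOLDER"/>
  <property name="pmd.artifact" value="pmd-java"/>
  <property name="src.dir" value="src/java"/>
  <property name="pmd.report" value="build/pmd-report.xml"/>

  <!-- Resolve PMD and its transitive dependencies from the Maven repository via Ivy
       and expose them as an Ant path, so nothing needs to be checked in. -->
  <target name="resolve-pmd">
    <ivy:cachepath organisation="net.sourceforge.pmd" module="${pmd.artifact}"
                   revision="${pmd.version}" inline="true" transitive="true"
                   pathid="pmd.classpath"/>
  </target>

  <!-- Run only the rule this issue is about. failOnRuleViolation="true" makes any
       System.out / System.err call fail the build; this is the "what impact errors
       should have" decision from the issue. Set it to false to start in report-only
       mode and widen the rule set once the false-positive rate is understood. -->
  <target name="check-println" depends="resolve-pmd">
    <mkdir dir="build"/>
    <taskdef name="pmd" classname="net.sourceforge.pmd.ant.PMDTask"
             classpathref="pmd.classpath"/>
    <pmd rulesetfiles="rulesets/java/logging-java.xml/SystemPrintln"
         failOnRuleViolation="true" shortFilenames="true" encoding="UTF-8">
      <!-- Console output for developers, XML for CI tooling. -->
      <formatter type="text" toConsole="true"/>
      <formatter type="xml" toFile="${pmd.report}"/>
      <fileset dir="${src.dir}">
        <include name="**/*.java"/>
        <!-- Tests and tools often print on purpose; excluding them keeps the rule
             a signal rather than a source of noise to be suppressed. -->
        <exclude name="**/test/**"/>
      </fileset>
    </pmd>
  </target>
</project>
```

Running `ant check-println` resolves PMD on first use and then lists every System.out / System.err call with file and line; because the rule set is a single explicit rule rather than a whole category, the build only starts failing for the one class of problem the project has already agreed is a problem, and further rules can be added to rulesetfiles one at a time as their false-positive rate is checked.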