Static Code Analysis Tools for Java: What They Find and How to Choose

Written by the Rafter Team

Static code analysis tools for Java examine your source code or bytecode at build time to find vulnerabilities, bugs, and unsafe patterns before they reach production. Java's type system and mature ecosystem make it particularly well-suited for static analysis — tools can reason about data flows with high precision across class hierarchies, interfaces, and dependency injection frameworks. The challenge is choosing the right tool for your goal: security, code quality, or both.
Scan your Java project with Rafter — security-focused static analysis on every commit.
Top Static Code Analysis Tools for Java
The Java ecosystem has several established static analysis options, each with different strengths:
SpotBugs (successor to FindBugs) analyzes compiled bytecode and detects hundreds of bug patterns including null pointer dereferences, infinite loops, and resource leaks. The Find Security Bugs plugin adds detection for SQL injection, XSS, path traversal, and other OWASP Top 10 categories. Free and open source.
SonarQube combines code quality rules with security analysis. Its Java analyzer covers injection flaws, authentication issues, and cryptographic weaknesses alongside maintainability and complexity metrics. The community edition is free; advanced security rules require a commercial license.
PMD performs source-level analysis focused on code style, complexity, and common programming mistakes. Its security coverage is limited compared to dedicated SAST tools, but it catches issues like empty catch blocks that suppress security-relevant exceptions.
Semgrep uses pattern-matching rules that are easy to write and customize. Its Java support covers OWASP Top 10 patterns, and community rules are free. It lacks the deep interprocedural taint analysis of commercial tools but provides fast, low-noise results.
Checkmarx and Fortify are enterprise SAST platforms with deep Java support including cross-file taint tracking, framework-aware analysis (Spring, Jakarta EE, Hibernate), and compliance reporting. Both require commercial licenses.
No single tool catches everything. SpotBugs excels at bytecode-level bug detection but misses source-level patterns. Semgrep catches source patterns but lacks deep data flow analysis. Layering tools increases coverage but also increases maintenance cost.
What Static Analysis Catches in Java Code
Java-specific vulnerability patterns that static analysis tools reliably detect:
- SQL injection via string concatenation — JDBC queries built with `+` instead of `PreparedStatement` parameters
- LDAP and expression language injection — unsanitized input in JNDI lookups or EL expressions (the Log4Shell pattern)
- Deserialization of untrusted data — `ObjectInputStream.readObject()` on user-controlled byte streams
- XML external entity (XXE) — `DocumentBuilderFactory` and `SAXParserFactory` without disabled external entity resolution
- Weak cryptography — `DES`, `MD5`, `SHA-1` usage in security contexts, `ECB` mode for block ciphers
- Path traversal — `new File(userInput)` without canonicalization or allowlist checks
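To make three of these patterns concrete, the following is an added example (not code from the original article or from any of the tools it names) that puts the form a Java SAST tool flags next to the form it expects instead, for SQL injection, XXE and path traversal. The class, method names and the `/var/app/uploads` root are illustrative assumptions; the JDBC and JAXP APIs used are standard.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

// Added example: each pair shows the pattern a Java SAST tool flags and the
// form it expects instead. Class, method names and paths are illustrative.
public class JavaSastPatterns {

    // --- SQL injection via string concatenation ---------------------------

    // Flagged: user input spliced into the query text with '+'.
    static ResultSet findUserUnsafe(Connection conn, String username) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id, email FROM users WHERE name = '" + username + "'");
    }

    // Expected: the query text is constant; input travels as a bound parameter.
    static ResultSet findUserSafe(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id, email FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // --- XML external entity (XXE) -----------------------------------------

    // Flagged: default factory settings still resolve DTDs and external entities.
    static DocumentBuilder xmlParserUnsafe() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Expected: DTDs disallowed outright, plus the entity/DTD features and
    // access-restriction attributes that rule sets look for.
    static DocumentBuilder xmlParserSafe() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    // --- Path traversal ----------------------------------------------------

    // Assumed upload directory; normalized once so later comparisons are exact.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Flagged: the request-supplied name goes into File without canonicalization.
    static byte[] readUploadUnsafe(String requestedName) throws IOException {
        return Files.readAllBytes(new File("/var/app/uploads", requestedName).toPath());
    }

    // Expected: resolve against the root, normalize away ".." segments, then
    // refuse anything that no longer sits under the root (absolute names included).
    static byte[] readUploadSafe(String requestedName) throws IOException {
        Path candidate = UPLOAD_ROOT.resolve(requestedName).normalize();
        if (!candidate.startsWith(UPLOAD_ROOT)) {
            throw new IOException("path escapes upload root: " + requestedName);
        }
        return Files.readAllBytes(candidate);
    }
}
```

The `startsWith` check works on the lexical path; if the upload directory can contain symlinks, compare `candidate.toRealPath()` against `UPLOAD_ROOT.toRealPath()` instead so a link pointing outside the root is also rejected.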
Integrating Static Analysis Into Java Builds
The most effective placement is in your CI pipeline, running on every pull request. Maven and Gradle plugins exist for SpotBugs, PMD, and SonarQube, making integration straightforward. Configure your build to fail on findings above a severity threshold — this enforces a security baseline without blocking development on informational issues.
Rafter takes a different approach: connect your repository once and security-focused static analysis runs automatically on every commit. No build plugin configuration, no rule XML files, no version compatibility issues between your analyzer and your JDK. Findings surface in pull requests with Java-specific remediation guidance — the exact PreparedStatement refactor, the correct DocumentBuilderFactory configuration, the safe ObjectMapper settings.
Start scanning your Java code with Rafter — no build plugin required.