There are several options available for static code analysis within Eclipse and they all come in the form of plugins. Code coverage can be monitored using EclEmma with a straightforward traffic light warning system to deliver a simple report on whether your unit testing goes deep enough. FindBugs will deliver byte code analysis and it works through the classes of the compiled code and looks for bugs that have already been identified in its own database.
For code complexity analysis there’s Efferent Coupling – it walks through the code and ensures that when your methods are overly complex - you can address the flaws in the code before they become a real problem for later development cycles. JDepend4Eclipse will deliver dependency analysis and prevent you from falling into the trap of circular dependencies so that you can make sure that your code can be modularized at will. Then there’s PMD for source code analysis. There are also plugins for quality code analysis which offer some level of security code analysis such as Coverity and Klockwork.
Once you have located the Static Code Analysis solution of your choice, you must make sure it can work in tandem with Eclipse. The tool should ideally be designed to offer coverage of the full OWASP Top 10 of security flaws as well as a substantial amount of additional coverage for less common problems. It must also possess strong reporting facilities that enable developers to track exactly where in the code security issues are creeping in and then fix them immediately. This results in early vulnerability remediation and fast development times, a win-win situation for all sides involved.
