What tools or process to use to statically analyse JSPs?

Question

I am creating an initial, extensive static code analysis report about our Java/JSP web application (legacy of course ;-) for management to raise awareness for quality issues. The main Java code is no problem, there are plenty of free tools available, e.g. PMD, Checkstyle, Classcycle, etc.

But what about the JSPs? There is considerable Java code embedded in our JSPs (unfortunately) and this needs to be analysed. What tools could I use or what process do I need to follow to statically analyse JSPs?

• I know about PMD 5's new functionality covering JSPs, is it worthwile to explore?
• I could generate the source Servlets of the JSPs somehow and use basic Java analysis tools, if so then what is the easiest way to get the Java source for JSPs?

Answer 1

A very simple metric may work for your purpose - "does this jsp contain scriptlets" or "number of lines scriptlet code", which you ought to be able to cobble together with grep or something similar.

Would detail beyound this add any value if you are making a pitch to management for time to fix things?

---- Edit ----

A quick google suggests that you might be able to extract the stats I suggested above for jsps using this

http://www.semanticdesigns.com/Products/SearchEngine/

Which was suggested as an answer in this question

What would be a good way to measure the size of a JSP project?

Answer 2

As henry pointed out correctly, a good metric for JSPs is "number of lines scriptlet code". This can be done with some regular expressions.

I found the ratio of lines of code versus lines HTML (=LoC_Java/LoC_Html) to be most expressive: The smaller this number is, the better. Ratios up to 20 or 30% look ok, but values above 50% or even > 1 are bad. In my analysis I found JSPs with ratios up to 6 (really bad).

Also the number of page directives provides rough insight. As this number is mainly caused by imports, high numbers indicate high coupling.

Similar metrics are available in PMD which hase a JSP Ruleset. Is is based on HTML page analysis and is able to report the number of scriptlets, length of scriptlets, duplicate imports and encoding issues as well as plain HTML anti patterns.