Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What tools or process to use to statically analyse JSPs?

I am creating an initial, extensive static code analysis report about our Java/JSP web application (legacy of course ;-) for management to raise awareness for quality issues. The main Java code is no problem, there are plenty of free tools available, e.g. PMD, Checkstyle, Classcycle, etc.

But what about the JSPs? There is considerable Java code embedded in our JSPs (unfortunately) and this needs to be analysed. What tools could I use or what process do I need to follow to statically analyse JSPs?

  • I know about PMD 5's new functionality covering JSPs, is it worthwile to explore?
  • I could generate the source Servlets of the JSPs somehow and use basic Java analysis tools, if so then what is the easiest way to get the Java source for JSPs?
like image 239
Peter Kofler Avatar asked Mar 14 '13 10:03

Peter Kofler


People also ask

Which tool is used for static code analysis?

Source code analysis tools, also known as Static Application Security Testing (SAST) Tools, can help analyze source code or compiled versions of code to help find security flaws. SAST tools can be added into your IDE. Such tools can help you detect issues during software development.

Which tools are used for static checks SAP?

These two tools are available for executing static checks: ABAP Test Cockpit (ATC) - in the case of systems SAP EhP2 and upwards for SAP NetWeaver 7.0 SP 12. Code Inspector - in the case of older systems (< SAP EhP2 for SAP NetWeaver 7.0, SP 12), static checks must be performed using the Code Inspector instead.

How are Jsps interpreted?

At run time, the JSP code is interpreted by the JSP compiler, which parses out all the special features in the JSP code and translates them to Java code. The Java class created from each JSP implements Servlet .


2 Answers

A very simple metric may work for your purpose - "does this jsp contain scriptlets" or "number of lines scriptlet code", which you ought to be able to cobble together with grep or something similar.

Would detail beyound this add any value if you are making a pitch to management for time to fix things?

---- Edit ----

A quick google suggests that you might be able to extract the stats I suggested above for jsps using this

http://www.semanticdesigns.com/Products/SearchEngine/

Which was suggested as an answer in this question

What would be a good way to measure the size of a JSP project?

like image 162
henry Avatar answered Sep 20 '22 13:09

henry


As henry pointed out correctly, a good metric for JSPs is "number of lines scriptlet code". This can be done with some regular expressions.

I found the ratio of lines of code versus lines HTML (=LoC_Java/LoC_Html) to be most expressive: The smaller this number is, the better. Ratios up to 20 or 30% look ok, but values above 50% or even > 1 are bad. In my analysis I found JSPs with ratios up to 6 (really bad).

Also the number of page directives provides rough insight. As this number is mainly caused by imports, high numbers indicate high coupling.

Similar metrics are available in PMD which hase a JSP Ruleset. Is is based on HTML page analysis and is able to report the number of scriptlets, length of scriptlets, duplicate imports and encoding issues as well as plain HTML anti patterns.

like image 25
Peter Kofler Avatar answered Sep 23 '22 13:09

Peter Kofler