I am creating an initial, extensive static code analysis report about our Java/JSP web application (legacy of course ;-) for management to raise awareness for quality issues. The main Java code is no problem, there are plenty of free tools available, e.g. PMD, Checkstyle, Classcycle, etc.
But what about the JSPs? There is considerable Java code embedded in our JSPs (unfortunately) and this needs to be analysed. What tools could I use or what process do I need to follow to statically analyse JSPs?
A very simple metric may work for your purpose - "does this jsp contain scriptlets" or "number of lines scriptlet code", which you ought to be able to cobble together with grep or something similar.
Would detail beyond this add any value if you are making a pitch to management for time to fix things?
---- Edit ----
A quick google suggests that you might be able to extract the stats I suggested above for jsps using this
http://www.semanticdesigns.com/Products/SearchEngine/
Which was suggested as an answer in this question
What would be a good way to measure the size of a JSP project?
As henry pointed out correctly, a good metric for JSPs is "number of lines scriptlet code". This can be done with some regular expressions.
I found the ratio of lines of Java code versus lines of HTML (= LoC_Java/LoC_Html) to be most expressive: the smaller this number is, the better. Ratios up to 20 or 30% look ok, but values above 50% or even > 1 are bad. In my analysis I found JSPs with ratios up to 6 (really bad).
Also the number of page directives provides rough insight. As this number is mainly caused by imports, high numbers indicate high coupling.
Similar metrics are available in PMD, which has a JSP Ruleset. It is based on HTML page analysis and is able to report the number of scriptlets, length of scriptlets, duplicate imports and encoding issues as well as plain HTML anti-patterns.
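The regex-based metrics from this answer (scriptlet lines, HTML lines, their ratio, and the page-directive count), worked through as an added example that is not part of the original answers. The sample JSP and the "review" band between the 30% and 50% thresholds are my own constructions; the ok/bad thresholds are the ones stated above.

```python
import re

# Constructed sample (not from the question): a legacy JSP mixing markup and scriptlets.
SAMPLE_JSP = """<%@ page import="java.util.List" %>
<%@ page import="java.util.Map" %>
<%-- comment: should not count as Java or HTML --%>
<html>
<body>
<%
    List items = (List) request.getAttribute("items");
    int count = items.size();
%>
<h1>Items: <%= count %></h1>
<ul>
<% for (int i = 0; i < count; i++) { %>
  <li><%= items.get(i) %></li>
<% } %>
</ul>
</body>
</html>
"""

COMMENT_RE = re.compile(r"<%--.*?--%>", re.DOTALL)
# Scriptlets <% %>, expressions <%= %> and declarations <%! %>; the lookahead
# excludes directives (<%@) and comments (<%--). A "%>" inside a Java string
# literal would end the match early, which is tolerable for a first-pass report.
SCRIPTLET_RE = re.compile(r"<%(?![@-])[=!]?(.*?)%>", re.DOTALL)
PAGE_DIRECTIVE_RE = re.compile(r"<%@\s*page\b.*?%>", re.DOTALL)
ANY_JSP_TAG_RE = re.compile(r"<%.*?%>", re.DOTALL)

def count_nonblank(text):
    return sum(1 for line in text.splitlines() if line.strip())

def jsp_metrics(source):
    """Count scriptlet Java lines, remaining HTML lines and page directives."""
    body = COMMENT_RE.sub("", source)
    loc_java = sum(count_nonblank(m.group(1)) for m in SCRIPTLET_RE.finditer(body))
    page_directives = len(PAGE_DIRECTIVE_RE.findall(body))
    # HTML is whatever remains once every <% ... %> block is stripped.
    loc_html = count_nonblank(ANY_JSP_TAG_RE.sub("", body))
    ratio = loc_java / loc_html if loc_html else float("inf")
    return {"loc_java": loc_java, "loc_html": loc_html,
            "page_directives": page_directives, "ratio": ratio}

def classify(ratio):
    """<=30% ok and >50% bad as stated in the answer; the gap is flagged for review (my assumption)."""
    return "ok" if ratio <= 0.3 else "review" if ratio <= 0.5 else "bad"

if __name__ == "__main__":
    m = jsp_metrics(SAMPLE_JSP)
    print(m, classify(m["ratio"]))
```

Run it over every `*.jsp` in the tree and sort by ratio to get the worst offenders first for the report.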