This article introduces SonarLint, a static analysis IDE plugin for Java and other languages, explains its code‑quality features, shows how to install and use it in IntelliJ IDEA, compares it with SonarQube, and highlights related tools such as Alibaba’s Java coding guidelines.
To maintain stable services as systems grow, this article introduces five Java static analysis tools—Alibaba Java Coding Guidelines, CheckStyle, PMD, FindBugs, and SonarLint—detailing their purpose, installation steps, usage instructions, and key features to help improve code quality and streamline code reviews.
This article outlines a comprehensive approach to controlling and enhancing code quality in development teams, covering common issues such as delayed static analysis, ineffective code reviews, inconsistent branch management, unclear commit messages, and low technical morale, and proposes practical workflow, tooling, and governance solutions.
The guide shows how to shrink a Baidu iOS app by converting PNGs to HEIC within Asset Catalogs—leveraging Xcode’s actool for compression, avoiding pngquant‑induced alpha issues, and employing combined static LinkMap/Mach‑O parsing and runtime isa‑flag checks to prune never‑instantiated classes.
The article details Baidu’s iOS bundle‑size reduction strategy by converting PNG/JPG assets to HEIC using macOS tools or ImageMagick, storing them in Asset Catalogs for iOS 10+ compatibility, handling alpha‑channel quirks, and employing combined static‑link‑map and runtime class‑initialization analysis to safely prune unused Objective‑C classes.
The article examines common functional testing pain points—such as vague impact assessment, high regression cost, and poor test‑dev collaboration—and proposes a data‑driven solution that builds a code‑to‑test‑case mapping using dynamic call chains, static analysis, and coverage snapshots to enable precise test case recommendation and incremental coverage reporting.
The article explains how LinkedIn adopted the 10X thinking to transform its mobile development process, introducing aggressive goals, static analysis, distributed builds, rapid testing layers, and a weekly release cadence to dramatically improve engineering efficiency and product delivery.
This article explains how to analyze Link Map files and apply code‑level optimizations—such as removing unused classes, modules, methods, duplicate code, and AB‑test branches—to significantly reduce the binary size of Baidu’s iOS app, providing scripts, commands, and practical tips for each step.
This article presents a systematic approach to improving code quality across the software development lifecycle, covering traceability between tasks and commits, early static analysis, efficient code review, disciplined branching strategies, commit‑message enforcement, and fostering a collaborative technical culture.
This article explains how to import, configure, and run the CheckStyle plugin in IntelliJ IDEA, describes common annotation and formatting issues it detects, and provides practical tips for fixing import order, character spacing, and other style violations in Java projects.
This article introduces code‑level quality technologies, covering their background, architectural layers, code understanding methods, probe techniques, coverage metrics, smart unit testing, static analysis, and isolated‑function detection, and explains how these practices improve software robustness and defect‑recall efficiency.
The article outlines a two‑layer architecture for code‑level quality techniques—CodeC for deep code understanding via static analyses and Codeπ for applications such as quality assessment, probes, health monitoring, and defect location—detailing methods like AST parsing, coverage metrics, intelligent unit testing, static analysis, and orphan‑function detection to enhance software robustness.
This article introduces code‑level quality technology, outlining its background, a two‑layer architecture for code comprehension and instrumentation, key techniques such as static and dynamic analysis, coverage metrics, intelligent unit testing, rule‑based scanning, and orphan function detection, while previewing deeper future explorations.
This article explains the workings of SwiftLint, a static code analysis tool for Swift, covering its architecture, built‑in rules, configuration options, custom rule creation, UIWebView deprecation detection, and advanced build‑time optimizations to improve linting efficiency in mobile development projects.
Static analysis is the examination of source code without execution, offering rapid, often real‑time feedback on code quality, and is widely supported by numerous open‑source and proprietary tools used within DevOps continuous delivery pipelines.
The Vivo Internet Security Team demonstrates how to extend the Doop static analysis framework with custom Datalog rules to detect the Apache Commons Text CVE‑2022‑42889 remote code execution vulnerability by tracing taint from StringSubstitutor.replace to ScriptEngine.eval, producing source‑sink CSV reports and showcasing Doop’s extensibility for security research.
This article explains Android app security risks and introduces static taint analysis, its theoretical foundations, key concepts, and practical tools such as FlowDroid, MobSF, AppShark, and PATDroid for detecting privacy leaks and vulnerabilities.
This article provides a comprehensive guide to the open‑source Capo cloud‑native network coordination service, covering its architecture, three deployment methods (Helm, Kustomize, plain YAML), detailed configuration parameters, observability setup, static code analysis with golangci‑lint, extensive unit and e2e testing using Kind, Helm chart packaging, registry publishing, and a full GitHub Actions CI/CD workflow.
The article proposes enhancing front‑end project delivery quality by replacing manual standards with automated tooling—static code linting, performance, error, and disaster‑recovery tests—and integrating these checks into DevOps checkpoints that enforce pass, alarm, or block actions, enabling metric‑driven, objective evaluation across teams and outsourced projects.
This article describes how Industrial and Commercial Bank of China tackled rising software vulnerabilities by establishing a unified code‑scanning center, integrating static, supply‑chain, and dynamic analysis tools, standardizing rules, and delivering one‑stop services that have scanned over 3.1 billion lines of code across the bank.
At the end of 2022 the NSA warned that C and C++ are unsafe and urged a shift to languages like Rust or Go, but Bjarne Stroustrup counters that modern C++ offers robust static analysis, type and resource safety, and that the agency’s view overlooks these advances.
Creator of C++ Bjarne Stroustrup counters the NSA’s recommendation to replace C/C++ with memory‑safe languages, arguing that modern C++ has evolved with robust safety features, static analysis, and guidelines that can ensure type and resource safety without abandoning the language.
Ant Group and Hong Kong University of Science and Technology’s award‑winning paper, “Complexity‑guided Container Replacement Synthesis,” presented at OOPSLA 2022, introduces a static‑analysis‑driven method that automatically replaces inefficient Java containers, achieving an average 8.1% runtime improvement across real‑world projects.
This article describes how a game development team designed, implemented, and continuously improved a static checking framework for Unity assets and code, covering pre‑submission hooks, post‑submission scripts, daily checks, CI/CD integration, UI enhancements, and lessons learned for better quality assurance.
This tutorial demonstrates how to set up a Python project, install and run Pylint, interpret its messages, and improve code quality by adding docstrings, fixing formatting issues, and configuring suppression, while also covering linting on single files, directories, and common pitfalls.
Join the Infra Talk session where PhD researcher Xiaoyu Sun reveals how Android security and compatibility defects arise, demonstrates static and dynamic analysis techniques, and showcases open‑source tools for detecting privacy leaks and framework incompatibilities, while outlining future research directions.
This article describes a four‑step approach to precise frontend testing that uses static analysis of routing and import dependencies to identify impacted pages and functions, automatically selects corresponding test cases, runs them, and compares incremental coverage to ensure code changes are fully verified.
The article presents Alchemy, a comprehensive code quality analysis platform that integrates static analysis, unit‑test rule scanning, duplicate‑code detection, custom rule checks, and code search into GitLab CI/CD pipelines, addressing common DevOps challenges and improving backend development efficiency.
To maintain stable Java services as projects grow, this article introduces essential code quality tools—including Alibaba Java Coding Guidelines, CheckStyle, PMD, FindBugs, and SonarLint—detailing their installation, usage, and key features to streamline code reviews and reduce bugs.
To maintain stable, high‑quality Java services as projects grow, this guide introduces five essential static‑analysis tools—Alibaba Java Coding Guidelines, CheckStyle, PMD, FindBugs, and SonarLint—detailing their installation, core features, usage steps, and how they collectively reduce bugs and improve code standards.
This practical guide walks iOS developers through installing OCLint, generating a compilation database, creating custom Clang‑AST rules, optimizing analysis runtime with parallel processing, and interpreting results that uncovered hundreds of performance‑critical issues, demonstrating how static analysis can dramatically improve startup speed.
This article introduces several Java code‑quality tools—including Alibaba Java Coding Guidelines, CheckStyle, PMD, FindBugs, and SonarLint—explaining their purpose, installation steps, key features, and how they can improve code review efficiency and overall code health.
This article introduces essential Java static analysis tools—including Alibaba Java Coding Guidelines, CheckStyle, PMD, FindBugs, and SonarLint—detailing their installation, usage, and key features to help developers improve code quality, reduce review effort, and prevent bugs in growing backend systems.
Precise testing technology uses static code scanning and dynamic tracing to build a Neo4j call‑graph, automatically recommends test scopes and cases via diff analysis and weighted relationships—including call‑count, module, text similarity, and GCN—thereby improving test adequacy, cutting regression cycles, and dramatically reducing test execution time.
The new govulncheck tool leverages the Go vulnerability database to pinpoint actual vulnerable function calls in code, reducing noise and addressing developer challenges around error handling and third‑party library security, while recent surveys highlight the growing need for such solutions.
This guide introduces CodeQL, explains how to install the required tools, shows how to generate a source‑code database, and walks through basic and advanced rule syntax with practical C/C++ examples, enabling security researchers to efficiently discover vulnerabilities in large codebases.
This article explains Python's compilation process, introduces the AST module, and demonstrates how to parse, pretty‑print, traverse, and transform abstract syntax trees to automatically rename ambiguous variables and inject logging statements, ending with a discussion of broader AST applications.
This article explains how to automatically extract data lineage and code dependencies from large collections of Python scripts by leveraging the language's compilation stages, abstract syntax trees, and the Pyflakes static‑analysis library, providing practical code examples and custom parsers for SQL extraction.
Kuaishou's Y‑tech team built an automated detection platform that statically analyzes effect assets, dynamically renders them on a server, and runs real‑device performance tests, using a task queue, Kafka and RMQ to ensure high‑quality AR effects across multiple products.
This article explains why static analysis is essential for C/C++ development, compares compiler warnings with dedicated tools, introduces cppcheck, shows how to install and use it on sample programs, and demonstrates its ability to uncover bugs that compilers often miss.
This article explains how the Finder system combines multi‑language code‑coverage collection, differential analysis, and call‑graph tracing to provide fine‑grained testing metrics, automate test‑case identification, and support continuous quality assurance across complex backend and frontend projects.
This article examines the root causes of engineering decay in large Android apps, breaks down the problem into configuration, manifest, Java code, resources, and native libraries, and presents a comprehensive governance framework that combines people‑centric practices, process‑driven gates, and tooling to detect and remediate decay across modules.
This article introduces the Alibaba Java Coding Guidelines plugin for IntelliJ IDEA, explains its rule set and detection modes, and provides step‑by‑step instructions for installing and using the plugin to automatically enforce coding standards in Java projects.
This article presents the background, industry challenges, design principles, architecture, core capabilities, and implementation details of JD Tech's privacy compliance detection system for mobile applications, highlighting both static and dynamic analysis techniques to identify and remediate personal data risks.
This article explains how to statically analyze Android apps to identify privacy‑related method calls hidden in native .so libraries, extract method signatures from smali files, construct a call‑graph with callers and callees, handle cycles, and traverse the graph to reveal call chains.
Using LGTM’s online CodeQL scanner, the author demonstrates how a 2020 CWE‑074 rule can automatically detect a Log4j2 0‑day vulnerability, explains the rule’s data‑flow logic, and provides step‑by‑step instructions for scanning open‑source projects and responsibly handling discovered exploits.
This article explains what Synopsys Polaris is, lists the programming languages it supports, describes how to access the SaaS platform, install the CLI, configure the polaris.yml file with capture and analysis settings, and run scans to obtain detailed vulnerability reports.
This article explains how to create a static analysis tool that scans Android APKs for privacy‑sensitive API calls, covering both compile‑time bytecode instrumentation and runtime stack tracing, with step‑by‑step instructions, code examples, configuration details, and optimization techniques.
This guide explains how to set up SonarQube and Sonar‑scanner for static code analysis, run the scanner with project parameters, install the Sonar‑GitLab plugin, configure commit‑status integration, and use the resulting GitLab commit status to enforce merge‑request policies based on pipeline outcomes.
This guide introduces SonarLint and SonarQube, explains how to install and configure them for Java projects, demonstrates scanning with Maven, and provides additional resources such as Alibaba Java coding conventions and documentation links, helping developers improve code quality and maintainability.
Xianyu’s Flutter team defines a custom lint configuration in analysis_options.yaml, selecting stable rules from effective_dart, pedantic, flutter_lints and lints to enforce concise syntax, safe null handling, explicit typing, consistent style, and proactive quality checks, supported by CI enforcement and team‑wide consensus.
This article introduces three essential code‑quality tools—SonarLint, SonarQube, and the Alibaba code‑convention plugin—explaining their installation, basic usage, integration with Maven, and how they help developers detect code smells, enforce standards, and quantify quality metrics in Java projects.
This article explains ByteDance’s automated precise testing solution, describing how method call‑chain analysis links code changes to Android Activities, enabling targeted test‑case recommendation, optimizing CI pipelines, and significantly improving test efficiency and coverage for large‑scale mobile projects.
This article describes a workflow for automatically recommending precise test cases for each code change in Android MR pipelines by building and optimizing activity‑method call chains using static analysis, linking test cases to changed methods, and demonstrating significant efficiency gains in large‑scale mobile development.
This article compiles a series of curated technical write‑ups covering enterprise Node.js foundations, type‑safe Node.js frameworks, complex system architecture, cross‑platform solution analysis, front‑end engineering efficiency, collaborative online document design, VSCode performance, decorator usage, CSS static analysis, and JavaScript memory‑leak prevention.
This tutorial walks you through installing and using SonarLint for on‑the‑fly code smell detection, setting up SonarQube as a centralized quality platform, configuring Maven integration, and leveraging Alibaba's coding standards to quantify and improve software quality.
This article introduces SonarLint and SonarQube, explains how to install and configure them, demonstrates code analysis and rule customization, shows integration with Maven via the sonar‑maven‑plugin, and highlights Alibaba's coding standards as a practical example of improving software quality.
This document outlines a detailed testing strategy for the Cloud Classroom mobile app, covering security, static code analysis, performance, compatibility, and overall quality assurance to ensure stable functionality and a positive user experience.
This article presents a white‑box, unit‑test‑driven approach for automatically generating C/C++ test cases that detect and recall runtime stability issues, detailing problem analysis, solution design, code‑analysis, test‑data generation, code generation, failure analysis, and deployment results across large‑scale backend modules.
This article explains the fundamentals of abstract syntax trees, Java AST analysis with Spoon, the principles of static application security testing and taint analysis, and demonstrates how to use CodeQL to detect unsafe Fastjson usage and Spring web path bindings in a CI/CD pipeline.
This guide walks you through installing and using SonarLint for on‑the‑fly code smell detection, setting up SonarQube as a centralized quality platform, integrating it with Maven via the sonar‑maven‑plugin, and applying Alibaba's coding standards to achieve measurable improvements in code health.
This article introduces the importance of source code security scanning in CI/CD pipelines, explains static application security testing (SAST), compares major commercial and open-source Java analysis tools, and presents the selection criteria and conclusions that guided 58 Group's Java white-box scanning solution.
This article explains why and when to scan product code for vulnerabilities, describes static source‑code and binary scanning methods, introduces deep code‑search techniques and a real‑time Sphinx‑based indexing architecture, and shows how these practices can significantly raise overall product quality.
A developer recounts a five‑day debugging saga where a new lock‑free network queue caused intermittent core dumps, ultimately traced to differing GCC optimization behaviors, and shares practical lessons on bug attitude, reproduction, static analysis, and effective logging.
This article describes a Laravel‑based static analysis tool that automatically scans PHP files to detect missing namespace imports, unresolved class references, and undefined class constants, using regex and token_get_all, and integrates the checks into GitLab CI for early error prevention.
The MOMO Code Sec Inspector is an open‑source Java static analysis plugin for IntelliJ IDEA that detects security vulnerabilities such as XXE and MyBatis SQL injection during development and offers one‑click remediation, helping teams address risks early in the coding process.
This article explains the various software defect terms, their classifications, how faults are detected through testing while defects require static analysis, and outlines current challenges and future directions for automated detection and repair of both faults and defects.
This article examines the challenges of enforcing JavaScript coding standards in large‑scale frontend projects and presents EOS-JS, an AST‑driven static analysis tool that offers modular scanning, automatic fixes, multi‑scenario rule sets, seamless CI integration, and visualized data reporting to improve code quality and maintainability.
This article explains how EOS‑JS, a plugin‑based static analysis tool, uses AST pattern matching to enforce JavaScript coding standards across large front‑end teams, offering automatic fixes, multi‑scenario rule sets, seamless integration, and visualized data statistics to improve code quality and maintenance efficiency.
The article introduces EOS‑JS, a plugin‑driven JavaScript static analysis platform that leverages AST pattern matching to detect, suggest fixes, and automatically repair code‑style violations across large‑scale frontend projects, detailing its architecture, core modules, dynamic configuration, automation, and data‑visualization capabilities.
JetBrains Qodana brings IDE‑level static analysis into CI/CD pipelines, offering Docker images, GitHub Actions, TeamCity plugins, and cloud services to detect errors, security flaws, and code smells for PHP, Java, and Kotlin projects, with easy setup and web‑based reports.
This article presents a comprehensive approach to automatically generate unit tests for C/C++ backend services, leveraging static code analysis, white‑box techniques, and fuzzing to create high‑coverage test cases that proactively detect stability issues without manual effort.
This article reviews seven popular static code analysis tools, outlining why static analysis matters, each tool's key features, drawbacks, supported languages, and pricing to help developers choose the right solution for improving code quality and security.
This article explains the concept, requirements, tool selection criteria, comparative analysis of Sonar, Infer and TscanCode, and practical integration steps—including CI pipeline, Jenkins, and project‑management linkage—to demonstrate how static code scanning can be effectively deployed and measured in a production environment.
This guide walks you through setting up SonarLint in IntelliJ IDEA, configuring the SonarQube server and project, and using the tool to automatically detect coding standards violations, potential bugs, complexity issues, duplication, and comment problems before committing code.
This guide explains how to set up and use static analysis tools SwiftLint, Infer, and OCLint for iOS projects, covering installation methods, Xcode integration, custom configuration, report generation, and a comparative overview to help choose the right solution.
This article introduces static code analysis, outlines its advantages and disadvantages, presents eight typical scanning rule categories, and demonstrates common pitfalls such as null‑pointer dereferences, logic errors, uninitialized variables, and potential overflow issues with concrete code examples.
When using SpotBugs' Gradle plugin in a Java project, you may encounter "Cannot compile Groovy files" errors, which can be fixed by adding a Groovy SDK through the IDE's project structure settings.
This article explains what code quality means, outlines its essential characteristics, discusses how to measure it with metrics and coverage, and introduces static analysis tools such as Checkstyle, PMD, and CPD to help Java developers maintain reliable, maintainable, and secure code.
This article describes a practical workflow for static testing Java and Groovy code with SpotBugs in IntelliJ, including dependency setup, bug detection, clear versus suppress options, and the syntax for applying @SuppressFBWarnings annotations in both languages.
This article details the evolution of front‑end asset‑loss (资损) prevention at Alibaba, from manual pre‑play rehearsals to productized solutions such as front‑back reconciliation, AST‑based static code scanning with Babel, and record‑playback UI test scanning, highlighting challenges, implementations, and future directions.
The article reviews the transition from Jenkins‑based FindBugs scanning to local IntelliJ plugins, evaluates outdated FindBugs‑IDEA and QAPlug‑FindBugs, and recommends SpotBugs for accurate Java static analysis, sharing installation links, usage notes, and scan results.
The article explores how AI and machine learning are reshaping front‑end development, covering React 17's new JSX transform, Alibaba's AI‑driven front‑end initiatives, graphics programming showcases, AI knowledge‑graph resources, ML‑based static code analysis, and AntV's visualization tools.
This article introduces Android Lint as a static analysis tool, explains its rule categories—Correctness, Performance, Internationalization, and Security—shows how to customize lint.xml, demonstrates integration with Jenkins for automated checks, and shares result analysis and typical integration pitfalls.
This article presents a comprehensive set of guidelines for writing clean, maintainable, and efficient Bash/Shell scripts, covering shebang usage, comments, parameter validation, variable handling, indentation, naming, encoding, permissions, logging, security, parallel execution, and tooling such as ShellCheck.
This article explains the concept, goals, and implementation of Precise Testing at NetEase Yanxuan, detailing its bidirectional tracing, lifecycle integration, platform architecture, code analysis techniques, breakthroughs with JaCoCo, and future directions for usability, precision, and intelligence.
This article details Youzan Retail's mobile continuous integration and delivery system, covering the background, challenges, architecture, packaging, distribution, compile and static checks, local Git hooks, code review workflow, messaging, and future improvements to streamline weekly releases for mobile teams.
Learn how to enforce Python coding standards by using Flake8 for local static analysis and pre-commit hooks for Git integration, covering installation, configuration, and practical usage to automatically detect style violations, syntax errors, and complexity issues before committing code.
A PLDI'20 study of open‑source Rust projects shows that while Rust’s safe code effectively prevents most memory errors, many bugs still stem from unsafe blocks, and even safe code can suffer thread‑safety issues, highlighting the need for better tooling and developer awareness.
Facebook’s open‑source Pysa tool statically scans Python code to detect data‑flow vulnerabilities, XSS and SQL‑injection risks, leveraging Pyre and Zoncolan techniques, achieving rapid analysis of millions of lines and uncovering 44% of Instagram’s security flaws in early 2020.
This article compiles practical shell‑script coding standards—covering shebang usage, commenting, parameter validation, variable handling, indentation, naming, encoding, logging, security, modular design, parallel execution, and static analysis with shellcheck—to help developers write readable, maintainable, and performant Bash scripts.
This article explains how to perform static analysis of Android APK files with Python, covering environment preparation, unpacking the APK, extracting basic metadata, analyzing classes and methods using the Androguard library, and generating a method call graph for deeper reverse‑engineering insights.
This article explains how PHP_CodeSniffer parses PHP source code into tokens using lexical analysis, demonstrates token extraction with token_get_all, and guides readers through creating a custom rule to prohibit hash‑style comments, covering rule library setup, Sniff implementation, and execution.
This article describes the design, implementation, and operational strategy of a comprehensive code‑metrics platform that standardizes coding standards, automates quality checks, and drives data‑guided improvements across multiple development teams, ultimately enhancing code reliability, maintainability, and CI/CD flow.
This guide explains how to set up SonarLint in IntelliJ IDEA, covering the seven quality dimensions Sonar checks, required prerequisites, plugin installation, server configuration, project selection, and visual verification of the integration within the IDE.
This article explains how to embed static application security testing (SAST) into a DevSecOps CI/CD pipeline by defining five essential checkpoints—pre‑commit, commit‑time, build‑time, test‑time, and deployment—covering purpose, benefits, handling false positives, result merging, custom rule sets, and automation strategies.
The article details how a Go middleware QA team generates unit‑test coverage with go test and gocov, runs static analysis via golangci‑lint, integrates results into SonarQube, captures integration‑test coverage in Kubernetes, and applies diff‑cover for incremental coverage checks, all visualized through Jenkins.
This guide explains SonarQube's architecture, shows how to deploy it with Docker, and details configuration steps including forced login, LDAP integration, and GitLab authentication, providing code snippets and screenshots for a complete DevOps quality‑management setup.
An overview of eleven essential open-source and commercial tools—including SonarQube, Kritika, DeepScan, Klocwork, CodeSonar, JArchitect, Bandit, Code Climate, Crucible, Fortify, and Codecov—that help developers analyze code quality, detect security vulnerabilities, and integrate seamlessly into CI/CD pipelines across multiple programming languages.
This article explains the motivation, design, implementation, and deployment of a Kotlin static‑analysis IDE plugin that provides real‑time code‑style checks for Android developers, covering tool exploration, AST/PSI parsing, rule creation, architecture layers, and practical installation steps.
