What is code review in java

Code Review Best Practices

Ranga Karanam November 14, 2019 5 minutes

Code Review is one of the most important components in ensuring great Code Quality in your projects. How do you ensure that code reviews in your projects yield expected results?

You will learn

  • What is code review?
  • Why do you do code reviews?
  • When should you do a code review?
  • How can you become a good code reviewer?
  • What are the things to look for in a code review?
  • What are the code review best practices?

Article Series

This is the fifth article in a series of eight articles on Code Quality

Why Code Reviews

What could be the reason for doing a code review?

Remember that a code review is not a tool for finding fault with others' efforts.

Here are a couple of important goals:

  • A code review is done to add value to the system and the people in the team.
  • It also adds to a list of best practices that team members can follow.

Adding Value To The System

Code reviews add value to your system. The aim of a code review is to make the system more maintainable. Your aim is to check for bugs and for adherence to the functional and non-functional requirements: scalability, performance, security, and so on.

Adding Value To The People

Code reviews should be used as a way to enhance the knowledge of the developers involved and a way to spread the best practices.

Adding To Best Practices

An important step of code review should be to identify best practices. Common error patterns can be identified and documented.

When Should You Do Code Reviews?

Review As Early As Possible

It is preferable to do code reviews as early as possible.

Review with Normal Focus

Normal focus refers to the typical code review done during the course of a sprint for a run-of-the-mill user story.

Review with High Focus

There are times during development when peer reviews need to be done with high focus.

New Developers Joining In

A good example is when a new developer joins a team. A new developer takes time to get familiar and start implementing code that meets the team’s coding standards. An effort should be made to encourage them to learn from code reviews.

New Methodology Or Technology Implemented

When a new methodology is being adopted, or a new technology is being brought into the code base, it is important to have focused code reviews.

Building A Vertical Slice

In the initial stages of a project, you generally build a vertical slice. The vertical slice helps in solving the technical challenges early.

The vertical slice becomes a reference for the rest of the project, so it is important to have focused code reviews for it.

How To Do Code Reviews?

Encourage Pair Programming

Ideally, I would love to have pair programming reviews. A lot of times, it is much easier to refactor code almost immediately during the review, than at a later point in time.

Code Review Best Practices

Let’s quickly review a few other best practices related to code review.

Use Static Analysis Tools

Make use of static analysis tools such as SonarQube.

  • Check the components in code, their sizes, and their interactions with other components in the code.
  • Identify and look closely at certain types of code hot-spots, such as:
    • Large classes
    • Complex methods
    • Large components
    • Lots of dependencies
    • Uncovered code

Review JUnit Tests

Review the JUnit tests for complex methods and classes, and see how readable the code actually is.

JUnit tests are often a very good signal of the readability of code. If the code is difficult to test, the code is definitely difficult to understand.

Check Readability Of Code

Look at the readability of the code by focusing on the Four Principles Of Simple Design.

What do you look for in a code review?

There are various aspects to be considered while reviewing the code.

Review The Architecture

Have a look at various points, such as:

  • The choice of frameworks in the code base
  • The way the code components communicate with other systems
  • How testable the code is
  • The architecture of the components themselves
  • The extent of code reuse: are common components identified and abstracted away for use in other places?

Review The Design

Review the following aspects:

  • What is the nature of the interaction between the various classes? How loosely are the classes coupled, and what is the cohesion between them?
  • Have a look at the layer responsibilities, and see if the layers are clearly demarcated and do not overlap in functionality.
  • How well are the core object-oriented principles followed in the code design?
  • What is the nature of the unit tests? How easy or difficult is it to unit test the code under review?
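The two review questions above (whether the JUnit tests read well, and how easy the code is to unit test) can be shown on one small class. The following is an added example for this rewrite, not code from the original article; it assumes JUnit 5 on the test classpath, and the `Session` and `SessionBefore` class names are hypothetical. The "before" version reads the system clock directly, so the expiry boundary cannot be tested deterministically; the "after" version takes an injected `Clock`, and the resulting test doubles as a readable statement of the boundary rule.

```java
// Added example for this rewrite; not code from the original article.
// Assumes JUnit 5 (org.junit.jupiter) on the test classpath. Class names are hypothetical.
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Objects;

import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

/** Before: the expiry check reads the wall clock directly. A reviewer cannot pin down
 *  the boundary behaviour with a deterministic test, so the class is hard to test and,
 *  by the article's argument, hard to understand. */
class SessionBefore {
    private final Instant expiresAt;

    SessionBefore(Instant expiresAt) {
        this.expiresAt = expiresAt;
    }

    boolean isExpired() {
        return !Instant.now().isBefore(expiresAt); // hidden dependency on the current time
    }
}

/** After: the clock is injected. Production code passes Clock.systemUTC(); a test
 *  passes Clock.fixed(...) and can assert on the exact expiry instant. */
final class Session {
    private final Clock clock;
    private final Instant expiresAt;

    Session(Clock clock, Instant expiresAt) {
        this.clock = Objects.requireNonNull(clock, "clock");
        this.expiresAt = Objects.requireNonNull(expiresAt, "expiresAt");
    }

    /** A session is unusable from expiresAt onward (the boundary is inclusive). */
    boolean isExpired() {
        return !clock.instant().isBefore(expiresAt);
    }
}

/** The test doubles as documentation of the boundary rule a reviewer would ask about. */
class SessionTest {
    private static final Instant DEADLINE = Instant.parse("2024-01-01T00:00:00Z"); // constructed

    @Test
    void notExpiredOneSecondBeforeDeadline() {
        Clock fixed = Clock.fixed(DEADLINE.minusSeconds(1), ZoneOffset.UTC);
        assertFalse(new Session(fixed, DEADLINE).isExpired());
    }

    @Test
    void expiredExactlyAtDeadline() {
        Clock fixed = Clock.fixed(DEADLINE, ZoneOffset.UTC);
        assertTrue(new Session(fixed, DEADLINE).isExpired());
    }
}
```

The point for the reviewer is that the second test could not be written against `SessionBefore` at all: the question "is the deadline itself expired or not?" only becomes answerable once the dependency on time is made explicit in the constructor.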

Review The Code

  • Make sure the code follows the Four Principles Of Simple Design
  • Ensure the code gets the basics right

  • How does the code handle important security concerns?
  • How well are the unit tests written, and are they readable?
  • Are language-specific standards being adhered to? In Java, for example, each language construct has a specific purpose.

For example, enums are preferred to strings wherever possible, which makes the code more readable.
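To make the enum-versus-string point concrete, here is an added example for this rewrite (not code from the original article); the `AccessCheck`, `AccessCheckBefore` and `Role` names are hypothetical. With a free-form string, a misspelled role compiles cleanly and is silently treated as "not admin", and every comparison site has to agree on spelling and casing. With an enum, the set of roles is closed, the `switch` shows the reviewer every case, and unknown input is rejected once, at the parsing boundary.

```java
// Added example for this rewrite; not code from the original article. Class and role
// names are hypothetical. Runnable as a single file: java AccessCheck.java
import java.util.Locale;
import java.util.Optional;

final class AccessCheck {
    /** After: the role is an enum, so the set of roles is closed and spelled once. */
    static boolean canDeleteUsers(Role role) {
        // Switching over an enum lets the compiler and the reviewer see every case.
        switch (role) {
            case ADMIN:
                return true;
            case AUDITOR:
            case USER:
                return false;
            default:
                throw new IllegalStateException("unhandled role: " + role);
        }
    }

    public static void main(String[] args) {
        // The string version accepts a typo and quietly treats it as a non-admin role.
        System.out.println("string, typo 'adimn': " + AccessCheckBefore.canDeleteUsers("adimn"));
        // The enum version rejects the typo at the parsing boundary instead.
        System.out.println("enum, typo 'adimn':   " + Role.parse("adimn").map(AccessCheck::canDeleteUsers));
        System.out.println("enum, 'admin':        " + Role.parse("admin").map(AccessCheck::canDeleteUsers));
    }
}

/** Before: roles are free-form strings. Typos and unexpected values compile fine, and
 *  every comparison site has to agree on spelling and casing. */
final class AccessCheckBefore {
    static boolean canDeleteUsers(String role) {
        if (role.equals("admin")) return true;
        if (role.equals("Admin")) return true; // a casing "fix" that crept in later
        return false;
    }
}

enum Role {
    ADMIN, AUDITOR, USER;

    /** Parses external input. Unknown or missing values are rejected explicitly rather
     *  than being mapped to some default role. */
    static Optional<Role> parse(String raw) {
        if (raw == null) {
            return Optional.empty();
        }
        try {
            return Optional.of(Role.valueOf(raw.trim().toUpperCase(Locale.ROOT)));
        } catch (IllegalArgumentException unknown) {
            return Optional.empty();
        }
    }
}
```

The `parse` method returning `Optional` rather than a default role is the security-relevant design choice: the caller is forced to decide what to do with unrecognised input instead of inheriting a guess.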

Review Engineering Practices

The quality of code in an application depends greatly on the kind of engineering practices followed in the team. You can check:

  • How often the code is committed
  • How often builds are broken
  • The entire continuous integration process

Summary

In this article, we had a good overview of code review best practices for a team or organization. The core principle behind doing code reviews is to add value: to the system, to the people involved, and to the best practices as a whole.

7 best Java code review tools for developers

It’s been more than 25 years since Java was created, but it is still one of the most popular languages for modern software development. The language’s demand stems from the platform being easy to learn with an extensive collection of APIs. With so many development teams still recognizing these benefits and selecting Java, there’s a pressing need for powerful Java review tools to ensure secure Java code.

Automated code reviews can improve the quality of software significantly, while also bolstering its resistance to security threats. In addition, static code reviewers can augment manual peer reviews to create a robust process for streamlining code optimization. Check out our set of best practices for your code review process.

Top 7 Java code review tools

While there are many Java code review tools available, we chose the list of tools below because they’re open source, easy to use, and are compatible with Java applications. With that in mind, here are seven Java code review tools that deliver on these critical benefits:

1. JArchitect

JArchitect, a static Java source code analysis tool, evaluates Java code for complexity. It offers features such as code querying, enabling custom code, technical debt evaluations to identify the cost of fixing – or risk of not fixing – an error, and pass/fail quality gates. The tool also provides standard metrics and statistical analysis of the code.

In addition to those features, JArchitect can also identify code metrics like cyclomatic complexity (number of possible execution paths), source code lines, afferent (incoming) and efferent (outgoing) coupling, nesting, and depth. The software generates reports that help proactively guard against unplanned code errors.
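Cyclomatic complexity is the metric reviewers most often quote from tools like this, so it helps to see what the number actually counts. The following is an added example for this rewrite, not code from JArchitect or the original article: a small text-based approximation of McCabe's metric for one Java method body. It counts decision points (`if`, `for`, `while`, `case`, `catch`, `&&`, `||`, `?`) after stripping comments and string literals, and adds one for the straight-line path. The `SAMPLE` method body is constructed; real tools work on the syntax tree rather than on text, and the limitations are noted in the comments.

```java
// Added example for this rewrite; not code from JArchitect or the original article.
// A small, approximate cyclomatic-complexity counter for one Java method body.
import java.util.regex.Matcher;
import java.util.regex.Pattern;

final class CyclomaticComplexity {
    /** Decision points: each keyword/operator below opens one more path through the method. */
    private static final Pattern DECISION = Pattern.compile(
            "\\b(if|for|while|case|catch)\\b|&&|\\|\\||\\?");

    /** Comments and string literals, removed first so a keyword inside them is not counted.
     *  Limitation: a "//" inside a string literal confuses this simple pattern. */
    private static final Pattern NOISE = Pattern.compile(
            "//[^\\n]*|/\\*.*?\\*/|\"(\\\\.|[^\"\\\\])*\"", Pattern.DOTALL);

    /** McCabe's metric: number of decision points plus one for the straight-line path.
     *  The '?' pattern also matches a generic wildcard such as List<?>, which overcounts
     *  slightly; a real tool works on the AST rather than on text. */
    static int of(String methodBody) {
        String code = NOISE.matcher(methodBody).replaceAll(" ");
        Matcher m = DECISION.matcher(code);
        int decisions = 0;
        while (m.find()) {
            decisions++;
        }
        return decisions + 1;
    }

    /** Constructed sample method body. The comment inside it mentions "if" and "&&"
     *  on purpose: they must not be counted. */
    static final String SAMPLE =
            "int score = 0;\n"
            + "for (Item it : items) {\n"
            + "    if (it.isValid() && it.price > 0) { // an if with && inside\n"
            + "        score += it.price > 100 ? 2 : 1;\n"
            + "    } else if (it.isValid()) {\n"
            + "        score--;\n"
            + "    }\n"
            + "}\n"
            + "return score;\n";

    public static void main(String[] args) {
        System.out.println("cyclomatic complexity of SAMPLE: " + of(SAMPLE));
    }
}
```

For `SAMPLE` the counter finds five decision points (`for`, `if`, `&&`, `?`, and the `else if`) and reports 6. A method in the teens or higher is the kind of "complex method" hot-spot the first article says to review closely, because every additional path is another case the unit tests have to cover.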

2. PMD

PMD is a free, open source, static code reviewer available through GitHub. This Java review tool evaluates the integrity of the source code. It reports common mistakes that reduce the code’s efficiency, such as duplicate or unneeded code sections or variables and unnecessary objects. PMD can also detect hard-coded IP addresses or passwords that could compromise security.

Eliminating duplicate code within the Java application allows the code to run faster and offers a secondary check for manual reviewers who may have added redundant code sections. That’s why the tool also has a copy-paste detector called CPD that supports Java, Python, MATLAB, Fortran, C, C++, and C#, among others.
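The hard-coded IP address and password findings mentioned above are the ones most worth acting on in review, so here is an added example for this rewrite (not code from PMD or the original article) showing the pattern the rules flag beside a corrected form. All values are constructed placeholders; the `DbConfig` and `DbConfigBefore` class names and the `DB_*` environment variable names are hypothetical. The corrected version reads settings from the deployment environment, fails at startup if one is missing, and never echoes the secret.

```java
// Added example for this rewrite; not code from PMD or the original article.
// The credential, host and environment values below are constructed placeholders.
// Requires Java 11+ (String.isBlank, Map.of). Runnable as: java DbConfig.java --demo
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;

/** After: settings come from the deployment environment and are validated once at startup. */
final class DbConfig {
    final String user;
    final char[] password;
    final String host;

    private DbConfig(String user, char[] password, String host) {
        this.user = Objects.requireNonNull(user);
        this.password = Objects.requireNonNull(password);
        this.host = Objects.requireNonNull(host);
    }

    /** Takes a Map rather than calling System.getenv() directly, so a test can pass a
     *  constructed environment. */
    static DbConfig fromEnv(Map<String, String> env) {
        return new DbConfig(require(env, "DB_USER"),
                            require(env, "DB_PASSWORD").toCharArray(),
                            require(env, "DB_HOST"));
    }

    private static String require(Map<String, String> env, String key) {
        String value = env.get(key);
        if (value == null || value.isBlank()) {
            // Fail fast, and name only the key: never echo a setting's value into logs.
            throw new IllegalStateException("missing required setting: " + key);
        }
        return value;
    }

    /** Overwrite the secret once it has been handed to the connection pool. */
    void clearPassword() {
        Arrays.fill(password, '\0');
    }

    public static void main(String[] args) {
        // "--demo" uses a constructed environment; otherwise the real process environment is read.
        Map<String, String> env = args.length > 0 && args[0].equals("--demo")
                ? Map.of("DB_USER", "app", "DB_PASSWORD", "PLACEHOLDER", "DB_HOST", "db.internal.example")
                : System.getenv();
        DbConfig cfg = DbConfig.fromEnv(env);
        System.out.println("configured " + cfg.user + "@" + cfg.host
                + " (password length " + cfg.password.length + ", value not printed)");
        cfg.clearPassword();
    }
}

/** Before: the kind of code a hard-coded-secret or hard-coded-IP rule flags. The values
 *  land in source control and in every copy of the jar, and rotating them needs a release. */
final class DbConfigBefore {
    static final String DB_USER = "app";
    static final String DB_PASSWORD = "PLACEHOLDER-not-a-real-secret"; // flagged in review
    static final String DB_HOST = "10.0.0.5";                           // hard-coded address
}
```

For the address constant, PMD's `AvoidUsingHardCodedIP` rule (in its errorprone category) is the check to enable; a reviewer seeing either constant should also ask whether the value has already been committed to history, since removing it from the current revision does not remove it from the repository.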

3. FindBugs/SpotBugs

Another free and open source Java code review tool is FindBugs. Also a static analyzer, this tool scans the code to find defects (or "bugs"), inconsistencies, or security threats in suspicious code sections. FindBugs identifies inconsistencies as warnings, allowing the developer the discretion to review the messages and determine whether they need to take corrective action. Developers can action the warning messages in this Java code review tool either individually or in batches. FindBugs requires JRE 1.7.0 or later to run and analyzes any version of Java from 1.0 to 1.8.

SpotBugs is the next generation of FindBugs. Like the original, SpotBugs calls out warnings and developers can choose if they want to action them. SpotBugs lists both performance issues and Java code defects in the warnings section; as a result, not all warnings need to be changed. However, the tool does rank warnings into four categories to aid developers in their decision-making: "of concern," "troubling," "scary," and "scariest."

4. Checkstyle

Checkstyle is another free, open source tool to check Java source code. The tool locates class design incompatibility, method design issues, and code layout and formatting mistakes. Checkstyle is found on Sourceforge and requires Java 1.8 to function. It is not backward compatible with older versions of Java.

To mitigate the limitations of a single code checking tool, Checkstyle is often combined with FindBugs and PMD for a more robust Java code review process.

5. SonarLint

SonarLint is another free open source Java code review tool that checks the code against standards to evaluate the code quality. This analyzer is adept at locating security vulnerabilities and provides reports to show duplicate code, complexity, and comparison with code standards. SonarQube is also versatile, offering compatibility with 26 programming languages other than Java.

SonarLint offers advanced user interface dashboards for ease of use and maintains records of code review analyses so developers can improve their Java code quality continuously.

6. Graudit

The Graudit code review tool supports Java and other languages like Python, Perl, .NET, C, and PHP. It provides script and signature sets to help developers locate potential security vulnerabilities within Java code. In addition, the tool incorporates an extensive database of known flaws for comparison with the source code and calls out a positive match when the source code matches a database pattern. Graudit is found on GitHub and is maintained and updated regularly for maximum impact.

Graudit offers the ability for a user to add their own database for analysis against the source code and to compare multiple source code files at a time or just a single one. It is portable and flexible, offering a friendly user experience and lower technical and computational requirements than many other tools. This flexibility allows Graudit to run on most systems.

7. Snyk

Snyk Code is a novel static Java code review tool that statically analyzes Java source code for security vulnerabilities while the developer codes. This tool performs automated secure code reviews rapidly and reduces false positives in the process.

Snyk’s Static Application Security Test (SAST) tool is more efficient than other tools and uses semantic analysis to find more vulnerabilities sooner to accelerate code development. This enables development teams to shift security left without compromising on speed. Snyk also offers a free pricing option for teams looking to quickly and easily get started with SAST.

Austin-based biotechnology company Natera found that other SAST tools were limited by lengthy scan times and poor accuracy. Snyk Code, however, is designed to deliver efficient and actionable suggestions for vulnerability fixes as developers write code in their native interface prior to deployment.

“It was an easy decision to make. We looked at a few other tools, and I couldn’t find anything that gave us the same sort of scanning unless we had deployed or were in pre-deployment. There was just nothing that I could compare it to.”

Charlotte Townsley, Natera, Director, Security Engineering

Secure Java code as you develop

Find and fix security issues in your application code in real time during the development process.
