Static Analysis tool recommendation for Java? [closed]

Being vaguely familiar with the Java world I was googling for a static analysis tool that would also was intelligent enough to fix the issues it finds. I ran at CodePro tool but, again, I’m new to the Java community and don’t know the vendors.

What tool can you recommend based on the criteria above?


FindBugs, PMD and Checkstyle are all excellent choices especially if you integrate them into your build process.

At my last company we also used Fortify to check for potential security problems. We were fortunate to have an enterprise license so I don’t know the cost involved.


How do I escape a string inside JavaScript code inside an onClick handler?

Maybe I’m just thinking about this too hard, but I’m having a problem figuring out what escaping to use on a string in some JavaScript code inside a link’s onClick handler. Example:

<a href="#" onclick="SelectSurveyItem('<%itemid%>', '<%itemname%>'); return false;">Select</a>

The <%itemid%> and <%itemname%> are where template substitution occurs. My problem is that the item name can contain any character, including single and double quotes. Currently, if it contains single quotes it breaks the JavaScript code.

My first thought was to use the template language’s function to JavaScript-escape the item name, which just escapes the quotes. That will not fix the case of the string containing double quotes which breaks the HTML of the link. How is this problem normally addressed? Do I need to HTML-escape the entire onClick handler?

If so, that would look really strange since the template language’s escape function for that would also HTMLify the parentheses, quotes, and semicolons…

This link is being generated for every result in a search results page, so creating a separate method inside a JavaScript tag is not possible, because I’d need to generate one per result.

Also, I’m using a templating engine that was home-grown at the company I work for, so toolkit-specific solutions will be of no use to me.


In JavaScript you can encode single quotes as “x27” and double quotes as “x22”. Therefore, with this method you can, once you’re inside the (double or single) quotes of a JavaScript string literal, use the x27 x22 with impunity without fear of any embedded quotes “breaking out” of your string.

xXX is for chars < 127, and uXXXX for Unicode, so armed with this knowledge you can create a robust JSEncode function for all characters that are out of the usual whitelist.

For example,

<a href="#" onclick="SelectSurveyItem('<% JSEncode(itemid) %>', '<% JSEncode(itemname) %>'); return false;">Select</a>

What is the best place to store a configuration file in a Java web application (WAR)?

I create a web application (WAR) and deploy it on Tomcat. In the webapp there is a page with a form where an administrator can enter some configuration data. I don’t want to store this data in an DBMS, but just in an XML file on the file system. Where to put it?

I would like to put the file somewhere in the directory tree where the application itself is deployed. Should my configuration file be in the WEB-INF directory? Or put it somewhere else?

And what is the Java code to use in a servlet to find the absolute path of the directory? Or can it be accessed with a relative path?


What we do is to put it in a separate directory on the server (you could use something like /config, /opt/config, /root/config, /home/username/config, or anything you want). When our servlets start up, they read the XML file, get a few things out of it (most importantly DB connection information), and that’s it.

I asked about why we did this once.

It would be nice to store everything in the DB, but obviously you can’t store DB connection information in the DB.

You could hardcode things in the code, but that’s ugly for many reasons. If the info ever has to change you have to rebuild the code and redeploy. If someone gets a copy of your code or your WAR file they would then get that information.

Putting things in the WAR file seems nice, but if you want to change things much it could be a bad idea. The problem is that if you have to change the information, then next time you redeploy it will overwrite the file so anything you didn’t remember to change in the version getting built into the WAR gets forgotten.

The file in a special place on the file system thing works quite well for us. It doesn’t have any big downsides. You know where it is, it’s stored seperatly, makes deploying to multiple machines easy if they all need different config values (since it’s not part of the WAR).

The only other solution I can think of that would work well would be keeping everything in the DB except the DB login info. That would come from Java system properties that are retrieved through the JVM. This the Preferences API thing mentioned by Hans Doggen above. I don’t think it was around when our application was first developed, if it was it wasn’t used.

As for the path for accessing the configuration file, it’s just a file on the filesystem. You don’t need to worry about the web path. So when your servlet starts up it just opens the file at “/config/myapp/config.xml” (or whatever) and it will find the right thing. Just hardcodeing the path in for this one seems pretty harmless to me.


How to check if a variable is loaded in JavaScript?

How do I see if a certain object has been loaded, and if not, how can it be loaded, like the following?

if (!isObjectLoaded(someVar)) {
    someVar= loadObject();


If it is an object then you should just be able to check to see if it is null or undefined and then load it if it is.

if (myObject === null || myObject === undefined) {
   myObject = loadObject();

Using the typeof function is also an option as it returns the type of the object provided. However, it will return null or undefined if the object has not been loaded so it might boil down a bit to personal preference in regards to readability.


How can I catch AWT thread exceptions in Java?

We’d like a trace in our application logs of these exceptions – by default Java just outputs them to the console.


There is a distinction between uncaught exceptions in the EDT and outside the EDT.

Another question has a solution for both but if you want just the EDT portion chewed up…

class AWTExceptionHandler {

  public void handle(Throwable t) {
    try {
      // insert your exception handling code here
      // or do nothing to make it go away
    } catch (Throwable t) {
      // don't let the exception get thrown out, will cause infinite looping!

  public static void registerExceptionHandler() {
    System.setProperty('sun.awt.exception.handler', AWTExceptionHandler.class.getName())
Source: stackoverflow
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Privacy Policy, and Copyright Policy. Content is available under CC BY-SA 3.0 unless otherwise noted. The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 © No Copyrights, All Questions are retrived from public domain..