Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
core more findbugs Mar 24, 2016
maven-plugin-it added multiple parsers and maven plugin Mar 15, 2016
.gitignore Add eclipse and maven files to .gitignore Jul 28, 2013 readme Jul 20, 2015
ideas.txt more findbugs Mar 24, 2016
pom.xml added multiple parsers and maven plugin Mar 15, 2016


BUGBY (from "Bug by example") is a new approach to static code analysis for Java. Static code analysis has been arround for several years now. Tools like Findbugs or PMD exist for a while and they found their important audience within the Java developers community.

Findbugs has around 400 bug definitions and PMD around 350. So it's like saying that out of the infinite possibilities to write Java code, out of the billions of billions of lines of Java code written around the world, only less than 800 combinations exist that can lead to bugs, all the rest are perfectly safe!

My believe is that the number of bug definitions must be much, much higher than 800. It's true that not everybody uses tools for static code analysis (I don't have a real statistics here). But the probable reason that the number of existing bug definitions is so low is that it's quite hard to write new rules using these tools.

The teams should invest in these rules like they do in unit tests. But the cool thing about these rules is that once they apply to a project, they actually apply to all the projects written with the same libraries. So it's like writing unit tests for future code (even more powerful than TDD!)

Have a look for example at this Findbugs definition source or this PMD definition source. Of course there are shorter definitions that you can find in their repositories. PMD even introduced a XPATH-like language, that this becomes also quite complex for more difficult rules.

As their scope sometimes overlaps, it's quite unclear if you need both Findbugs or PMD or in which situation you should use one or the other. But in fact it's quite easy to figure this out if you know how the two tools do thier job. Findbugs uses bytecode access, so it can detect bugs when more classes are involved. But it's very hard to write complex rules. PMD uses the code's AST, but it's harder to detect bugs involving more than one class.

Bugby uses Java code itself to define the patterns, almost like copying and pasting the code that contains the bug's definition. This way you can define very complex patterns without learning a new language, nor having to play with the hard-to-understand binary code API used by Findbugs.

What you need to learn is a dozen of annotations and a dozen of constructions that will help you to create powerful patterns that will not yield false positives.

In case the available wildcards are not enough, more advanced user can still create new wildcards using the standard Java Compiler Tree API.

Some Examples

Here is an example that corresponds to PMD: Don't call thread run. This pattern also detects cases when the threads comes from a method call or from a collection or a field, which the PMD rule does not.

public class DontCallThreadRun {
	public void someCode() {

Here is another one where in PMD the XPath language cannot express the rule:

public class DoubleCheckedLocking {
	SomeType field;

	public SomeType method() {
		if (field == null) { // someField may be non-null yet not fully created
			synchronized (this) {
				if (field == null) {
					field = someValue();
		return field;

Here is a rule that corresponds to the Findbugs rule EQ_COMPARETO_USE_OBJECT_EQUALS:

public class CompareToUseObjectEquals implements Comparable<Object> {
	public int compareTo(Object obj) {
		return someIntValue();

	public boolean equals(Object obj) {
		return someBooleanValue();

The Plan

Here's the list of what Bugby intends to offer:

  • Rich wildcard and pattern API
  • The definition of more than 90% of existing Findbugs and PMD rules written using the API
  • A Maven plugin to easily execute the rules on an existing project
  • A mechanism to easily provide new rules along with a Maven library

The plan is to provide all this by the end of 2015.

Once this is done, you should normally safely replace your Findbugs and PMD rules with Bugby rules. And then start adding new rules like creating future-proof unit tests.

Read below details about these ideas.

Adding rules using Maven dependency mechanism

Some of the rules provided by PMD or Findbugs refer to JUnit for example. If you don't use JUnit, what's the point of running those rules?

One goal is to easly include rules defined by third-party, like any other artifacts.

The idea is to provide a way to have rules specific to a Maven library that will detect at compile time misusage of this library. When compiling a project, the Bugby Maven plugin will put together all the default rules and also the rules coming from used libraries.


If you believe this project may fit your current or future needs drop me an email at You're more than welcome if you can help with the development of this tool!

You can’t perform that action at this time.