
Analyze Source Code Using PMD in FlexDeploy

PMD is a static source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. PMD supports languages such as XML, XSL, Apex, VM, JavaScript, JSP, Salesforce VisualForce, Maven POM, and Modelica. Source code analysis makes any remediation process faster and easier by pinpointing the exact location of vulnerabilities in program code. The detection isolates the bug, and helps you save time and money in fixing any problems.

In this blog, we’ll cover how to integrate PMD for Java, HTML, and PLSQL into your release pipelines in FlexDeploy. After a quick configuration, you’ll be ready to execute PMD scans as part of your pipeline in FlexDeploy.

Configure the PMD Scan in FlexDeploy

By default, PMD will be installed by FlexDeploy. If you want to work with a different version, download the PMD installation file. After installation, provide the path in the FlexDeploy configuration screen by going to Topology -> Environments -> Properties. Path configuration is optional if you choose the default PMD version installed by FlexDeploy.

Add a PMD Scan step to your build workflow. To include the PMD rules evaluation as part of your build process, open a workflow and add the PMD Scan step to it.

If you are sourcing files from SCM, insert the scan before the build step.

You can specify one or more custom rule files in the plugin configuration. This gives you full control over which checks are run against your code and eliminates a lot of manual review work. To use a default rule set instead, just select a language on the properties configuration screen.

Execute the PMD Scan

Execute the build manually or using the CI trigger. After the build execution completes, errors or non-compliant code from the to-be-deployed package are captured. Summary counts are displayed on the summary screen, detailed results are available on the Scan Results tab, and the original report generated by PMD is available on the Reports tab. This report can also be emailed to the desired audience.

The summary of the scan execution will show the count of Critical, High, and Medium results found.

View the complete scan results on the Scan Results tab. For each finding, the report lists the severity, a description of the issue, the rule that flagged it, and the class and line number where it was found.

You can view the full original report on the Reports tab, and download it from there as well.

Adding a quality gate to your pipeline takes automated action based on the results of a scan. For example, set the build to fail when critical issues are found, or according to whatever threshold level you choose.
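To make the summary counts and the quality-gate threshold concrete, here is an added example (not FlexDeploy's or PMD's own code) that parses a PMD XML report, rolls the findings up into the Critical/High/Medium buckets shown on the summary screen, and decides whether the build should fail. It assumes PMD's XML report format (namespace `http://pmd.sourceforge.net/report/2.0.0`, `<file>` and `<violation>` elements with a numeric `priority` attribute where 1 is most severe) and a hypothetical mapping of PMD priorities 1, 2 and 3 onto Critical, High and Medium; the sample report, the file names and the threshold values are constructed for the example.

```python
"""Summarise a PMD XML report and apply a quality-gate threshold.

Added example, not FlexDeploy's own code. Assumes PMD's XML report layout
(-f xml) and an assumed mapping of PMD priorities onto the Critical/High/
Medium buckets shown on the FlexDeploy summary screen.
"""
import xml.etree.ElementTree as ET
from collections import Counter

PMD_NS = {"pmd": "http://pmd.sourceforge.net/report/2.0.0"}

# Assumed mapping of PMD priority -> severity bucket. PMD priorities 4 and 5
# are left out of the summary by this example.
SEVERITY = {1: "Critical", 2: "High", 3: "Medium"}

# Constructed sample report in the shape PMD emits with "-f xml".
# File names, line numbers and messages are made up for the example.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<pmd xmlns="http://pmd.sourceforge.net/report/2.0.0" version="7.0.0" timestamp="2024-01-01T00:00:00.000">
  <file name="/src/com/example/Login.java">
    <violation beginline="42" endline="42" begincolumn="9" endcolumn="30" rule="HardCodedCryptoKey" ruleset="Security" package="com.example" class="Login" priority="1">Do not use hard coded encryption keys</violation>
    <violation beginline="57" endline="59" begincolumn="5" endcolumn="6" rule="EmptyCatchBlock" ruleset="Error Prone" package="com.example" class="Login" method="authenticate" priority="3">Avoid empty catch blocks</violation>
  </file>
  <file name="/src/com/example/Util.java">
    <violation beginline="10" endline="10" begincolumn="13" endcolumn="20" rule="UnusedLocalVariable" ruleset="Best Practices" package="com.example" class="Util" variable="tmp" priority="3">Avoid unused local variables such as 'tmp'.</violation>
    <violation beginline="23" endline="23" begincolumn="9" endcolumn="40" rule="AvoidPrintStackTrace" ruleset="Best Practices" package="com.example" class="Util" priority="2">Avoid printStackTrace(); use a logger call instead.</violation>
  </file>
</pmd>
"""


def parse_violations(report_xml):
    """Flatten a PMD XML report into a list of finding dicts (file, line, rule, priority, ...)."""
    root = ET.fromstring(report_xml)
    findings = []
    for file_el in root.findall("pmd:file", PMD_NS):
        for v in file_el.findall("pmd:violation", PMD_NS):
            findings.append({
                "file": file_el.get("name"),
                "line": int(v.get("beginline")),
                "rule": v.get("rule"),
                "ruleset": v.get("ruleset"),
                "priority": int(v.get("priority")),
                "message": (v.text or "").strip(),
            })
    return findings


def summarize(findings):
    """Count findings per severity bucket, always returning every bucket (zero when empty)."""
    counts = Counter(SEVERITY[f["priority"]] for f in findings if f["priority"] in SEVERITY)
    return {name: counts.get(name, 0) for name in SEVERITY.values()}


def quality_gate(summary, thresholds):
    """Compare the summary against per-bucket maximums.

    thresholds maps a bucket name to the highest count still allowed, e.g.
    {"Critical": 0} fails the build on any Critical finding. Returns
    (passed, reasons) where reasons lists every breached threshold.
    """
    reasons = [
        f"{bucket}: {summary.get(bucket, 0)} found, max {limit}"
        for bucket, limit in thresholds.items()
        if summary.get(bucket, 0) > limit
    ]
    return (not reasons, reasons)


if __name__ == "__main__":
    findings = parse_violations(SAMPLE_REPORT)
    for f in findings:
        print(f"{SEVERITY.get(f['priority'], 'Low'):8} {f['rule']:22} {f['file']}:{f['line']}")
    summary = summarize(findings)
    print("Summary:", summary)
    passed, reasons = quality_gate(summary, {"Critical": 0, "High": 2})
    print("Quality gate:", "PASSED" if passed else "FAILED", reasons)
```

Run the script as-is to see the per-finding listing, the summary counts and the gate decision; in a pipeline you would feed it the report PMD wrote for the build and turn a failed gate into a non-zero exit status so the build step fails, which is the behaviour the quality gate in FlexDeploy provides without any scripting.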

Conclusion

The PMD source code analysis toolset helps achieve and enforce industry best practices and makes your code more stable and less vulnerable from a security standpoint. You can seamlessly integrate PMD and other scanning tools into your CI/CD pipeline and drive the DevSecOps journey of your organization using FlexDeploy. This will help deliver high-quality code into production fast.
