I have recently discovered this nice Eclipse plugin here:
http://code.google.com/p/alvor/
It evaluates String, StringBuilder, StringBuffer, CharSequence and many other types passed to JDBC method for subsequent execution. It doesn’t do a bad job at this, even if it is in beta mode. The rate of false positives that I have experienced is around 20% for regular SQL statements, and 100% for stored procedure calls (which seem not to be supported). Checks include:
- Syntax correctness
- Semantics correctness
- Object availability
It does so by
- Comparing SQL against its own internal SQL grammar
- Checking SQL statements against an actual database (provided a JDBC driver, JDBC URL, user, password)
This is extremely powerful, as it can find common bugs resulting from bad SQL string concatenation, misspelled table / column names, type mismatches, etc. With findbugs’ capabilities of analysing control flows, this could be made even better to detect even remote corner-cases or SQL passed to methods for the concatenation of sub-clauses and sub-selects. An example screenshot is given on their website:
Check out Alvor for yourself here:
http://code.google.com/p/alvor/
Note, I have also posted a request to the FindBugs mailing list here:
https://mailman.cs.umd.edu/pipermail/findbugs-discuss/2012-September/003634.html
Static SQL analysis of this sort would be a great addition to FindBugs. If you think so, too, please support my request on the FindBugs mailing list
