This document describes each static analysis tool integrated into the Clean Code plugin, the rules it detects, and how each rule maps to a Clean Code heuristic. Every finding preserves provenance: the tool field identifies the source and ruleRef names the specific rule.
For full heuristic descriptions see HEURISTICS.md.
Checkstyle enforces coding conventions and formatting. The plugin bundles a default configuration if the project has none.
Tool version: 10.21.4
| Rule | Heuristic | Severity | Confidence | Documentation |
|---|---|---|---|---|
| AnonInnerLength | G30 | WARNING | MEDIUM | link |
| AvoidStarImport | J1 | WARNING | HIGH | link |
| EmptyBlock | G4 | WARNING | HIGH | link |
| EmptyLineSeparator | G10 | WARNING | MEDIUM | link |
| FileLength | Ch10.1 | WARNING | MEDIUM | link |
| FinalLocalVariable | G22 | WARNING | HIGH | link |
| HideUtilityClassConstructor | G18 | WARNING | HIGH | link |
| IllegalImport | G12 | WARNING | HIGH | link |
| InterfaceIsType | J2 | WARNING | HIGH | link |
| LeftCurly | G24 | WARNING | HIGH | link |
| LineLength | G24 | INFO | HIGH | link |
| LocalVariableName | N1 | WARNING | MEDIUM | link |
| MagicNumber | G25 | WARNING | HIGH | link |
| MethodLength | G30 | WARNING | MEDIUM | link |
| MethodName | N1 | WARNING | MEDIUM | link |
| NeedBraces | G24 | WARNING | MEDIUM | link |
| OneTopLevelClass | G12 | WARNING | HIGH | link |
| ParameterNumber | F1 | WARNING | HIGH | link |
| RedundantImport | G12 | INFO | HIGH | link |
| RightCurly | G24 | WARNING | HIGH | link |
| SimplifyBooleanExpression | G28 | WARNING | HIGH | link |
| SimplifyBooleanReturn | G28 | WARNING | HIGH | link |
| TypeName | N1 | WARNING | MEDIUM | link |
| UnusedImports | G12 | INFO | HIGH | link |
| VisibilityModifier | G8 | WARNING | MEDIUM | link |
| WhitespaceAround | G24 | WARNING | HIGH | link |
PMD detects common programming flaws including dead code, empty blocks, overcomplicated expressions, and coding style issues.
Tool version: 7.9.0
| Rule | Heuristic | Severity | Confidence | Documentation |
|---|---|---|---|---|
| AvoidConstantsInterface | J2 | WARNING | HIGH | link |
| AvoidReassigningParameters | G22 | WARNING | HIGH | link |
| CloseResource | G4 | WARNING | MEDIUM | link |
| CommentedOutCodeLine | C5 | WARNING | HIGH | link |
| CouplingBetweenObjects | G8 | WARNING | MEDIUM | link |
| CyclomaticComplexity | G30 | WARNING | MEDIUM | link |
| DataClass | G17 | INFO | LOW | link |
| EmptyCatchBlock | G4 | ERROR | HIGH | link |
| EmptyIfStmt | G12 | WARNING | HIGH | link |
| ExcessiveMethodLength | G30 | WARNING | MEDIUM | link |
| ExcessivePublicCount | G8 | WARNING | HIGH | link |
| GodClass | G8 | ERROR | MEDIUM | link |
| LooseCoupling | G8 | WARNING | MEDIUM | link |
| NPathComplexity | G30 | WARNING | MEDIUM | link |
| SwitchStmtsShouldHaveDefault | G23 | INFO | MEDIUM | link |
| TooManyFields | G8 | WARNING | MEDIUM | link |
| TooManyMethods | G8 | WARNING | MEDIUM | link |
| UnusedImports | G12 | INFO | HIGH | link |
| UnusedLocalVariable | G9 | INFO | HIGH | link |
| UnusedPrivateMethod | F4 | WARNING | HIGH | link |
| UseLocaleWithCaseConversions | G26 | WARNING | HIGH | link |
SpotBugs performs bytecode analysis to find bug patterns, null pointer risks, and concurrency issues.
Tool version: 4.9.3
| Bug Pattern | Heuristic | Severity | Confidence | Documentation |
|---|---|---|---|---|
| BAD_PRACTICE/BC_UNCONFIRMED_CAST | G4 | WARNING | HIGH | link |
| BAD_PRACTICE/CT_CONSTRUCTOR_THROW | G4 | WARNING | MEDIUM | link |
| BAD_PRACTICE/DE_MIGHT_IGNORE | G4 | ERROR | HIGH | link |
| BAD_PRACTICE/DM_DEFAULT_ENCODING | G26 | WARNING | HIGH | link |
| BAD_PRACTICE/EQ_COMPARETO_USE_OBJECT_EQUALS | G11 | WARNING | HIGH | link |
| BAD_PRACTICE/ES_COMPARING_STRINGS_WITH_EQ | G26 | WARNING | HIGH | link |
| BAD_PRACTICE/HE_EQUALS_NO_HASHCODE | G11 | WARNING | HIGH | link |
| BAD_PRACTICE/NP_NULL_PARAM_DEREF | Ch7.2 | ERROR | HIGH | link |
| BAD_PRACTICE/OS_OPEN_STREAM | G4 | WARNING | HIGH | link |
| BAD_PRACTICE/RV_RETURN_VALUE_IGNORED_BAD_PRACTICE | G4 | WARNING | HIGH | link |
| BAD_PRACTICE/ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD | G18 | WARNING | HIGH | link |
| CORRECTNESS/NP_ALWAYS_NULL | Ch7.2 | ERROR | HIGH | link |
| CORRECTNESS/NP_NULL_ON_SOME_PATH | Ch7.2 | ERROR | HIGH | link |
| CORRECTNESS/RE_BAD_SYNTAX_FOR_REGULAR_EXPRESSION | G4 | ERROR | HIGH | link |
| CORRECTNESS/RV_RETURN_VALUE_IGNORED | G4 | WARNING | HIGH | link |
| MALICIOUS_CODE/EI_EXPOSE_REP | G8 | WARNING | HIGH | link |
| MALICIOUS_CODE/EI_EXPOSE_REP2 | G8 | WARNING | HIGH | link |
| MALICIOUS_CODE/MS_MUTABLE_ARRAY | G8 | WARNING | HIGH | link |
| MALICIOUS_CODE/MS_MUTABLE_COLLECTION_PKGPROTECT | G8 | WARNING | HIGH | link |
| MALICIOUS_CODE/MS_SHOULD_BE_FINAL | G22 | WARNING | HIGH | link |
| PERFORMANCE/DM_BOXED_PRIMITIVE_FOR_COMPARE | G26 | INFO | HIGH | link |
| PERFORMANCE/DM_NUMBER_CTOR | G26 | INFO | HIGH | link |
| PERFORMANCE/SIC_INNER_SHOULD_BE_STATIC | G18 | WARNING | HIGH | link |
| PERFORMANCE/SS_SHOULD_BE_STATIC | G18 | WARNING | MEDIUM | link |
| PERFORMANCE/UUF_UNUSED_FIELD | G9 | INFO | HIGH | link |
| PERFORMANCE/WMI_WRONG_MAP_ITERATOR | G30 | INFO | HIGH | link |
| STYLE/BC_UNCONFIRMED_CAST_OF_RETURN_VALUE | G4 | WARNING | MEDIUM | link |
| STYLE/DB_DUPLICATE_BRANCHES | G5 | WARNING | HIGH | link |
| STYLE/DLS_DEAD_LOCAL_STORE | G9 | INFO | HIGH | link |
| STYLE/EQ_DOESNT_OVERRIDE_EQUALS | G11 | WARNING | HIGH | link |
| STYLE/NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE | Ch7.2 | WARNING | HIGH | link |
| STYLE/RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE | Ch7.2 | WARNING | HIGH | link |
| STYLE/RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE | Ch7.2 | ERROR | HIGH | link |
| STYLE/SF_SWITCH_NO_DEFAULT | G23 | INFO | MEDIUM | link |
| STYLE/UC_USELESS_CONDITION | G9 | WARNING | HIGH | link |
| STYLE/URF_UNREAD_FIELD | G9 | INFO | HIGH | link |
Category fallback: Any CORRECTNESS bug not listed above maps to G4 at ERROR severity.
CPD detects duplicated code blocks using token-based analysis.
Tool version: 7.9.0 (bundled with PMD)
| Detection | Heuristic | Severity | Confidence |
|---|---|---|---|
| Token-based duplication | G5 | INFO (below threshold), WARNING (above) | HIGH |
Configurable via cleanCode.thresholds.cpdMinimumTokens (default: 50).
JaCoCo measures test coverage at the line and branch level.
Tool version: 0.8.12
| Detection | Heuristic | Severity | Confidence |
|---|---|---|---|
| Overall line coverage below threshold | T1 | ERROR (< 50%), INFO (>= 50%) | HIGH |
| Per-class coverage gaps | T8 | WARNING | MEDIUM |
| JaCoCo report present | T2 | INFO | HIGH |
Parses JUnit XML test results from build/test-results/test/. Despite the name, this adapter reads Gradle's JUnit XML output (same format as Maven Surefire).
| Detection | Heuristic | Severity | Confidence |
|---|---|---|---|
| Skipped test | T3 | INFO | HIGH |
| Slow test (> 5s) | T9 | WARNING | HIGH |
| Very slow test (> 30s) | T9 | ERROR | HIGH |
| High skip percentage (> 10%) | T3 | WARNING | HIGH |
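The thresholds in the table above, applied to a JUnit XML report. This is an added example, not the plugin's own adapter code. The finding shape, the sample report, and the choices to compute the skip percentage over the whole report and to ignore the duration of skipped tests are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the JUnit XML layout Gradle writes; not real build output.
SAMPLE_REPORT = """<testsuite name="com.example.OrderServiceTest" tests="5" skipped="1" failures="0" errors="0" time="42.300">
  <testcase name="createsOrder" classname="com.example.OrderServiceTest" time="0.012"/>
  <testcase name="rejectsEmptyCart" classname="com.example.OrderServiceTest" time="0.0"><skipped/></testcase>
  <testcase name="reconcilesLedger" classname="com.example.OrderServiceTest" time="6.250"/>
  <testcase name="replaysFullHistory" classname="com.example.OrderServiceTest" time="31.800"/>
  <testcase name="boundaryFiveSeconds" classname="com.example.OrderServiceTest" time="5.000"/>
</testsuite>"""

SLOW_SECONDS = 5.0        # "Slow test (> 5s)"
VERY_SLOW_SECONDS = 30.0  # "Very slow test (> 30s)"
MAX_SKIP_RATIO = 0.10     # "High skip percentage (> 10%)"


def finding(heuristic, severity, subject, detail):
    # Hypothetical finding shape; the plugin's real fields are not shown on the page.
    return {"heuristic": heuristic, "severity": severity, "confidence": "HIGH",
            "subject": subject, "detail": detail}


def classify(report_xml):
    root = ET.fromstring(report_xml)
    # A report may be a single <testsuite> or a <testsuites> wrapper.
    suites = [root] if root.tag == "testsuite" else root.findall("testsuite")
    findings, total, skipped = [], 0, 0
    for suite in suites:
        for case in suite.findall("testcase"):
            total += 1
            name = f"{case.get('classname')}.{case.get('name')}"
            if case.find("skipped") is not None:
                skipped += 1
                findings.append(finding("T3", "INFO", name, "skipped test"))
                continue  # assumption: a skipped test's duration is not assessed
            seconds = float(case.get("time") or 0.0)
            if seconds > VERY_SLOW_SECONDS:
                findings.append(finding("T9", "ERROR", name, f"very slow: {seconds:.1f}s"))
            elif seconds > SLOW_SECONDS:
                findings.append(finding("T9", "WARNING", name, f"slow: {seconds:.1f}s"))
    # Assumption: the skip percentage is computed over every test in the report.
    if total and skipped / total > MAX_SKIP_RATIO:
        findings.append(finding("T3", "WARNING", "report", f"{skipped}/{total} tests skipped"))
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_REPORT):
        print(f["severity"], f["heuristic"], f["subject"], f["detail"])
```

Both time thresholds are strict, so a test that takes exactly 5 seconds produces no finding.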
gradle-versions-plugin reports outdated dependencies. This is an opt-in source: the plugin checks for the dependencyUpdates task at configuration time and wires it into analyseCleanCode only if present.
| Detection | Heuristic | Severity | Confidence |
|---|---|---|---|
| Outdated dependency | E1 | INFO | HIGH |
40 custom OpenRewrite ScanningRecipe implementations that detect Clean Code patterns via AST analysis.
Tool version: 8.40.2
Important: Requires JDK 21. See README.md for details.
See HEURISTICS.md for the full list of recipes and which heuristic each detects. Recipes are configurable via cleanCode.thresholds and individually disableable via cleanCode.disabledRecipes.
Uses the Claude API to assess source files for subjective Clean Code heuristics that require semantic understanding beyond what static analysis can detect. This is an opt-in source: it only runs when the ANTHROPIC_API_KEY environment variable is set.
Default model: claude-sonnet-4-6
Confidence: Always LOW — LLM assessments are non-deterministic and advisory.
| Code | Heuristic | What Claude assesses |
|---|---|---|
| C2 | Obsolete Comment | Comments that no longer match the code they describe |
| G6 | Code at Wrong Level of Abstraction | Methods or fields that belong in a different class |
| G7 | Base Classes Depending on Derivatives | Base classes that import or reference subclasses |
| G13 | Artificial Coupling | Classes coupled for no structural reason |
| G15 | Selector Arguments | Boolean/enum/string params that select behaviour |
| G20 | Function Names Should Say What They Do | Methods whose names don't communicate intent |
| G31 | Hidden Temporal Couplings | Operations that must be called in order but don't enforce it |
| N4 | Unambiguous Names | Names that could refer to multiple things |
```kotlin
cleanCode {
    claudeReview {
        enabled.set(true)                 // default: true (gated on API key)
        model.set("claude-sonnet-4-6")    // default
        maxFilesPerRun.set(50)            // default — caps API usage per build
        minFileLines.set(10)              // default — skip trivial files
        codes.set(listOf("G6", "G7", "G13", "G15", "G20", "G31", "C2", "N4"))
        excludePatterns.set(listOf("**/generated/**"))
    }
}
```

Results are cached by SHA-256 of file content + enabled codes in build/claude-review-cache/. Unchanged files skip the API call entirely. Run ./gradlew clean to clear the cache.
Each finding includes tool: "claude-review" and metadata.model identifying which Claude model produced it.