Static code analysis examines an application without running it and reports information on the classes and methods in the program. In other words, the application is analyzed in its 'static' (non-running) form rather than dynamically. Static code analysis is usually a form of white-box testing that reports possible vulnerabilities in the source code. Static code analysis tools are able to find security flaws automatically and with a high degree of confidence (true positives), meaning that what is reported is indeed a flaw.
Many static code analysis tools have been integrated into IDEs such as Eclipse, IntelliJ, and Android Studio, so that security vulnerabilities can be detected during the software development phase, giving developers immediate feedback on issues they may be introducing while writing the code. Feedback at this early stage of development is far more efficient and beneficial than finding the same vulnerabilities late in the development cycle.
SpotBugs is built on the FindBugs static code analysis tool (which is also available as a plugin for IntelliJ). It is an open source static code analyzer that detects possible bugs in Java programs, and it is based on the concept of security vulnerability patterns. The tool gives the developer insight into the impact or severity of potentially vulnerable code. SpotBugs operates on Java bytecode rather than source code: it scans the bytecode for so-called bug patterns to find defects and suspicious code. Although SpotBugs, like FindBugs, needs the compiled class files, the code does not have to be executed for the analysis. This helps prevent potential security flaws from being executed and released in software, and it reinforces the security concepts developers need to write more secure code in the future.
However, security threats to Java programs are not static. They grow and evolve day by day, so security vulnerability detectors must also change and adapt to combat the ever-changing threat landscape. SpotBugs enables developers to respond to new potential security threats: they can design custom security vulnerability detectors and new detection rules in SpotBugs to increase the coverage of security vulnerability checks.
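As an added illustration of such a custom detector (example code written for this page, not part of SpotBugs or any existing plugin), the class below uses the SpotBugs `OpcodeStackDetector` API to scan bytecode for construction of `java.util.Random`, which is not a cryptographically secure random number generator, and reports each occurrence under the hypothetical bug pattern name `INSECURE_RANDOM`. The package name, class name and pattern name are assumptions; the detector also has to be declared in the plugin's `findbugs.xml` and described in `messages.xml` before SpotBugs will load it.

```java
package example.detectors; // hypothetical package name for this example

import edu.umd.cs.findbugs.BugInstance;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.Priorities;
import edu.umd.cs.findbugs.bcel.OpcodeStackDetector;
import org.apache.bcel.Const;

/**
 * Custom SpotBugs detector (added example) that flags every place where a
 * java.util.Random instance is created. SpotBugs calls sawOpcode() once for
 * each bytecode instruction of every method in the analyzed class files, so
 * no code from the analyzed application is ever executed.
 */
public class InsecureRandomDetector extends OpcodeStackDetector {

    // Hypothetical bug pattern type; must match the <BugPattern type="..."> entry
    // registered in the plugin's findbugs.xml and described in messages.xml.
    private static final String BUG_TYPE = "INSECURE_RANDOM";

    private final BugReporter bugReporter;

    // SpotBugs instantiates detectors reflectively with a BugReporter argument.
    public InsecureRandomDetector(BugReporter bugReporter) {
        this.bugReporter = bugReporter;
    }

    @Override
    public void sawOpcode(int seen) {
        // "new Random(...)" compiles to NEW java/util/Random followed by an
        // INVOKESPECIAL of its constructor; matching the INVOKESPECIAL catches
        // every constructor overload (no-arg and seeded) in one check.
        if (seen == Const.INVOKESPECIAL
                && "java/util/Random".equals(getClassConstantOperand())
                && "<init>".equals(getNameConstantOperand())) {
            bugReporter.reportBug(new BugInstance(this, BUG_TYPE, Priorities.NORMAL_PRIORITY)
                    .addClassAndMethod(this)   // class and method being visited
                    .addSourceLine(this));     // source line of the current opcode
        }
    }
}
```

Packaged as a plugin jar together with the two XML descriptors, the detector runs alongside the built-in SpotBugs patterns and its findings appear in the same report as any other bug pattern.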