Scripts · May 29, 2026 · 1 min read

PMD — Extensible Multilanguage Static Code Analyzer

An extensible static code analyzer that finds common programming flaws like unused variables, empty catch blocks, and unnecessary object creation in Java, Kotlin, Apex, and more.


Introduction

PMD scans source code to find common programming flaws such as unused variables, empty catch blocks, unnecessary object creation, and overly complex methods. It supports Java, Kotlin, Swift, Apex, Visualforce, XML, and several other languages through a pluggable language module system.

What PMD Does

  • Detects code smells, potential bugs, and dead code across multiple languages
  • Includes the Copy/Paste Detector (CPD) for finding duplicated code blocks
  • Ships with hundreds of built-in rules organized by category
  • Supports custom rules written in Java or defined via XPath expressions
  • Produces reports in XML, HTML, CSV, SARIF, and text formats

Architecture Overview

PMD parses source files into language-specific ASTs using JavaCC-based parsers. Each rule is a visitor that traverses the AST and reports violations. Rules can also be written as XPath expressions that query the AST directly. The CPD module tokenizes source files and uses a suffix-tree algorithm to detect duplicate sequences. A unified CLI orchestrates file discovery, language detection, and rule execution.

Self-Hosting & Configuration

  • Download the binary distribution from GitHub releases or install via Homebrew
  • Integrate with Maven using the maven-pmd-plugin or Gradle using the built-in PMD plugin
  • Create a custom ruleset XML file referencing individual rules or entire categories
  • Use suppression annotations (@SuppressWarnings("PMD.RuleName")) for acceptable violations
  • Configure CPD minimum token count to control duplicate detection sensitivity

Key Features

  • Multilanguage support: Java, Kotlin, Swift, Apex, JavaScript, XML, and more
  • Built-in Copy/Paste Detector (CPD) for finding duplicated code across the codebase
  • XPath-based custom rules that require no Java coding
  • Incremental analysis mode that caches results for unchanged files
  • SARIF output for GitHub code scanning and IDE integration

Comparison with Similar Tools

  • Checkstyle — enforces formatting and naming conventions; PMD focuses on code smells and bug patterns
  • SpotBugs — analyzes compiled bytecode; PMD works on source code and supports multiple languages
  • Error Prone — catches bugs at Java compile time; PMD runs as a separate analysis step with broader language coverage
  • SonarQube — a full platform with history and dashboards; PMD is a lightweight CLI tool

FAQ

Q: What languages does PMD support? A: Java, Kotlin, Swift, Apex, Visualforce, JavaScript, XML, XSL, Modelica, and PLSQL, with more available through community plugins.

Q: How do I find duplicated code with PMD? A: Use the CPD command: pmd cpd --minimum-tokens 100 --dir src/ --language java. It reports all code blocks with at least 100 matching tokens.

Q: Can I write rules without Java code? A: Yes. PMD supports XPath-based rules that query the AST using XPath expressions defined in a ruleset XML file.

Q: How do I integrate PMD with GitHub Actions? A: Run PMD with SARIF output (-f sarif) and upload the results with the github/codeql-action/upload-sarif action.
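A CI gate over the SARIF report mentioned above, as an added example that is not part of the original page or PMD's own code: it resolves each result's level (falling back to the rule's default, then to "warning", as SARIF 2.1.0 defines) and fails when any finding reaches a threshold. The sample report, its file paths, and the function names findings and gate are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample: a minimal SARIF 2.1.0 log shaped like a static-analysis report.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "PMD", "rules": [
            {"id": "EmptyCatchBlock", "defaultConfiguration": {"level": "error"}},
            {"id": "UnusedLocalVariable"},
        ]}},
        "results": [
            {"ruleId": "EmptyCatchBlock", "message": {"text": "Avoid empty catch blocks"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Auth.java"}, "region": {"startLine": 42}}}]},
            {"ruleId": "UnusedLocalVariable", "level": "note", "message": {"text": "Unused 'tmp'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Util.java"}, "region": {"startLine": 7}}}]},
            {"ruleId": "UnusedLocalVariable", "message": {"text": "Unused 'i'"}, "locations": []},
        ],
    }],
})

SEVERITY = {"none": 0, "note": 1, "warning": 2, "error": 3}

def findings(sarif_text):
    """Yield (level, rule_id, uri, line) for every result in every run."""
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level") for r in rules}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "<unknown>")
            # An omitted result level falls back to the rule default, then "warning".
            level = res.get("level") or defaults.get(rule_id) or "warning"
            # Results without a location must still be counted, not dropped.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<no location>")
            line = loc.get("region", {}).get("startLine")
            yield level, rule_id, uri, line

def gate(sarif_text, fail_at="error"):
    """Return (passed, per-rule counts); passed is False if any finding reaches fail_at."""
    items = list(findings(sarif_text))
    counts = Counter(rule_id for _, rule_id, _, _ in items)
    blocked = [f for f in items if SEVERITY.get(f[0], 2) >= SEVERITY[fail_at]]
    return not blocked, dict(counts)

if __name__ == "__main__":
    ok, counts = gate(SAMPLE_SARIF)
    print("PASS" if ok else "FAIL", counts)
```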
