{"id":13401594,"url":"https://github.com/pmd/pmd","last_synced_at":"2025-09-09T20:52:38.878Z","repository":{"id":37444669,"uuid":"4992906","full_name":"pmd/pmd","owner":"pmd","description":"An extensible multilanguage static code analyzer.","archived":false,"fork":false,"pushed_at":"2025-09-01T04:31:03.000Z","size":535708,"stargazers_count":5190,"open_issues_count":642,"forks_count":1528,"subscribers_count":136,"default_branch":"main","last_synced_at":"2025-09-01T06:50:56.507Z","etag":null,"topics":["apex","code-analysis","code-quality","hacktoberfest","java","linter","plsql","static-analysis","static-code-analysis","swift"],"latest_commit_sha":null,"homepage":"https://pmd.github.io","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pmd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"code_of_conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"pmd","open_collective":"pmd"}},"created_at":"2012-07-11T18:03:00.000Z","updated_at":"2025-08-28T12:15:42.000Z","dependencies_parsed_at":"2023-09-23T07:06:23.842Z","dependency_job_id":"b6664dce-2c6e-40b7-8c44-6c9ba9d2424c","html_url":"https://github.com/pmd/pmd","commit_stats":{"total_commits":23725,"total_committers":432,"mean_commits":54.91898148148148,"dds":0.764172813487882,"last_synced_commit":"3ed370f61d0579e33cf50852c2c59eeb9e94ae34"},"previous_names":[],"tags_count":134,"template":false,"template_full_name":null,"purl":"pkg:github/pmd/pmd","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmd%2Fpmd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmd%2Fpmd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmd%2Fpmd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmd%2Fpmd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pmd","download_url":"https://codeload.github.com/pmd/pmd/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmd%2Fpmd/sbom","scorecard":{"id":287892,"data":{"date":"2025-08-11","repo":{"name":"github.com/pmd/pmd","commit":"485db23ef0419385a0aa4ea075066fb001973f9d"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.9,"checks":[{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":5,"reason":"Found 6/12 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":0,"reason":"dangerous workflow patterns detected","details":["Warn: untrusted code checkout '${{ github.event.workflow_run.head_branch }}': .github/workflows/publish-release.yml:625","Warn: untrusted code checkout '${{ github.event.workflow_run.head_branch }}': .github/workflows/publish-release.yml:34","Warn: untrusted code checkout '${{ github.event.workflow_run.head_branch }}': .github/workflows/publish-release.yml:88"],"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Warn: branch 'main' does not require approvers","Warn: codeowners review is not required on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build.yml:19"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/publish-snapshot.yml:414","Warn: no topLevel permission defined: .github/workflows/build-pr.yml:1","Warn: no topLevel permission defined: .github/workflows/build-release.yml:1","Warn: no topLevel permission defined: .github/workflows/build-snapshot.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/build.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/git-repo-sync.yml:13","Info: found token with 'none' permissions: .github/workflows/publish-pull-requests.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/publish-release.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/publish-snapshot.yml:12"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Signed-Releases","score":8,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: signed release artifact: pmd-dist-7.17.0-SNAPSHOT-bin.zip.asc: https://github.com/pmd/pmd/releases/tag/pmd_releases/7.17.0-SNAPSHOT","Info: signed release artifact: pmd-dist-7.16.0-bin.zip.asc: https://github.com/pmd/pmd/releases/tag/pmd_releases/7.16.0","Info: signed release artifact: pmd-dist-7.15.0-bin.zip.asc: https://github.com/pmd/pmd/releases/tag/pmd_releases/7.15.0","Info: signed release artifact: pmd-dist-7.14.0-bin.zip.asc: https://github.com/pmd/pmd/releases/tag/pmd_releases/7.14.0","Info: signed release artifact: pmd-dist-7.13.0-bin.zip.asc: https://github.com/pmd/pmd/releases/tag/pmd_releases/7.13.0","Warn: release artifact pmd_releases/7.17.0-SNAPSHOT does not have provenance: https://api.github.com/repos/pmd/pmd/releases/236495404","Warn: release artifact pmd_releases/7.16.0 does not have provenance: https://api.github.com/repos/pmd/pmd/releases/235084217","Warn: release artifact pmd_releases/7.15.0 does not have provenance: https://api.github.com/repos/pmd/pmd/releases/228354836","Warn: release artifact pmd_releases/7.14.0 does not have provenance: https://api.github.com/repos/pmd/pmd/releases/222134327","Warn: release artifact pmd_releases/7.13.0 does not have provenance: https://api.github.com/repos/pmd/pmd/releases/214725224"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Pinned-Dependencies","score":9,"reason":"dependency not pinned by hash detected -- score normalized to 9","details":["Warn: containerImage not pinned by hash: docs/Dockerfile:1: pin your Docker image by updating ruby:2.4.2 to ruby:2.4.2@sha256:7271d0cd55da37b6f28924c9452871d77e828c4d38ef3438cfc179388209e51f","Info:  80 out of  80 GitHub-owned GitHubAction dependencies pinned","Info:   5 out of   5 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":10,"reason":"SAST tool detected","details":["Info: SAST configuration detected: Sonar","Warn: 0 commits out of 28 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T17:38:17.424Z","repository_id":37444669,"created_at":"2025-08-17T17:38:17.424Z","updated_at":"2025-08-17T17:38:17.424Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274359998,"owners_count":25270896,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-09T02:00:10.223Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apex","code-analysis","code-quality","hacktoberfest","java","linter","plsql","static-analysis","static-code-analysis","swift"],"created_at":"2024-07-30T19:01:04.511Z","updated_at":"2025-10-14T12:09:55.753Z","avatar_url":"https://github.com/pmd.png","language":"Java","funding_links":["https://github.com/sponsors/pmd","https://opencollective.com/pmd","https://opencollective.com/pmd/contribute"],"categories":["Java","Android","Projects","项目","Tool","静态分析","V. Tools for developing","四、测试与代码质量","Solutions","Code Analysis"],"sub_categories":["Tools","Code Analysis","代码分析","Common Utils/Code Quality","4. Code Analysis","2. 代码质量分析"],"readme":"# PMD - source code analyzer\n\n![PMD Logo](https://raw.githubusercontent.com/pmd/pmd/main/docs/images/logo/pmd-logo-300px.png)\n\n[![Join the chat](https://img.shields.io/gitter/room/pmd/pmd)](https://app.gitter.im/#/room/#pmd_pmd:gitter.im?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)\n[![Build Snapshot](https://github.com/pmd/pmd/actions/workflows/build-snapshot.yml/badge.svg?branch=main)](https://github.com/pmd/pmd/actions/workflows/build-snapshot.yml)\n[![Maven Central](https://maven-badges.herokuapp.com/maven-central/net.sourceforge.pmd/pmd/badge.svg)](https://maven-badges.herokuapp.com/maven-central/net.sourceforge.pmd/pmd)\n[![Reproducible Builds](https://img.shields.io/badge/Reproducible_Builds-ok-green?labelColor=blue)](https://github.com/jvm-repo-rebuild/reproducible-central/tree/master/content/net/sourceforge/pmd#readme)\n[![Coverage Status](https://coveralls.io/repos/github/pmd/pmd/badge.svg?branch=main\u0026v=1)](https://coveralls.io/github/pmd/pmd?branch=main)\n[![Codacy Badge](https://app.codacy.com/project/badge/Grade/ea550046a02344ec850553476c4aa2ca)](https://app.codacy.com/organizations/gh/pmd/dashboard)\n[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](code_of_conduct.md) \n[![Documentation (latest)](https://img.shields.io/badge/docs-latest-green)](https://docs.pmd-code.org/latest/)\n[![Gurubase](https://img.shields.io/badge/Gurubase-Ask%20PMD%20Guru-006BFF)](https://gurubase.io/g/pmd)\n[![Docker Image Version](https://img.shields.io/docker/v/pmdcode/pmd?sort=semver\u0026label=Docker)](https://hub.docker.com/r/pmdcode/pmd)\n\n**PMD** is an extensible multilanguage static code analyzer. It finds common programming flaws like unused variables,\nempty catch blocks, unnecessary object creation, and so forth. It's mainly concerned with **Java and\nApex**, but **supports 16 other languages**. It comes with **400+ built-in rules**. It can be\nextended with custom rules. It uses JavaCC and Antlr to parse source files into abstract syntax trees\n(AST) and runs rules against them to find violations. Rules can be written in Java or using a XPath query.\n\nCurrently, PMD supports Java, JavaScript, Salesforce.com Apex and Visualforce,\nKotlin, Swift, Modelica, PL/SQL, Apache Velocity, JSP, WSDL, Maven POM, HTML, XML and XSL.\nScala is supported, but there are currently no Scala rules available.\n\nAdditionally, it includes **CPD**, the copy-paste-detector. CPD finds duplicated code in\nCoco, C/C++, C#, CSS, Dart, Fortran, Gherkin, Go, Groovy, HTML, Java, JavaScript, JSP, Julia, Kotlin,\nLua, Matlab, Modelica, Objective-C, Perl, PHP, PL/SQL, Python, Ruby, Salesforce.com Apex and\nVisualforce, Scala, Swift, T-SQL, Typescript, Apache Velocity, WSDL, XML and XSL.\n\n## 🚀 Installation and Usage\n\nDownload the latest binary zip from the [releases](https://github.com/pmd/pmd/releases/latest)\nand extract it somewhere.\n\nExecute `bin/pmd check` or `bin\\pmd.bat check`.\n\nSee also [Getting Started](https://docs.pmd-code.org/latest/pmd_userdocs_installation.html)\n\n**Demo:**\n\nThis shows how PMD analyses [openjdk](https://github.com/openjdk/jdk):\n\n![Demo](docs/images/userdocs/pmd-demo.gif)\n\nThere are plugins for Maven and Gradle as well as for various IDEs.\nSee [Tools / Integrations](https://docs.pmd-code.org/latest/pmd_userdocs_tools.html)\n\n## ℹ️ How to get support?\n\n*   How do I? -- Ask a question on [StackOverflow](https://stackoverflow.com/questions/tagged/pmd)\n    or on [discussions](https://github.com/pmd/pmd/discussions).\n*   I got this error, why? -- Ask a question on [StackOverflow](https://stackoverflow.com/questions/tagged/pmd)\n    or on [discussions](https://github.com/pmd/pmd/discussions).\n*   I got this error and I'm sure it's a bug -- file an [issue](https://github.com/pmd/pmd/issues).\n*   I have an idea/request/question -- create a new [discussion](https://github.com/pmd/pmd/discussions).\n*   I have a quick question -- ask in our [Gitter room](https://app.gitter.im/#/room/#pmd_pmd:gitter.im)\n    or our [PMD Guru at Gurubase](https://gurubase.io/g/pmd).\n*   Where's your documentation? -- \u003chttps://docs.pmd-code.org/latest/\u003e\n\n## 🤝 Contributing\n\nPull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.\n\nOur latest source of PMD can be found on [GitHub](https://github.com/pmd/pmd). Fork us!\n\nFor details, see [How to contribute to PMD](https://docs.pmd-code.org/latest/pmd_devdocs_contributing.html).\n\nThe rule designer is developed over at [pmd/pmd-designer](https://github.com/pmd/pmd-designer).\nPlease see [its README](https://github.com/pmd/pmd-designer#contributing) for\ndeveloper documentation.\n\n## 💵 Financial Contributors\n\nBecome a financial contributor and help us sustain our community. [Contribute](https://opencollective.com/pmd/contribute)\n\n## ✨ Contributors\n\nThis project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification.\nContributions of any kind welcome!\n\nSee [credits](docs/pages/pmd/projectdocs/credits.md) for the complete list.\n\n## 📝 License\n\n[BSD Style](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpmd%2Fpmd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpmd%2Fpmd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpmd%2Fpmd/lists"}