I have recently discovered this nice Eclipse plugin here:

http://code.google.com/p/alvor/

It evaluates String, StringBuilder, StringBuffer, CharSequence and many other types passed to JDBC method for subsequent execution. It doesn’t do a bad job at this, even if it is in beta mode. The rate of false positives that I have experienced is around 20% for regular SQL statements, and 100% for stored procedure calls (which seem not to be supported). Checks include:

Syntax correctness

Semantics correctness

Object availability

It does so by

Comparing SQL against its own internal SQL grammar

Checking SQL statements against an actual database (provided a JDBC driver, JDBC URL, user, password)

This is extremely powerful, as it can find common bugs resulting from bad SQL string concatenation, misspelled table / column names, type mismatches, etc. With findbugs’ capabilities of analysing control flows, this could be made even better to detect even remote corner-cases or SQL passed to methods for the concatenation of sub-clauses and sub-selects. An example screenshot is given on their website:

Check out Alvor for yourself here:

http://code.google.com/p/alvor/

Note, I have also posted a request to the FindBugs mailing list here:

https://mailman.cs.umd.edu/pipermail/findbugs-discuss/2012-September/003634.html

Static SQL analysis of this sort would be a great addition to FindBugs. If you think so, too, please support my request on the FindBugs mailing list