Static analysis tools may find code smell. But sometimes some trivial smells are not detected. For instance when you compile with Java 6.0 or Eclipse 3.4, FindBugs v1.3.8 will not find anything suspicious in this method:
public String testStringBuilder( final String what, final int times ) { String result = ""; for ( int i = 0; i < times; i++ ) result += what; return result; }
But the SBSC_USE_STRINGBUFFER_CONCATENATION (Method concatenates strings using + in a loop) should be detected. Why it doesn't work? FindBugs works on bytecode, take a look at decompiled bytecode generated by Java 6 or Eclipse:
String result = ""; for(int i = 0; i < times; i++) result = (new StringBuilder(String.valueOf(result))).append(what).toString(); return result;
Bytecode generated from Java 5 is different (peculiar, why they did not used StringBuilder(String s) when it was present in Java 5?), FindBugs recognizes the pattern:
String s1 = ""; for(int j = 0; j < i; j++) s1 = (new StringBuilder()).append(s1).append(s).toString(); return s1;
A bug was reported.