by piokoch 1728 days ago
Phew, this at least spots some real issues (in some cases System.out.println can make a multi-threaded program get "synchronized" on console access).

At some point I came across a tool (I think it was WhiteSource) that was going through the GitHub page of each library used and was checking whether any bugs were reported.

Obviously very often there were totally bogus tickets, support requests created as bugs, rants as bugs, duplicates of already fixed tickets, etc., so investigating all that crap was really hard.

Another problem was licensing. There are a lot of libraries that have a dual license, e.g. GPL and CDDL; obviously the tool was panicking that GPL was used, not noticing that there was a second "business-friendly" license.

Those static analysis tools are not bad as a concept; however, the ratio of false positives to real issues found is too large to make them truly useful unless one can invest a lot of resources into tuning them.