RealTime IT News

FindBugs Finds Fortify

With over 200,000 downloads to date, the open source FindBugs project is already a reasonably popular Java bug-hunting tool, but it hasn't found its way into large enterprise deployments. Not yet anyway.

Thanks to a new sponsorship and bundling effort with Fortify Software, that may well be about to change.

The FindBugs project is run out of the University of Maryland by Professor William Pugh. Pugh explained to internetnews.com that the general idea behind FindBugs is to identify bug patterns in Java code, that is, the recurring mistakes developers make in their code.

Until recently, the FindBugs project had been a mostly academic effort. But last year, the Ph.D. student who was doing the development for the FindBugs project as part of a graduate thesis graduated.

Pugh was concerned about how to continue the project: there were likely few additional research-paper possibilities left in it, so it was unlikely that another student could pick up the work.

That's where Fortify comes in. Fortify is now going to sponsor the project as well as integrate FindBugs into its commercial product.

Fortify is a commercial software developer with its own source code analysis framework that looks for code vulnerabilities, among other flaws. Barmak Meftah, vice president of engineering and operations at Fortify, explained that the FindBugs project is a body of open source code that is completely aligned with what Fortify does.

"Our main objective is really for the good of the software development community out there," Meftah said. "Here's a piece of code that's been widely adopted; the install base is huge. Why not support and enhance it?"

Fortify is not contributing any source code or intellectual property to FindBugs. Fortify's enterprise user base is expected to be a ripe proving ground for FindBugs that Pugh hopes will yield much feedback that will help the project.

Pugh noted that the Fortify sponsorship gives FindBugs the support it needs to be a tool that continues to improve and be supported, as well as provides the ability to get feedback from more industrial-strength users.

"The thing that was interesting to us is how many really stupid bugs exist in production code," Pugh said.

Pugh said one of his favorite errors that FindBugs has detected is a method that, if it is ever invoked, invokes itself again in an infinite recursive loop.

"You find methods like this -- one-line methods that do nothing but call themselves -- and you wonder how this actually happened," Pugh said. "In Sun's JDK we found five of them. JBoss, WebSphere, Eclipse, they all have numerous examples of this particular bug."

Fortify's software will invoke FindBugs as a plug-in, which from a legal point of view is possible thanks to the LGPL (GNU Lesser General Public License) under which FindBugs is available.

The LGPL allows commercial software to be linked against an LGPL-licensed library, which is something that isn't always possible with the GPL.

"We definitely don't want to go to GPL because I think that's too limited to people that might want to do various things with it," Pugh explained. "If anything the discussion has been 'Do we want to move to a looser open source license?'"

Pugh wants more commercial usage of FindBugs, and that's where the GPL may present a problem.

"There are all sorts of issues that I don't entirely understand with the GPL about what happens with plug-ins," Pugh said. "Certainly we don't want people to think because they're using the FindBugs plug-in that they have to GPL-license their own code.

"We want to allow FindBugs to be used within commercial code-sourced tools."

FindBugs is expected to release its 1.0 version in a week or so, according to Pugh. The 1.0 version will mark a significant milestone for the project.

"The main thing is that we have now moved beyond the stage where this is an academic project," Pugh said. "I think that with 1.0 we can now say that this is something that is useful and has real support."