RealTime IT News

Find Bugs in Your Java For Free

Finding bugs in your Java source code is now easier than ever thanks to the Java Open Review Project (JOR), a joint effort by the FindBugs open source project and security vendor Fortify.

So far the JOR initiative, which provides free code analysis and audits for the open source community, has analyzed 10 of the most popular open source Java applications and it's got plans to analyze a lot more.

Fortify's Secure Code Analysis helps by looking for security flaws that FindBugs does not. Fortify began sponsoring the FindBugs project earlier this year.

The first 10 projects JOR analyzed were Azureus, Lucene, Solr, WebGoat, Zimbra, Hyperic, Nutch, Tomcat, Roller and Java Petstore 2.0. The results of the review are available online, where project administrators can drill down to see what bugs JOR has found.

Common defects discovered by the JOR scanning have included null pointer dereferences, which can crash an application, and a number of cross-site scripting (XSS) vulnerabilities.
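As an added illustration of those two defect classes (this is example code written for this page, not code from the article or from any of the scanned projects), here is a null dereference of the kind FindBugs' data-flow analysis reports, and an XSS sink of the kind Fortify's scanner reports, each beside its fix. The class and method names, and the sample header map and attacker payload, are made up for the example:

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Two defect classes, each shown buggy and then fixed.
 * Added illustration; hypothetical names throughout.
 */
public class JorExamples {

    // --- 1. Null pointer dereference ------------------------------------

    // Buggy: Map.get returns null for a missing key. The code notices that,
    // logs it, and then dereferences the value anyway. A static analyzer
    // sees the null-guarded path flow straight into value.length().
    static int headerLengthBuggy(Map<String, String> headers, String name) {
        String value = headers.get(name);
        if (value == null) {
            System.err.println("missing header: " + name);
        }
        return value.length(); // NullPointerException when the header is absent
    }

    // Fixed: the null path returns before the dereference.
    static int headerLength(Map<String, String> headers, String name) {
        String value = headers.get(name);
        if (value == null) {
            return 0;
        }
        return value.length();
    }

    // --- 2. Cross-site scripting ---------------------------------------

    // Buggy: an untrusted request parameter is pasted into HTML verbatim,
    // so "<script>" in the parameter becomes script in the victim's browser.
    static String greetingBuggy(String userName) {
        return "<p>Hello, " + userName + "</p>";
    }

    // Fixed: escape the HTML metacharacters before the value reaches the page.
    static String greeting(String userName) {
        return "<p>Hello, " + escapeHtml(userName) + "</p>";
    }

    // Minimal HTML text/attribute escaper for the five significant characters.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: one present header, one absent.
        Map<String, String> headers = new HashMap<>();
        headers.put("Host", "example.org");
        System.out.println(headerLength(headers, "Host"));      // 11
        System.out.println(headerLength(headers, "X-Missing")); // 0
        try {
            headerLengthBuggy(headers, "X-Missing");
        } catch (NullPointerException e) {
            System.out.println("buggy version threw NullPointerException");
        }

        // Constructed attacker input for the XSS case.
        String payload = "<script>alert(1)</script>";
        System.out.println(greetingBuggy(payload)); // script tag survives intact
        System.out.println(greeting(payload));      // &lt;script&gt;... is inert text
    }
}
```

Compile and run with `javac JorExamples.java && java JorExamples`. The null case is the "typo" class Pugh describes later in the article: the author clearly knew the value could be null, but the guard does not change control flow. The XSS case is the "misunderstood API" class: string concatenation into markup is not a safe output API, and the fix is to encode for the context (here, HTML body text) at the point of output.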

There are a number of reasons bugs find their way into Java code, and the use of IDEs may well be contributing to the bug count.

University of Maryland computer science Professor William Pugh runs the FindBugs project and noted that any open source project could take FindBugs and run it against their own code.

"It's still the case where there are a lot of projects that haven't bought into the idea that static analysis can actually help them find bugs," Pugh told internetnews.com. "So we want to make it as easy as possible for them to see the benefit."

Pugh explained that there are two types of mistakes that happen in Java coding.

"One of them is typo things where the coder knew what they wanted to do, they had the right idea but when they typed it they hit the wrong key or forgot something silly," Pugh said. "You also have cases where people don't understand how to handle a particular API."

The other, less obvious, item that may well be the cause of some mistakes is the IDE (integrated development environment) that coders are using.

Two of the most popular open source Java IDEs are Eclipse and Sun's NetBeans. According to Pugh, the JOR effort did not count errors based on the IDE used. But Pugh did admit that FindBugs has found a lot of bugs in both Eclipse and NetBeans.

"Sometimes I wonder whether some of the errors we find might be a result of auto-completion getting a little ahead of itself," Pugh said. "In a number of cases I suspect that is what happens."

That's not to say that the IDEs don't have their place. Both NetBeans and Eclipse have ongoing efforts for modules or plug-ins that help to improve code quality and error detection.

"IDEs have a huge amount of value," Pugh said. "I know programs with an IDE and I would never go back to using a text editor. But I don't think their primary value has to do with finding the sort of defects that we find."

Coders can submit their code for analysis to the JOR project through the project's online submission page.