Finding bugs in your Java source code is now easier than ever thanks to the Java
Open Review Project (JOR), a joint effort by the
FindBugs open source project and security vendor Fortify.
So far the JOR initiative, which provides free code analysis and audits for the open source community, has analyzed 10 of the most popular open
source Java applications and it’s got plans to analyze a lot more.
Fortify’s
Secure Code Analysis helps by looking for security flaws that FindBugs does not.
Fortify began sponsoring the FindBugs project earlier this year.
The first 10 projects JOR analyzed were Azureus, Lucene, Solr, WebGoat,
Zimbra, Hyperic, Nutch, Tomcat, Roller and Java Petstore 2.0. The results of the review are available online, where project administrators can drill down to
see what bugs JOR has found.
Common defects discovered by the JOR scanning have included null pointer dereferences,
which could potentially crash an application, and a number of cross-site
scripting vulnerabilities.
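The two defect classes named above, illustrated in Java as an added example (this is not code from the article, from FindBugs or from Fortify): a null pointer dereference on an absent request parameter, and reflected cross-site scripting from echoing untrusted input straight into HTML, each beside its corrected form. The `Map` of parameters stands in for a servlet request, the `escapeHtml` helper is hand-written for this example rather than taken from any library, and the sample inputs are constructed.

```java
import java.util.HashMap;
import java.util.Map;

public class JorDefectExamples {

    // --- Defect 1: null pointer dereference ---------------------------------
    // Vulnerable: the parameter may be absent, so get() returns null and
    // trim() throws NullPointerException at runtime. Static analysis flags
    // this because the null return of get() is never checked.
    static String greetUnsafe(Map<String, String> params) {
        String name = params.get("name");
        return "Hello, " + name.trim();
    }

    // Fixed: treat a missing or blank parameter as an explicit, handled case.
    static String greetSafe(Map<String, String> params) {
        String name = params.get("name");
        if (name == null || name.trim().isEmpty()) {
            name = "guest";
        }
        return "Hello, " + name.trim();
    }

    // --- Defect 2: reflected cross-site scripting -----------------------------
    // Vulnerable: untrusted input is concatenated directly into HTML, so any
    // markup in the input is interpreted by the browser.
    static String renderUnsafe(String name) {
        return "<p>Welcome " + name + "</p>";
    }

    // Fixed: encode the HTML-significant characters before output so the
    // input is rendered as text, not markup.
    static String renderSafe(String name) {
        return "<p>Welcome " + escapeHtml(name) + "</p>";
    }

    // Minimal HTML escaper written for this example (assumed helper, not a
    // library call); it covers the five characters that change HTML meaning.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample request in which the "name" parameter is missing.
        Map<String, String> noName = new HashMap<>();
        try {
            greetUnsafe(noName);
        } catch (NullPointerException e) {
            System.out.println("greetUnsafe: NullPointerException on missing parameter");
        }
        System.out.println("greetSafe:   " + greetSafe(noName));

        // Constructed sample input that contains markup.
        String markup = "<b>guest</b> & friends";
        System.out.println("renderUnsafe: " + renderUnsafe(markup));
        System.out.println("renderSafe:   " + renderSafe(markup));
    }
}
```

The null check and the output encoding are the two fixes a reviewer would expect after a static-analysis report of this kind; in a real servlet the encoder would normally come from an established library rather than being hand-written.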
There are a number of reasons bugs find their way into Java code, and
the use of IDEs may be contributing to the bug count.
University of Maryland computer science Professor William Pugh runs the FindBugs project and
noted that any open source project could take FindBugs and run it against
their own code.
“It’s still the case where there are a lot of projects that haven’t bought
into the idea that static analysis can actually help them find bugs,” Pugh
told internetnews.com. “So we want to make it as easy as possible
for them to see the benefit.”
Pugh explained that there are two types of mistakes that happen
in Java coding.
“One of them is typo things where the coder knew what they wanted to do, they
had the right idea but when they typed it they hit the wrong key or forgot
something silly,” Pugh said. “You also have cases where people don’t
understand how to handle a particular API.”
The other, less obvious item that may well be the cause of some mistakes is
the IDE (integrated development environment) that coders are using.
Two of the most popular open source Java IDEs are Eclipse and Sun’s
NetBeans. According to Pugh, the JOR effort did not count errors based
on the IDE used. But Pugh did admit that FindBugs has found a lot of
bugs in both Eclipse and NetBeans.
“Sometimes I wonder whether some of the errors we find might be a result of
auto-completion getting a little ahead of itself,” Pugh said. “In a number
of cases I suspect that is what happens.”
That’s not to say that the IDEs don’t have their place. Both NetBeans and
Eclipse have ongoing efforts for modules or plug-ins that help to improve
code quality and error detection.
“IDEs have a huge amount of value,” Pugh said. “I know programs with an IDE
and I would never go back to using a text editor. But I don’t think their
primary value has to do with finding the sort of defects that we find.”
Coders can submit their code for analysis by the JOR project here.