FindBugs Finds Fortify

With over 200,000 downloads to date, the open source FindBugs project is
already a reasonably popular Java bug-hunting tool, but it hasn’t found its way into
large enterprise deployments. Not yet anyway.

Thanks to a new sponsorship and bundling effort with Fortify Software, that may well be about to change.

The FindBugs project is run out of the University of Maryland by Professor
William Pugh. Pugh explained that the general idea behind FindBugs is to
identify bug patterns in Java code, that is, the things developers are
doing wrong in their code.

Until recently, the FindBugs project had been a mostly academic effort. But last year, the Ph.D. student who had been doing the development on
FindBugs as part of a graduate thesis graduated.

Pugh was concerned about how to continue the project: there were likely few additional research papers to be had from it, so it was unlikely that another student would pick up the work.

That’s where Fortify comes in. Fortify is now going to sponsor the project
as well as integrate FindBugs into its commercial product.

Fortify is a commercial software developer with its own source code analysis
framework that looks for code vulnerabilities among other flaws. Barmak Meftah,
vice president of engineering and operations at Fortify, explained that the
FindBugs project is a body of open source that is completely aligned with what
Fortify does.

“Our main objective is really for the good of the software development
community out there,” Meftah said. “Here’s a piece of code that’s been widely
adopted; the install base is huge. Why not support and enhance it?”

Fortify is not contributing any source code or intellectual property to FindBugs.
Fortify’s enterprise user base is expected to be a ripe proving ground for
FindBugs, one that Pugh hopes will yield much feedback that will help the

Pugh noted that the Fortify sponsorship gives FindBugs the support it needs
to be a tool that continues to improve and be supported, as well as provides
the ability to get feedback from more industrial-strength users.

“The thing that was interesting to us is how many really stupid bugs exist
in production code,” Pugh said.

One of Pugh’s favorite errors detected by FindBugs is a method that, if it is
ever invoked, unconditionally invokes itself again, producing an infinite
recursive loop that ends only when the stack overflows.

“You find methods like this — one-line methods that do nothing but call
themselves — and you wonder how this actually happened,” Pugh said. “In Sun’s
JDK we found five of them. JBoss, WebSphere, Eclipse, they all have numerous
examples of this particular bug.”
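The bug pattern Pugh describes (FindBugs reports it as IL_INFINITE_RECURSIVE_LOOP) is easy to recognise once you know what to look for: a method whose entire body is a call to itself with the same arguments. The following is an added example, not code from the article, from Pugh's group or from Fortify, and it is a deliberately simple source-level detector written for this page; FindBugs itself analyses compiled bytecode, not source text. It runs a regular-expression scan over a constructed Java class, flags the three methods that do nothing but call themselves, and leaves alone the look-alikes that are not bugs: a call to the superclass method, recursion guarded by a base case, and a call to an overload with a different arity.

```python
import re
from typing import List, Tuple

# Constructed Java sample for this demo; it is not from the article or from FindBugs.
JAVA_SOURCE = """
class Person {
    private String name;
    private String last;

    // Bug: the author meant 'return name;' but wrote a call to the getter itself.
    public String getName() { return getName(); }

    // Bug: the same mistake through an explicit 'this'.
    public String getLast() { return this.getLast(); }

    // Bug: equals(Object) delegating to itself instead of comparing fields.
    public boolean equals(Object o) { return equals(o); }

    // Fine: a setter with no recursion at all.
    public void setName(String n) { this.name = n; }

    // Fine: delegates to the superclass, not to itself.
    public String toString() { return super.toString(); }

    // Fine: recursion guarded by a base case.
    public int fact(int n) { if (n <= 1) return 1; return n * fact(n - 1); }

    // Fine: calls a two-argument overload, not itself.
    public int add(int a) { return add(a, 0); }
    public int add(int a, int b) { return a + b; }
}
"""

# One method whose body contains no nested braces: modifier, return type, name, params, body.
METHOD_RE = re.compile(
    r"(?:public|private|protected)\s+(?:static\s+)?[\w<>\[\]]+\s+(\w+)\s*\(([^)]*)\)\s*\{([^{}]*)\}"
)

# A body that is exactly one statement: '[return] [this.]NAME(args);'
SELF_CALL_TMPL = r"^\s*(?:return\s+)?(?:this\s*\.\s*)?{name}\s*\(([^()]*)\)\s*;\s*$"


def _count(csv: str) -> int:
    """Number of comma-separated items in a parameter or argument list."""
    csv = csv.strip()
    return 0 if not csv else len(csv.split(","))


def find_infinite_recursion(java_source: str) -> List[Tuple[str, int]]:
    """Return (method name, line number) for every method whose whole body is an
    unconditional call to itself with the same number of arguments."""
    findings = []
    for m in METHOD_RE.finditer(java_source):
        name, params, body = m.group(1), m.group(2), m.group(3)
        call = re.match(SELF_CALL_TMPL.format(name=re.escape(name)), body)
        # Matching arity rules out a call to an overload with a different signature.
        if call and _count(call.group(1)) == _count(params):
            line = java_source.count("\n", 0, m.start()) + 1
            findings.append((name, line))
    return findings


if __name__ == "__main__":
    for name, line in find_infinite_recursion(JAVA_SOURCE):
        print(f"line {line}: {name}() unconditionally calls itself")
```

The arity check is what keeps the overload case quiet; a real tool resolves the call target against the method's actual signature in bytecode rather than counting commas, which is one reason a bytecode-level analyser such as FindBugs is more reliable than text matching for this class of bug.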

Fortify’s software will invoke FindBugs as a plug-in, which from a legal
point of view is possible thanks to the LGPL (GNU Lesser General Public
License) under which FindBugs is available.

The LGPL allows commercial software to be linked against LGPL-licensed code,
which isn’t always possible with the GPL.

“We definitely don’t want to go to GPL because I think that’s too limited
to people that might want to do various things with it,” Pugh explained. “If
anything the discussion has been ‘Do we want to move to a looser open source

Pugh wants more commercial usage of FindBugs, and that’s where the GPL may
present a problem.

“There are all sorts of issues that I don’t entirely understand with the GPL
about what happens with plug-ins,” Pugh said. “Certainly we don’t want
people to think because they’re using the FindBugs plug-in that they have to
GPL-license their own code.

“We want to allow FindBugs to be used within
commercial code-sourced tools.”

FindBugs is expected to release its 1.0 version in a week or so, according
to Pugh. The 1.0 version will mark a significant milestone for the project.

“The main thing is that we have now moved beyond the stage where this is an
academic project,” Pugh said. “I think that with 1.0 we can now say that
this is something that is useful and has real support.”
