Slashdot Mirror

← Back to Stories (view on slashdot.org)

Java Open Review Project

Posted by ryuzaki0 on from the many-eyeballs dept.

bvc writes "We Launched the Java Open Review Project today. We're reviewing open source Java code all the way from Tomcat down to PetStore looking for bugs and security vulnerabilities. We're using two static analysis tools to do the heavy lifting: the open source tool FindBugs, and the commercial tool Fortify SCA. We can use plenty of human eyes to help sort through the results. We're also soliciting ideas for which projects we should be reviewing next. Please help!"

50 comments

  1. Java by Anonymous Coward · · Score: 0

    Why Java, specifically?

    1. Re:Java by Anonymous Coward · · Score: 0

      "well, java being a overbloated piece of shit of course."

      No. The reason is because people don't want to learn a new language apart from what they were taught in school. Why change when they already know what works?

    2. Re:Java by Anonymous Coward · · Score: 0

      Why indeed? Java is all anyone needs to know.

    3. Re:Java by Anonymous Coward · · Score: 0

      Unless you prefer an language in which you can be more productive

      Unless your team has chosen a language other than Java

      Unless you want to write systems software

      Unless you want good memory performance

      ...

    4. Re:Java by DuckDodgers · · Score: 1

      I'm not a big fan of Java, but to be fair:
      Unless you prefer an language in which you can be more productive
      Most of the slow development and painful complexity of Java has more to do with complex configuration of the popular application frameworks than the language itself. Our in-house Tomcat/Struts/Hibernate/XDoclet application has nearly 40 different XML configuration files. Java doesn't need any of those XML files beyond the single build file for the Ant build tool.

    5. Re:Java by usidoesit · · Score: 0

      If java syntax actually *did* something useful, then perhaps your argument that it's not Java's fault would be valid. It is Java's fault. Java is useless. Java is worse than useless in that it's also a hazard. So you can't just leave it there and give it nothing to do, because it's offensive to the productive languages in the vicinity.

    6. Re:Java by Anonymous Coward · · Score: 0

      That is of course, until you realise that e-Bay is a J2EE based app, and has on average 30,000 lines of code changes/additions a week made WITHOUT a hitch.

      There is a reason that Java is the most commonly used language in the world now buddy. Come back when you're in the real world working on actual enterprise-size projects and then we can talk.

  2. Link to the Project... by StinkiePhish · · Score: 1, Informative

    http://opensource.fortifysoftware.com/welcome.html

  3. Wow by xenocide2 · · Score: 4, Funny

    You'd think someone asking for community participation would go to the effort of including a link to the community in question. Somehow, I think you'll get out of this request what you put into it.

    --
    I Browse at +4 Flamebait

    Open Source Sysadmin

  4. Love to, but... by Anonymous Coward · · Score: 0

    where is teh clicky??

  5. FYI by guitaristx · · Score: 2, Informative

    Link to the project's homepage

    --
    I pity the foo that isn't metasyntactic
  6. Why so broad? by kevin_conaway · · Score: 2, Interesting

    Why so many projects?

    Why not pick one or two and really run them through the wringer? Most of the heavily used projects like Tomcat have already been viewed by thousands of eyes so a cursory overview probably won't be worth the time

    Anyways, good luck

  7. Static analysis unnecessary! by Anonymous Coward · · Score: 1, Informative

    Static analysis becomes virtually unnecessary when you use a proper, statically-typed language like Haskell, Standard ML or OCaml. Furthermore, the use of garbage collection eliminates many of the buffer overruns that plague C and C++ software. Add in proper unit testing, and you're almost guaranteed to have a rock-solid system, developed very economically and often with extremely clean code.

    While Java is more difficult to exploit, it is still possible to crash an app (say, a servlet container running a major web site) by sending data in such a way that an array's capacity is exceeded. Of course, that can easily be avoided by using an ArrayList, but there are programmers out there who are unaware of such basic helper classes.

    1. Re:Static analysis unnecessary! by Coryoth · · Score: 1
      Static analysis becomes virtually unnecessary when you use a proper, statically-typed language like Haskell, Standard ML or OCaml. Furthermore, the use of garbage collection eliminates many of the buffer overruns that plague C and C++ software. Add in proper unit testing, and you're almost guaranteed to have a rock-solid system, developed very economically and often with extremely clean code.

      As nice as that is it runs into the difficulty that there are already millions of lines of code in Java and rewriting them in ML or Haskell just isn't feasible. If you want a good intermediary position then using JML to specify the existing Java code and jmlunit and ESC/Java2 to do unit testing and static analysis based on the specification can get you a long way.
      --
      Craft Beer Programming T-shirts
    2. Re:Static analysis unnecessary! by Anonymous Coward · · Score: 0
      This just in -- shitty programmers can make shitty apps in any language, including Haskell or OCaml.
      While Java is more difficult to exploit, it is still possible to crash an app (say, a servlet container running a major web site) by sending data in such a way that an array's capacity is exceeded. Of course, that can easily be avoided by using an ArrayList, but there are programmers out there who are unaware of such basic helper classes.
      Really, crash an app because somebody is using an array rather than an ArrayList? So you're telling me that the programmer not knowing the difference between something with a static (ungrowable) size and a dynamic (growable) size is a fault of the language?

      You still can't overwrite the end of a Java array to cause a buffer overrun or something (if that's what you mean), because Java stores the length of the array internally and throws an ArrayIndexOutOfBounds exception if you try to go past it.
    3. Re:Static analysis unnecessary! by Anonymous Coward · · Score: 0

      Capacity can always be exceeded; Memory is finite.

    4. Re:Static analysis unnecessary! by AKAImBatman · · Score: 3, Informative
      While Java is more difficult to exploit, it is still possible to crash an app (say, a servlet container running a major web site) by sending data in such a way that an array's capacity is exceeded.

      You can't crash a Java App Server with just an ArrayIndexOutOfBoundsException. It will produce an error for that user, sure, but it won't propogate any farther than that. Read the specs sometime. The servlet container is responsible for trapping all exceptions thrown by the servlet, then dealing with them in an appropriate manner. Usually that means giving the user an HTTP 500 error.
      --
      Javascript + Nintendo DSi = DSiCade
    5. Re:Static analysis unnecessary! by Anonymous Coward · · Score: 0

      The JVM isn't written in Java.

    6. Re:Static analysis unnecessary! by EsbenMoseHansen · · Score: 2, Insightful
      Really, crash an app because somebody is using an array rather than an ArrayList? So you're telling me that the programmer not knowing the difference between something with a static (ungrowable) size and a dynamic (growable) size is a fault of the language?

      That is the argument you hear all the time. E.g, most buffer overflows in C is due to people using fixed arrays for variable length strings... which makes little sense.

      Today, it seems that "archiving goals by lowering expectations" is the norm among application developers... dumping down languages to avoid features that might burn developers.

      Happily, there are still quite a slew of languages which are not like that. Too bad that I still have to work in Java sometimes.

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    7. Re:Static analysis unnecessary! by HawkingMattress · · Score: 1

      Usually that means giving the user an HTTP 500 error

      Which, in webapp speak, is a crash... Yes it won't kill the server since the exception has been handled before that but if your index page dies with an HTTP 500 error it's exactly the same thing for the user : "Website doesn't work".

    8. Re:Static analysis unnecessary! by AKAImBatman · · Score: 1
      Which, in webapp speak, is a crash..

      No, it's an error. A crash would be if the server went down.

      it's exactly the same thing for the user : "Website doesn't work".

      Considering that the GPs point was that the user was trying to break it, I don't see what your complaint is. The server shrugs off the error and keeps chugging along.
      --
      Javascript + Nintendo DSi = DSiCade
    9. Re:Static analysis unnecessary! by PinkPanther · · Score: 1
      Today, it seems that "archiving [sic] goals by lowering expectations" is the norm among application developers... dumping down languages to avoid features that might burn developers.
      When you say "today", what are you comparing it to? When was the glorious time that software projects were simple enough, and well enough defined at the outset, that all targets were all met consistently and successfully?

      Have you been watching Lou Dobbs too much of late? The nature of the world is not significantly different today from "the good old days". Crime is not on a dramatic rise, immigration has been steady, corporations are just as money focused as always, politicians equally so.

      In the vast majority of software products, applications developers do not have the say when it comes to "lowering expectations". That is the role of the product manager. And even then, it is more often than not a miscalculation on the part of the product manager that causes features to slip (improperly defined features, changing timelines, scope creep, changing priorities, etc...).

      Languages are nothing but tools. The right tool for the right job. A language is not an excuse for bad software development practices. And Java, as a language, is a great tool for many, many jobs. It isn't used by people so they can "lower expectations", so that they can under-deliver, so that they can avoid responsibility...in fact, just the opposite.

      --
      It's a simple matter of complex programming.
    10. Re:Static analysis unnecessary! by Decaff · · Score: 1

      The JVM isn't written in Java.

      Which one? There is not just one JVM. There are JVMs that ARE written in Java, such as this http://joeq.sourceforge.net/

      However, there is a good reason why most JVMs aren't written in Java - the highest performance Java implementations use run-time optimisations from within a JVM. So you would need a JVM to run the Java which would implement the JVM - which is recursive. You need to bootstrap things somehow.

    11. Re:Static analysis unnecessary! by Raenex · · Score: 1

      Seems like JML & friends still don't support Java 1.5 yet, and now 1.6 is out. I've seen you mention this quite some time ago, but I write all my code in 1.5. Do you know if they are they working on 1.5?

    12. Re:Static analysis unnecessary! by Raenex · · Score: 1
      Have you been watching Lou Dobbs too much of late?

      Ha ha, that guy is so annoying :) Damn kids today!

    13. Re:Static analysis unnecessary! by Coryoth · · Score: 1

      Support for a.5 is in the works apparently, though it is the next major version of ESC/Java that will have it, so I don't know how soon that will come out. It is, at the least, in the works.

      --
      Craft Beer Programming T-shirts
    14. Re:Static analysis unnecessary! by EsbenMoseHansen · · Score: 1

      I wasn't referring to projects, but to languages. You seem to have misunderstood me there. I disagree that Java is a *great* tool for many jobs, although it might be an adequate in many. The greatest advantage of Java is the bandwagon effect... as long as you choose Java, you can dodge responsibility for choosing the wrong language for the job, and also, it is easy to find mediocre programmers that can do some Java.

      And sorry about misspelling "achievements". I will try to be more careful, even if it is a second language to me.

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
  8. Umm... automated tools make it possible. by Anonymous Coward · · Score: 0

    You realize that they're using static code analysis software, right? Such automation makes it very quick and easy to statically analyze even a complex program.

    It's well worth spending even a few hours to statically analyze a piece of software using such tools. Even for very well-coded and heavily used software, these tools will find issues that should often be dealt with. You'll get a few false positives here and there. But overall, the alerts raised will often point one to code that does need to be fixed in some way, or can otherwise be improved. The code may even appear fine via visual inspection, but in certain circumstances it could lead to a crash, or a security breach.

    1. Re:Umm... automated tools make it possible. by cloricus · · Score: 1

      Agreed. May as well just do it in one big hit instead of piece by piece. That way you will have one big mob that will target everything instead of a few dedicated people watching the programs that concern them?

      --
      I ate your fish.
    2. Re:Umm... automated tools make it possible. by Anonymous Coward · · Score: 0

      You obviously have no idea how these tools work, or how they can be used by open source projects.

      First of all, yes, it is best to use these tools on as many open source projects as is possible. Each project gets a report about what problems have been found. Then it's up to each team to compare the report with the actual code. Problems that are serious are dealt with by the developers themselves, the same developers who normally develop the project's architecture and write the code.

      Since most open source projects have a rather tight-knit group of developers, giving them such a report is no different than filing a normal bug report. Chances are one of the main developers will be the one dealing with the issues, so it's not like you're taking fixes from just anyone. And beyond that, most larger projects already have schemes in place that severely inspect any third-party code contributions.

      In the end, you end up with all of the open source projects improving concurrently. Since it's easily feasible and completely possible for that to happen, it's the best thing to do.

  9. Crackhead -- oops, I mean non-programmer by Anonymous Coward · · Score: 0

    Add in proper unit testing, and you're almost guaranteed to have a rock-solid system, developed very economically and often with extremely clean code.

    A statically typed language + unit testing doesn't even come close to guaranteeing a rock-solid system. I'm not real familiar with the compilers of Haskell, ML and OCaml, but I doubt they would do the same amount of static analysis as something like FindBugs. Some for sure, but not all.

    And, BTW, when Java people do not use ArrayList, its because they think that can do it better, or they can really do it better, not because they are unaware of the existance of the class.

  10. You know nothing about static analysis. by Anonymous Coward · · Score: 0

    A statically typed language + unit testing doesn't even come close to guaranteeing a rock-solid system. I'm not real familiar with the compilers of Haskell, ML and OCaml, but I doubt they would do the same amount of static analysis as something like FindBugs.

    It is quite clear you're clueless when it comes to Haskell, Standard ML and OCaml. If you did know anything about them or their implementations, you'd know that the amount of static analysis they do is more than comparable to that of many of the commercial static code analysis tools.

    The only reason such tools are deemed necessary for Java, C and C++ apps is because those languages just aren't as suited for static analysis as most functional languages. The very act of compiling a Haskell or Standard ML program involves the static analysis that such tools do. When you're dealing with strong, static typing and automatic type inference, you're already performing the vast majority of what the C, C++ and Java static analysis tools do.

    Come back once you've used, let alone mastered, one of Haskell, OCaml or Standard ML. Once you have even a basic understanding of the techniques the compilers for such languages use, then you'll see how blatantly wrong you are in your post.

    1. Re:You know nothing about static analysis. by heinousjay · · Score: 1

      And the obvious superiority you've conveyed with your tone is reflected quite nicely in the fact that so few people actually know of (never mind know) any of those languages.

      I guess it's tough being extra-right all the time and still being ignored. Sorry.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    2. Re:You know nothing about static analysis. by Raenex · · Score: 1

      I really hate responding to shadows, but here goes:

      The only reason such tools are deemed necessary for Java, C and C++ apps is because those languages just aren't as suited for static analysis as most functional languages.

      There's a list of warnings that FindBugs outputs. If you want to claim that static analysis is unnecessary for Haskell or OCaml, then go over the list and say why. It's not enough to just claim by fiat that your favorite language doesn't have that problem and then tell "Blub" to go master it.

    3. Re:You know nothing about static analysis. by Anonymous Coward · · Score: 0

      Many of those can't even be applied to Haskell and OCaml, because the designers of those languages weren't stupid enough to add "features" that would allow for such mistakes. The ones relating to jar files are a good example. The very nature of the OCaml module system would catch all such problems at compile time. The same goes for many of the object-oriented problems that are listed. The typing and class system of OCaml would outright catch such problems at compile time, and report an error to the user. Many of the framework-related issues wouldn't even arise in the OCaml or Haskell world, because framework developers wouldn't be allowed to make such design mistakes due to the semantics of the languages themselves.

      You obviously know nothing about OCaml, Haskell, or Standard ML. If you did, you'd see immediately how they either take care of all those problems at compile time, or it's completely impossible for them to even be affected. Even a college student who has studied one of those languages for a mere semester would be able to see for themselves how unnecessary the use of separate static analysis tools would be. The very nature of the languages and compilers deals with all such problems automatically.

    4. Re:You know nothing about static analysis. by Raenex · · Score: 1
      You obviously know nothing about OCaml, Haskell, or Standard ML.

      I've looked into Haskell before. Just scratched the surface, really, but definitely more than "know nothing".

      If you did, you'd see immediately how they either take care of all those problems at compile time, or it's completely impossible for them to even be affected.

      Bold statements like this are bullshit. Any language can benefit from static analysis. How can you seriously claim otherwise? Obviously a language like C would benefit more than Java, and Java would benefit more than Haskell, but no language checks for every possible problem at compile time.

      Here's a counter-example to your claims: Catch - Case Totality Checker for Haskell: "A Haskell program may fail at runtime with a pattern-match error if the program has any incomplete (non-exhaustive) patterns in definitions or case alternatives. This paper describes a static checker that allows non-exhaustive patterns to exist, yet ensures that a pattern-match error does not occur."

  11. Re:Java sucks by AuMatar · · Score: 0, Flamebait

    I'm sorry, I thought you wanted them to learn a real langugae.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  12. Rediculous assertion by SuperKendall · · Score: 1

    If a langauge will not let you commit security vilolations through design, then I can say with surity that language is not usable.

    Note I am NOT saying Haskell is unusable. What I am saying is that in all the languages you list, it is still possible to create code that by design will be insecure. Any time you take input from a user, and place that input into a database for example, you have an avenue for attack.

    As for the suggestion to use an ArrayList instead of basic arrays in Java, it makes me sudder to think of you designing any web systems that may be touched by a high volume of traffic. No wonder you posted AC with such "helpful" advice!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Rediculous assertion by MythMoth · · Score: 1

      As for the suggestion to use an ArrayList instead of basic arrays in Java, it makes me sudder to think of you designing any web systems that may be touched by a high volume of traffic

      Then it makes me shudder to think of the design atrocities you're going to commit if by default you use arrays. Use arrays (maybe) if and only if you have established that they are required to solve a proven performance problem. Using them on the offchance that they'll be needed is the height of premature optimisation folly.

      --
      --- These are not words: wierd, genious, rediculous
  13. Tomcat? Are you insane? by Anonymous Coward · · Score: 0

    Some of the Tomcat code is used by instructors as "how not to program". Tomcat works (I use it in production), but it isn't pretty, nice or elegant code:

    http://jroller.com/page/fate?entry=why_i_hate_tomc at

  14. Re:Java sucks by blu3+b0y · · Score: 1

    Like +C+?

    Thanks for demonstrating that even open-minded coders like yourself still need a good QA team, even if it's just to fix the little language typos...

  15. Re:Java sucks by Coppertone · · Score: 1

    I thought your "real language" is a rip-off of Java. Sounds like you should learn the *original* real language....

  16. You just said the same thing I said by Anonymous Coward · · Score: 0

    When you're dealing with strong, static typing and automatic type inference, you're already performing the vast majority of what the C, C++ and Java static analysis tools do.

    Vast majority means most, but not all. Thats exactly what I said.

    Still, how does that and unit testing guarantee a rock-solid system?

  17. Re:Java sucks by JavaIsGreat · · Score: 1

    Real language like what C/C++ Grow up man, try to write an ENTERPRISE SYSTEM without a thick client server model using C/C++. Let me know once done.

  18. Re:Java sucks by AuMatar · · Score: 1

    DOne. Several times over. I wouldn't write anything more complex than Hello World in Java, it just doesn't have the performance.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  19. Re:Tomcat? Are you insane? by Raenex · · Score: 1
    http://jroller.com/page/fate?entry=why_i_hate_tomc at

    When I go to that page the sidebar overlaps the text of the article. It kinda puts me off that a rant about "good code" is hosted on a page with terrible web design.

  20. Re:Java sucks by JavaIsGreat · · Score: 1

    An enterprise software with a thin client in c/c++!!!!!!!!!!!! Hats off to you. I love programming and started as c guy but I have no more patience for the reinvention of wheel several times. I like to solve business problems using code

  21. Where is teh link? by bismark.a · · Score: 1

    Whoever the heck is kdawson, he certainly does not sound like he is from the many-eyeballs dept.