Slashdot Mirror


Java Open Review Project

bvc writes "We launched the Java Open Review Project today. We're reviewing open source Java code all the way from Tomcat down to PetStore looking for bugs and security vulnerabilities. We're using two static analysis tools to do the heavy lifting: the open source tool FindBugs, and the commercial tool Fortify SCA. We can use plenty of human eyes to help sort through the results. We're also soliciting ideas for which projects we should be reviewing next. Please help!"

4 of 50 comments

  1. Link to the Project... by StinkiePhish · · Score: 1, Informative
  2. FYI by guitaristx · · Score: 2, Informative
    --
    I pity the foo that isn't metasyntactic
  3. Static analysis unnecessary! by Anonymous Coward · · Score: 1, Informative

    Static analysis becomes virtually unnecessary when you use a proper, statically-typed language like Haskell, Standard ML or OCaml. Furthermore, the use of garbage collection eliminates many of the buffer overruns that plague C and C++ software. Add in proper unit testing, and you're almost guaranteed to have a rock-solid system, developed very economically and often with extremely clean code.

    While Java is more difficult to exploit, it is still possible to crash an app (say, a servlet container running a major web site) by sending data in such a way that an array's capacity is exceeded. Of course, that can easily be avoided by using an ArrayList, but there are programmers out there who are unaware of such basic helper classes.

    1. Re:Static analysis unnecessary! by AKAImBatman · · Score: 3, Informative
      "While Java is more difficult to exploit, it is still possible to crash an app (say, a servlet container running a major web site) by sending data in such a way that an array's capacity is exceeded."

      You can't crash a Java App Server with just an ArrayIndexOutOfBoundsException. It will produce an error for that user, sure, but it won't propagate any farther than that. Read the specs sometime. The servlet container is responsible for trapping all exceptions thrown by the servlet, then dealing with them in an appropriate manner. Usually that means giving the user an HTTP 500 error.
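
The per-request exception trapping discussed in the thread above, as an added example that is not part of any comment and is not code from a real servlet container. It is a simplified model that does not use the Servlet API; the class, interface and handler names are hypothetical and the request data is constructed.

```java
import java.util.List;

/** Simplified model of a container's dispatch step (hypothetical, not the Servlet API). */
public class ContainerIsolationDemo {

    /** Stand-in for a servlet: receives request parameters, returns an HTTP status. */
    interface Handler { int handle(List<String> params); }

    /** Copies caller-controlled input into a fixed-size array with no bounds check. */
    static int fixedArrayHandler(List<String> params) {
        String[] slots = new String[4];
        for (int i = 0; i < params.size(); i++) {
            slots[i] = params.get(i);   // ArrayIndexOutOfBoundsException once i reaches 4
        }
        return 200;
    }

    /** Validates the input size itself and answers with a client error. */
    static int checkedHandler(List<String> params) {
        if (params.size() > 4) {
            return 400;                 // reject oversized input explicitly
        }
        String[] slots = params.toArray(new String[0]);
        return slots.length == params.size() ? 200 : 500;
    }

    /** Container side: each request runs inside its own try/catch. */
    static int dispatch(Handler handler, List<String> params) {
        try {
            return handler.handle(params);
        } catch (RuntimeException e) {
            // Details stay in the server log; the client only gets a generic 500.
            System.err.println("request failed: " + e);
            return 500;
        }
    }

    public static void main(String[] args) {
        List<String> oversized = List.of("a", "b", "c", "d", "e"); // constructed input
        List<String> normal = List.of("a", "b");                   // constructed input

        // The failing request is contained; the next request is served normally.
        System.out.println("unchecked, oversized: " + dispatch(ContainerIsolationDemo::fixedArrayHandler, oversized));
        System.out.println("unchecked, normal:    " + dispatch(ContainerIsolationDemo::fixedArrayHandler, normal));
        System.out.println("checked, oversized:   " + dispatch(ContainerIsolationDemo::checkedHandler, oversized));
    }
}
```

The model covers only a single unchecked exception in one request; it says nothing about resource exhaustion or errors outside the handler.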