Slashdot Mirror

← Back to Stories (view on slashdot.org)

Java Open Review Project

Posted by ryuzaki0 on from the many-eyeballs dept.

bvc writes "We Launched the Java Open Review Project today. We're reviewing open source Java code all the way from Tomcat down to PetStore looking for bugs and security vulnerabilities. We're using two static analysis tools to do the heavy lifting: the open source tool FindBugs, and the commercial tool Fortify SCA. We can use plenty of human eyes to help sort through the results. We're also soliciting ideas for which projects we should be reviewing next. Please help!"

30 of 50 comments (clear)

  1. Link to the Project... by StinkiePhish · · Score: 1, Informative

    http://opensource.fortifysoftware.com/welcome.html

  2. Wow by xenocide2 · · Score: 4, Funny

    You'd think someone asking for community participation would go to the effort of including a link to the community in question. Somehow, I think you'll get out of this request what you put into it.

    --
    I Browse at +4 Flamebait

    Open Source Sysadmin

  3. FYI by guitaristx · · Score: 2, Informative

    Link to the project's homepage

    --
    I pity the foo that isn't metasyntactic
  4. Why so broad? by kevin_conaway · · Score: 2, Interesting

    Why so many projects?

    Why not pick one or two and really run them through the wringer? Most of the heavily used projects like Tomcat have already been viewed by thousands of eyes so a cursory overview probably won't be worth the time

    Anyways, good luck

  5. Static analysis unnecessary! by Anonymous Coward · · Score: 1, Informative

    Static analysis becomes virtually unnecessary when you use a proper, statically-typed language like Haskell, Standard ML or OCaml. Furthermore, the use of garbage collection eliminates many of the buffer overruns that plague C and C++ software. Add in proper unit testing, and you're almost guaranteed to have a rock-solid system, developed very economically and often with extremely clean code.

    While Java is more difficult to exploit, it is still possible to crash an app (say, a servlet container running a major web site) by sending data in such a way that an array's capacity is exceeded. Of course, that can easily be avoided by using an ArrayList, but there are programmers out there who are unaware of such basic helper classes.

    1. Re:Static analysis unnecessary! by Coryoth · · Score: 1
      Static analysis becomes virtually unnecessary when you use a proper, statically-typed language like Haskell, Standard ML or OCaml. Furthermore, the use of garbage collection eliminates many of the buffer overruns that plague C and C++ software. Add in proper unit testing, and you're almost guaranteed to have a rock-solid system, developed very economically and often with extremely clean code.

      As nice as that is it runs into the difficulty that there are already millions of lines of code in Java and rewriting them in ML or Haskell just isn't feasible. If you want a good intermediary position then using JML to specify the existing Java code and jmlunit and ESC/Java2 to do unit testing and static analysis based on the specification can get you a long way.
      --
      Craft Beer Programming T-shirts
    2. Re:Static analysis unnecessary! by AKAImBatman · · Score: 3, Informative
      While Java is more difficult to exploit, it is still possible to crash an app (say, a servlet container running a major web site) by sending data in such a way that an array's capacity is exceeded.

      You can't crash a Java App Server with just an ArrayIndexOutOfBoundsException. It will produce an error for that user, sure, but it won't propogate any farther than that. Read the specs sometime. The servlet container is responsible for trapping all exceptions thrown by the servlet, then dealing with them in an appropriate manner. Usually that means giving the user an HTTP 500 error.
      --
      Javascript + Nintendo DSi = DSiCade
    3. Re:Static analysis unnecessary! by EsbenMoseHansen · · Score: 2, Insightful
      Really, crash an app because somebody is using an array rather than an ArrayList? So you're telling me that the programmer not knowing the difference between something with a static (ungrowable) size and a dynamic (growable) size is a fault of the language?

      That is the argument you hear all the time. E.g, most buffer overflows in C is due to people using fixed arrays for variable length strings... which makes little sense.

      Today, it seems that "archiving goals by lowering expectations" is the norm among application developers... dumping down languages to avoid features that might burn developers.

      Happily, there are still quite a slew of languages which are not like that. Too bad that I still have to work in Java sometimes.

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    4. Re:Static analysis unnecessary! by HawkingMattress · · Score: 1

      Usually that means giving the user an HTTP 500 error

      Which, in webapp speak, is a crash... Yes it won't kill the server since the exception has been handled before that but if your index page dies with an HTTP 500 error it's exactly the same thing for the user : "Website doesn't work".

    5. Re:Static analysis unnecessary! by AKAImBatman · · Score: 1
      Which, in webapp speak, is a crash..

      No, it's an error. A crash would be if the server went down.

      it's exactly the same thing for the user : "Website doesn't work".

      Considering that the GPs point was that the user was trying to break it, I don't see what your complaint is. The server shrugs off the error and keeps chugging along.
      --
      Javascript + Nintendo DSi = DSiCade
    6. Re:Static analysis unnecessary! by PinkPanther · · Score: 1
      Today, it seems that "archiving [sic] goals by lowering expectations" is the norm among application developers... dumping down languages to avoid features that might burn developers.
      When you say "today", what are you comparing it to? When was the glorious time that software projects were simple enough, and well enough defined at the outset, that all targets were all met consistently and successfully?

      Have you been watching Lou Dobbs too much of late? The nature of the world is not significantly different today from "the good old days". Crime is not on a dramatic rise, immigration has been steady, corporations are just as money focused as always, politicians equally so.

      In the vast majority of software products, applications developers do not have the say when it comes to "lowering expectations". That is the role of the product manager. And even then, it is more often than not a miscalculation on the part of the product manager that causes features to slip (improperly defined features, changing timelines, scope creep, changing priorities, etc...).

      Languages are nothing but tools. The right tool for the right job. A language is not an excuse for bad software development practices. And Java, as a language, is a great tool for many, many jobs. It isn't used by people so they can "lower expectations", so that they can under-deliver, so that they can avoid responsibility...in fact, just the opposite.

      --
      It's a simple matter of complex programming.
    7. Re:Static analysis unnecessary! by Decaff · · Score: 1

      The JVM isn't written in Java.

      Which one? There is not just one JVM. There are JVMs that ARE written in Java, such as this http://joeq.sourceforge.net/

      However, there is a good reason why most JVMs aren't written in Java - the highest performance Java implementations use run-time optimisations from within a JVM. So you would need a JVM to run the Java which would implement the JVM - which is recursive. You need to bootstrap things somehow.

    8. Re:Static analysis unnecessary! by Raenex · · Score: 1

      Seems like JML & friends still don't support Java 1.5 yet, and now 1.6 is out. I've seen you mention this quite some time ago, but I write all my code in 1.5. Do you know if they are they working on 1.5?

    9. Re:Static analysis unnecessary! by Raenex · · Score: 1
      Have you been watching Lou Dobbs too much of late?

      Ha ha, that guy is so annoying :) Damn kids today!

    10. Re:Static analysis unnecessary! by Coryoth · · Score: 1

      Support for a.5 is in the works apparently, though it is the next major version of ESC/Java that will have it, so I don't know how soon that will come out. It is, at the least, in the works.

      --
      Craft Beer Programming T-shirts
    11. Re:Static analysis unnecessary! by EsbenMoseHansen · · Score: 1

      I wasn't referring to projects, but to languages. You seem to have misunderstood me there. I disagree that Java is a *great* tool for many jobs, although it might be an adequate in many. The greatest advantage of Java is the bandwagon effect... as long as you choose Java, you can dodge responsibility for choosing the wrong language for the job, and also, it is easy to find mediocre programmers that can do some Java.

      And sorry about misspelling "achievements". I will try to be more careful, even if it is a second language to me.

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
  6. Re:Umm... automated tools make it possible. by cloricus · · Score: 1

    Agreed. May as well just do it in one big hit instead of piece by piece. That way you will have one big mob that will target everything instead of a few dedicated people watching the programs that concern them?

    --
    I ate your fish.
  7. Re:You know nothing about static analysis. by heinousjay · · Score: 1

    And the obvious superiority you've conveyed with your tone is reflected quite nicely in the fact that so few people actually know of (never mind know) any of those languages.

    I guess it's tough being extra-right all the time and still being ignored. Sorry.

    --
    Slashdot - where whining about luck is the new way to make the world you want.
  8. Rediculous assertion by SuperKendall · · Score: 1

    If a langauge will not let you commit security vilolations through design, then I can say with surity that language is not usable.

    Note I am NOT saying Haskell is unusable. What I am saying is that in all the languages you list, it is still possible to create code that by design will be insecure. Any time you take input from a user, and place that input into a database for example, you have an avenue for attack.

    As for the suggestion to use an ArrayList instead of basic arrays in Java, it makes me sudder to think of you designing any web systems that may be touched by a high volume of traffic. No wonder you posted AC with such "helpful" advice!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Rediculous assertion by MythMoth · · Score: 1

      As for the suggestion to use an ArrayList instead of basic arrays in Java, it makes me sudder to think of you designing any web systems that may be touched by a high volume of traffic

      Then it makes me shudder to think of the design atrocities you're going to commit if by default you use arrays. Use arrays (maybe) if and only if you have established that they are required to solve a proven performance problem. Using them on the offchance that they'll be needed is the height of premature optimisation folly.

      --
      --- These are not words: wierd, genious, rediculous
  9. Re:Java sucks by blu3+b0y · · Score: 1

    Like +C+?

    Thanks for demonstrating that even open-minded coders like yourself still need a good QA team, even if it's just to fix the little language typos...

  10. Re:Java sucks by Coppertone · · Score: 1

    I thought your "real language" is a rip-off of Java. Sounds like you should learn the *original* real language....

  11. Re:Java sucks by JavaIsGreat · · Score: 1

    Real language like what C/C++ Grow up man, try to write an ENTERPRISE SYSTEM without a thick client server model using C/C++. Let me know once done.

  12. Re:Java by DuckDodgers · · Score: 1

    I'm not a big fan of Java, but to be fair:
    Unless you prefer an language in which you can be more productive
    Most of the slow development and painful complexity of Java has more to do with complex configuration of the popular application frameworks than the language itself. Our in-house Tomcat/Struts/Hibernate/XDoclet application has nearly 40 different XML configuration files. Java doesn't need any of those XML files beyond the single build file for the Ant build tool.

  13. Re:Java sucks by AuMatar · · Score: 1

    DOne. Several times over. I wouldn't write anything more complex than Hello World in Java, it just doesn't have the performance.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  14. Re:Tomcat? Are you insane? by Raenex · · Score: 1
    http://jroller.com/page/fate?entry=why_i_hate_tomc at

    When I go to that page the sidebar overlaps the text of the article. It kinda puts me off that a rant about "good code" is hosted on a page with terrible web design.

  15. Re:You know nothing about static analysis. by Raenex · · Score: 1

    I really hate responding to shadows, but here goes:

    The only reason such tools are deemed necessary for Java, C and C++ apps is because those languages just aren't as suited for static analysis as most functional languages.

    There's a list of warnings that FindBugs outputs. If you want to claim that static analysis is unnecessary for Haskell or OCaml, then go over the list and say why. It's not enough to just claim by fiat that your favorite language doesn't have that problem and then tell "Blub" to go master it.

  16. Re:Java sucks by JavaIsGreat · · Score: 1

    An enterprise software with a thin client in c/c++!!!!!!!!!!!! Hats off to you. I love programming and started as c guy but I have no more patience for the reinvention of wheel several times. I like to solve business problems using code

  17. Where is teh link? by bismark.a · · Score: 1

    Whoever the heck is kdawson, he certainly does not sound like he is from the many-eyeballs dept.

  18. Re:You know nothing about static analysis. by Raenex · · Score: 1
    You obviously know nothing about OCaml, Haskell, or Standard ML.

    I've looked into Haskell before. Just scratched the surface, really, but definitely more than "know nothing".

    If you did, you'd see immediately how they either take care of all those problems at compile time, or it's completely impossible for them to even be affected.

    Bold statements like this are bullshit. Any language can benefit from static analysis. How can you seriously claim otherwise? Obviously a language like C would benefit more than Java, and Java would benefit more than Haskell, but no language checks for every possible problem at compile time.

    Here's a counter-example to your claims: Catch - Case Totality Checker for Haskell: "A Haskell program may fail at runtime with a pattern-match error if the program has any incomplete (non-exhaustive) patterns in definitions or case alternatives. This paper describes a static checker that allows non-exhaustive patterns to exist, yet ensures that a pattern-match error does not occur."