Slashdot Mirror


Java Open Review Project

bvc writes "We launched the Java Open Review Project today. We're reviewing open source Java code all the way from Tomcat down to PetStore looking for bugs and security vulnerabilities. We're using two static analysis tools to do the heavy lifting: the open source tool FindBugs, and the commercial tool Fortify SCA. We can use plenty of human eyes to help sort through the results. We're also soliciting ideas for which projects we should be reviewing next. Please help!"

5 of 50 comments

  1. Wow by xenocide2 · Score: 4, Funny

    You'd think someone asking for community participation would go to the effort of including a link to the community in question. Somehow, I think you'll get out of this request what you put into it.

    --
    I Browse at +4 Flamebait

    Open Source Sysadmin

  2. FYI by guitaristx · Score: 2, Informative

    --
    I pity the foo that isn't metasyntactic

  3. Why so broad? by kevin_conaway · Score: 2, Interesting

    Why so many projects?

    Why not pick one or two and really run them through the wringer? Most of the heavily used projects like Tomcat have already been viewed by thousands of eyes, so a cursory overview probably won't be worth the time.

    Anyways, good luck

  4. Re:Static analysis unnecessary! by AKAImBatman · Score: 3, Informative

    While Java is more difficult to exploit, it is still possible to crash an app (say, a servlet container running a major web site) by sending data in such a way that an array's capacity is exceeded.

    You can't crash a Java App Server with just an ArrayIndexOutOfBoundsException. It will produce an error for that user, sure, but it won't propagate any farther than that. Read the specs sometime. The servlet container is responsible for trapping all exceptions thrown by the servlet, then dealing with them in an appropriate manner. Usually that means giving the user an HTTP 500 error.
  5. Re:Static analysis unnecessary! by EsbenMoseHansen · Score: 2, Insightful

    Really, crash an app because somebody is using an array rather than an ArrayList? So you're telling me that the programmer not knowing the difference between something with a static (ungrowable) size and a dynamic (growable) size is a fault of the language?

    That is the argument you hear all the time. E.g., most buffer overflows in C are due to people using fixed arrays for variable length strings... which makes little sense.

    Today, it seems that "achieving goals by lowering expectations" is the norm among application developers... dumbing down languages to avoid features that might burn developers.

    Happily, there are still quite a slew of languages which are not like that. Too bad that I still have to work in Java sometimes.

    --
    Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
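The two points argued in comments 4 and 5 above (a fixed-size array that client-controlled input can overrun, and the container catching the resulting unchecked exception for that one request only), as an added example that is not code from the Java Open Review Project or from any commenter. It uses no real servlet API: the Request, Handler and Container classes and the MAX_TAGS cap are assumptions made for this illustration, and the five-value input is constructed to be one past the cap.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/*
 * Added example (not from the project or the thread). Models in plain Java:
 *  - a handler that copies request values into a fixed-size array (the
 *    "array rather than ArrayList" bug of comment 5),
 *  - a growable replacement that also bounds the input explicitly,
 *  - a stand-in for the servlet container's per-request exception handling
 *    described in comment 4.
 * Request, Handler, Container and MAX_TAGS are assumed names for this demo.
 */
public class ArrayOverrunDemo {

    /** Minimal stand-in for an HTTP request: the values of a repeated "tag" parameter. */
    static final class Request {
        final List<String> tags;
        Request(List<String> tags) { this.tags = tags; }
    }

    interface Handler {
        /** Returns a response body; may throw an unchecked exception. */
        String handle(Request req);
    }

    /** Bug: the array size is a guess about input the client controls. */
    static final class FixedArrayHandler implements Handler {
        static final int MAX_TAGS = 4;
        public String handle(Request req) {
            String[] tags = new String[MAX_TAGS];
            int i = 0;
            for (String t : req.tags) {
                tags[i++] = t;   // throws ArrayIndexOutOfBoundsException once i reaches MAX_TAGS
            }
            return "stored " + i + " tags";
        }
    }

    /** Fix: a growable list, plus an explicit cap so the input cannot be unbounded. */
    static final class ListHandler implements Handler {
        static final int MAX_TAGS = 4;
        public String handle(Request req) {
            if (req.tags.size() > MAX_TAGS) {
                throw new IllegalArgumentException("too many tags: " + req.tags.size());
            }
            List<String> tags = new ArrayList<>(req.tags);
            return "stored " + tags.size() + " tags";
        }
    }

    /** Stand-in for the container's dispatch loop: one request's failure stays with that request. */
    static final class Container {
        private final Handler handler;
        Container(Handler handler) { this.handler = handler; }

        /** Returns the HTTP status the client would see for this request. */
        int dispatch(Request req) {
            try {
                handler.handle(req);
                return 200;
            } catch (IllegalArgumentException e) {
                return 400;  // the handler rejected the input deliberately
            } catch (RuntimeException e) {
                // Any other unchecked exception (ArrayIndexOutOfBoundsException included)
                // is logged and answered with a 500; the container keeps serving.
                System.err.println("request failed: " + e);
                return 500;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one within the cap, one exactly one value past it.
        List<String> threeTags = Arrays.asList("a", "b", "c");
        List<String> fiveTags = Arrays.asList("a", "b", "c", "d", "e");

        Container buggy = new Container(new FixedArrayHandler());
        Container fixed = new Container(new ListHandler());

        System.out.println("fixed array, 3 tags      -> " + buggy.dispatch(new Request(threeTags)));
        System.out.println("fixed array, 5 tags      -> " + buggy.dispatch(new Request(fiveTags)));
        // The next request after the overrun is served normally: the failure did not
        // propagate past the one request that triggered it.
        System.out.println("fixed array, next request -> " + buggy.dispatch(new Request(threeTags)));
        System.out.println("list with cap, 5 tags    -> " + fixed.dispatch(new Request(fiveTags)));
    }
}
```

Run it with `javac ArrayOverrunDemo.java && java ArrayOverrunDemo`. The overrun in FixedArrayHandler is exactly the kind of fixed-capacity-versus-untrusted-length pattern a static analyser is asked to flag; the ListHandler fix keeps an explicit cap rather than only switching to ArrayList, so that a client sending a huge number of values gets a 400 instead of being allowed to grow memory without limit.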