
Java Coders Team to Bug-Hunt

Fortify, FindBugs launch open-source project to share analysis and tools.

Robert McMillan, IDG News Service

Mon, 11 Dec 2006 14:00:00 GMT

Fortify Software and the FindBugs project have launched a free service that will scan open-source Java software for bugs in the code.

The Java Open Review project (JOR) lets open-source projects run audits of their source code using Fortify's source code analysis software and the University of Maryland's FindBugs tool.

New Java Tools

With developers focusing on more secure software development practices, the Java community needs more advanced bug-finding tools like JOR, said Barmak Meftah, vice president of product and services with Fortify. "Everybody understands that the cheapest and easiest point to find and fix security bugs is at the time of implementation," he said.

Open-source developers will now get the benefit of Fortify's Source Code Analysis software, which is already used by commercial vendors such as Oracle and Adobe Systems. But the free JOR analysis is not as detailed as one done by Fortify's commercial product.

Fortify Source Code Analysis can find more than 120 categories of software security problems, Meftah said. The JOR analysis will detail about 40 categories, covering "the most egregious types of security vulnerabilities and the types that developers tend to understand most readily," he said.

The details of the free source code analysis will be made available only to project contributors so that JOR cannot be used as a hacking tool, Meftah added.

Service Opens to All

JOR has been working with a handful of open-source projects over the past six weeks and has discovered hundreds of bugs in applications like Tomcat, Zimbra, and Java Pet Store. Starting today, the service is opened up to any Java open-source projects that want to use it, Meftah said.

Sun Microsystems already uses FindBugs for its GlassFish open-source application server software, said Geoff Halliwell, a manager of application server quality engineering with Sun.

Though Sun has no immediate plans to audit its application server code with JOR, Halliwell said he would "certainly look at it."

"In my business, we're always looking to improve," he said.

©2009 About.com, a part of The New York Times Company.

All rights reserved.