Java Open Review Project
bvc writes "We launched the Java Open Review Project today. We're reviewing open source Java code all the way from Tomcat down to PetStore looking for bugs and security vulnerabilities. We're using two static analysis tools to do the heavy lifting: the open source tool FindBugs, and the commercial tool Fortify SCA. We can use plenty of human eyes to help sort through the results. We're also soliciting ideas for which projects we should be reviewing next. Please help!"
Re: (Score:2)
Unless you prefer a language in which you can be more productive
Most of the slow development and painful complexity of Java has more to do with complex configuration of the popular application frameworks than the language itself. Our in-house Tomcat/Struts/Hibernate/XDoclet application has nearly 40 different XML configuration files. Java doesn't need any of those XML files beyond the single build file for the Ant build tool.
Link to the Project... (Score:1, Informative)
Wow (Score:5, Funny)
FYI (Score:3, Informative)
Why so broad? (Score:3, Interesting)
Why so many projects?
Why not pick one or two and really run them through the wringer? Most of the heavily used projects like Tomcat have already been viewed by thousands of eyes so a cursory overview probably won't be worth the time
Anyways, good luck
Re: (Score:1)
When I go to that page the sidebar overlaps the text of the article. It kinda puts me off that a rant about "good code" is hosted on a page with terrible web design.
Static analysis unnecessary! (Score:1, Informative)
While Java is more difficult to exploit, it is still possible to crash an app (say, a servlet container running a maj
Re: (Score:2)
As nice as that is it runs into the difficulty that there are already millions of lines of code in Java and rewriting
Re: (Score:3, Insightful)
That is the argument you hear all the time. E.g., most buffer overflows in C are due to people using fixed arrays for variable length strings... which makes little sense.
Today, it seems that "archiving goals by lowering expectations" is the norm among
When you say "today", what are you comparing it to? When was the glorious time that software projects were simple enough, and well enough defined at the outset, that all targets were all met consistently and successfully?
Have you been watching Lou Dobbs too much of late? The nature of the world is not significantly diffe
Re: (Score:1)
Ha ha, that guy is so annoying :) Damn kids today!
Re: (Score:2)
I wasn't referring to projects, but to languages. You seem to have misunderstood me there. I disagree that Java is a *great* tool for many jobs, although it might be an adequate in many. The greatest advantage of Java is the bandwagon effect... as long as you choose Java, you can dodge responsibility for choosing the wrong language for the job, and also, it is easy to find mediocre programmers that can do some Java.
And sorry about misspelling "achievements". I will try to be more careful, even if it is a s
Re:Static analysis unnecessary! (Score:4, Informative)
You can't crash a Java App Server with just an ArrayIndexOutOfBoundsException. It will produce an error for that user, sure, but it won't propagate any farther than that. Read the specs sometime. The servlet container is responsible for trapping all exceptions thrown by the servlet, then dealing with them in an appropriate manner. Usually that means giving the user an HTTP 500 error.
Re: (Score:2)
Which, in webapp speak, is a crash... Yes, it won't kill the server since the exception has been handled before that, but if your index page dies with an HTTP 500 error it's exactly the same thing for the user: "Website doesn't work".
Re: (Score:2)
No, it's an error. A crash would be if the server went down.
Considering that the GP's point was that the user was trying to break it, I don't see what your complaint is. The server shrugs off the error and keeps chugging along.
Re: (Score:1)
I guess it's tough being extra-right all the time and still being ignored. Sorry.
Re: (Score:1)
I really hate responding to shadows, but here goes:
There's a list of warnings that FindBugs outputs. If you want to claim that static analysis is unnecessary for Haskell or OCaml, then go over the list and say why. It's not enough to just claim by fiat that your favorite language doesn't have that problem and then tell "Blub" to
Re: (Score:1)
I've looked into Haskell before. Just scratched the surface, really, but definitely more than "know nothing".
Bold statements like this are bullshit. Any language can benefit from static analysis. How can you seriously claim otherwise? Obviously a language like C would benef
Re: (Score:2)
Which one? There is not just one JVM. There are JVMs that ARE written in Java, such as this http://joeq.sourceforge.net/
However, there is a good reason why most JVMs aren't written in Java - the highest performance Java implementations use run-time optimisations from within a JVM. So you would need a JVM to run the Java which would implement the JVM - which is recursive. You need to bootstrap things somehow.
Ridiculous assertion (Score:2)
Note I am NOT saying Haskell is unusable. What I am saying is that in all the languages you list, it is still possible to create code that by design will be insecure. Any time you take input from a user, and place that input into a database for example, you have an avenue for attack.
As for the suggestion to use an ArrayList instead of basic arrays in Java, it makes me shudder to
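The "input placed into a database" avenue the comment above mentions is the one pattern that the static analysers named in the submission (FindBugs and Fortify SCA) look for most reliably: a SQL statement assembled from a non-constant string. The following is an added illustration written for this page, not code from the Java Open Review Project or from any of the projects it reviews; the table and column names (`users`, `name`, `id`) and the method names are assumptions made for the example. It shows the concatenation shape beside the parameterised form that keeps user input as data.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example for this thread; schema and method names are assumed.
public class UserLookup {

    // Weak form: user-controlled text becomes part of the SQL text itself.
    // When this string reaches Statement.execute*/executeQuery, FindBugs
    // flags the call under SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE.
    static String buildQueryUnsafe(String userInput) {
        return "SELECT id FROM users WHERE name = '" + userInput + "'";
    }

    // Hardened form: the statement text is a constant and the value is bound
    // as a parameter, so it can only ever be compared as data, never parsed.
    static Integer findUserIdSafe(Connection conn, String userInput) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userInput);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: an ordinary name containing a single quote.
        // In the concatenated form the quote terminates the string literal,
        // so the statement's structure now depends on the user's text;
        // in the bound form the same input is just a value.
        String input = "o'brien";
        System.out.println("Unsafe statement text: " + buildQueryUnsafe(input));
        System.out.println("Safe statement text:   SELECT id FROM users WHERE name = ?");
    }
}
```

The review-side point is that the unsafe shape is visible without running anything: a string built with `+` from a method parameter and handed to a JDBC execute call is enough for the tool to report it, which is exactly the kind of finding the project asks human eyes to triage.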
Re: (Score:2)
Then it makes me shudder to think of the design atrocities you're going to commit if by default you use arrays. Use arrays (maybe) if and only if you have established that they are required to solve a proven performance problem. Using them on the off chance that they'll be needed is the height of premature optimisation folly.
Re: (Score:1)
Like +C+?
Thanks for demonstrating that even open-minded coders like yourself still need a good QA team, even if it's just to fix the little language typos...
Where is teh link? (Score:1)