Java Open Review Project
We launched the Java Open Review Project today. We're reviewing open source Java code all the way from Tomcat down to PetStore looking for bugs and security vulnerabilities. We're using two static analysis tools to do the heavy lifting: FindBugs and Fortify SCA. We can use plenty of human eyes to help sort through the results. We're also soliciting ideas for which projects we should review next. Please help!
So far we've received a warm welcome from the Java community:
Josh Bloch, Chief Java Architect at Google says:
"Regardless of how talented and meticulous a developer is, bugs and security vulnerabilities will be found in any body of code - open source or commercial. Given this inevitability, it's critical that all developers take the time and measures to find and fix these errors."
Geoff Halliwell, Manager, App Server Quality Engineering, Sun says:
"FindBugs has been a vital part of helping Sun's internal software development process and it is good to see that open source developers can now benefit as well."
Joe Jarzombek, Director for Software Assurance in the National Cyber Security Division of the Department of Homeland Security (DHS) says:
"We view software reliability as a high priority for protecting our national interests. The Java Open Review Project is an important resource for the open source community. It promotes secure coding practices among software developers and benefits software security in general."
We couldn't ask for a better start.