
Java Open Review Project

We launched the Java Open Review Project today. We're reviewing open source Java code all the way from Tomcat down to PetStore, looking for bugs and security vulnerabilities. We're using two static analysis tools to do the heavy lifting: FindBugs and Fortify SCA. We can use plenty of human eyes to help sort through the results. We're also soliciting ideas for which projects we should review next. Please help!

So far we've received a warm welcome from the Java community:

Josh Bloch, Chief Java Architect at Google says:
"Regardless of how talented and meticulous a developer is, bugs and security vulnerabilities will be found in any body of code - open source or commercial. Given this inevitability, it's critical that all developers take the time and measures to find and fix these errors."

Geoff Halliwell, Manager, App Server Quality Engineering, Sun says:
"FindBugs has been a vital part of helping Sun's internal software development process and it is good to see that open source developers can now benefit as well."

Joe Jarzombek, Director for Software Assurance in the National Cyber Security Division of the Department of Homeland Security (DHS) says:
"We view software reliability as a high priority for protecting our national interests. The Java Open Review Project is an important resource for the open source community. It promotes secure coding practices among software developers and benefits software security in general."

We couldn't ask for a better start.

Comments (4)

First, let me say that this is a great initiative, most helpful!

I'm one of the committers in Nutch. I'd love to see the details of the report for Nutch, so that we can confirm the problems and fix them - is this information available?

Best regards,
Andrzej

Hi Andrzej, I'll set up an account for you now. Details should be in your inbox in a few minutes.

Brian

This is a great project. I'd like to see the results on WebGoat. Will the scan find all the problems?

You can look at the webgoat results by logging into the guest account:
usr: guest
passwd: guest1

I'd be surprised if we find all of the problems in WebGoat--the analysis settings we're using are tuned to produce a low rate of false positives, and that means we're going to miss some things.

Brian


This page contains a single entry from the blog posted on December 11, 2006 10:20 PM.
