Fortify Software, in conjunction with the FindBugs project, is providing free code quality scans and auditing for open source Java projects at the Java Open Review web site:

http://opensource.fortifysoftware.com/
http://extra.fortifysoftware.com/blog/2006/12/java_open_review_project.html
This service includes scans using both FindBugs and Fortify's Source Code Analysis, which looks for security bugs such as SQL injection and cross site scripting. Both scans are filtered to produce only the highest priority warnings (for FindBugs, only medium and high priority correctness warnings), although this can be modified on a per-project basis.
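As an added illustration (this is not code from FindBugs, Fortify, or the Java Open Review site, and the class and method names are hypothetical), here is what the two security bug classes named above look like in the shape a static analyzer reports them, each next to the fix a reviewer would expect. The unsafe methods build the query text and the HTML response by concatenating an untrusted parameter; the safe ones bind the value as a parameter and HTML-encode it respectively. The small `htmlEscape` helper is written here for the example rather than taken from any library.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Hypothetical lookup class used only to show the warning patterns the
 * scans described above look for, with the corresponding fixes.
 */
public class UserLookup {

    /** Flagged: untrusted input is concatenated into the query text. */
    public static ResultSet findUserUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, email FROM users WHERE name = '" + username + "'";
        Statement st = conn.createStatement();
        // A source code analyzer reports this as SQL injection: tainted data reaches executeQuery.
        return st.executeQuery(sql);
    }

    /** Fixed: the query text is constant and the value travels as a bound parameter. */
    public static ResultSet findUserSafe(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id, email FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    /** Flagged: a request parameter is written into the HTML response unencoded. */
    public static String greetingUnsafe(String nameParam) {
        // A source code analyzer reports this as cross-site scripting: tainted data reaches HTML output.
        return "<p>Hello, " + nameParam + "</p>";
    }

    /** Fixed: the parameter is HTML-encoded before it is emitted. */
    public static String greetingSafe(String nameParam) {
        return "<p>Hello, " + htmlEscape(nameParam) + "</p>";
    }

    /** Minimal HTML encoder for the five characters that matter in element content and attributes. */
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

The point a reviewer checks on each warning is whether the value reaching `executeQuery` or the response body is still under the caller's control; in the fixed variants the database driver and the encoder, not string concatenation, decide how the input is interpreted.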
Scan results are made available only to individuals authorized by the project to review the results. The web site shows the source lines associated with each warning, so that the warning can be viewed in context. In fact, you can pretty much navigate the entire source tree, making it a web-based (read-only) IDE. The web site also allows each warning to be flagged as "should fix" or "don't fix" and allows comments to be made on each warning, perhaps explaining why something needs to be fixed, why it doesn't need to be fixed, or who should be responsible for fixing it.
Fortify will download updates from your source code repository on a regular basis, rerun the analysis (including any improvements made to the analysis), and update the web site, retaining any flagging or comments on the warnings made by contributors on the previous analysis results. Thus, once something has been flagged as "don't fix", it stays flagged as "don't fix".
For open source projects, particularly ones with many project members that are geographically distributed, this is _way_ better than running FindBugs, generating an HTML report and posting it on a web site for project members to view.
Are you interested? There is a link on the Java Open Review project web page to submit a project.

We're also looking for some projects that would be brave and let us make all of their results visible to the entire world, so we can show off what FindBugs and Fortify's static analysis can do. Is your project one of those?
Bill Pugh
p.s. Fortify Software is the sponsor of the FindBugs project and provides financial support crucial to the FindBugs project.
_______________________________________________
Findbugs-announce mailing list
Findbugs-announce@...
http://mailman.cs.umd.edu/mailman/listinfo/findbugs-announce