Fortify Software, in conjunction with the FindBugs project, is providing free code quality scans and auditing for open source Java projects at the Java Open Review web site:

http://opensource.fortifysoftware.com/
http://extra.fortifysoftware.com/blog/2006/12/java_open_review_project.html
This service includes scans using both FindBugs and Fortify's Source Code Analysis, which looks for security bugs such as SQL injection and cross site scripting. Both scans are filtered to produce only the highest priority warnings (for FindBugs, only medium and high priority correctness warnings), although this can be modified on a per-project basis.
Scan results are made available only to individuals authorized by the project to review the results. The web site shows the source lines associated with each warning, so that the warning can be viewed in context. In fact, you can pretty much navigate the entire source tree, making it a web-based (read-only) IDE. The web site also allows each warning to be flagged as "should fix" or "don't fix" and allows comments to be made on each warning, perhaps explaining why something needs to be fixed, why it doesn't need to be fixed, or who should be responsible for fixing it.
Fortify will download updates from your source code repository on a regular basis, rerun the analysis (including any improvements made to the analysis), and update the web site, retaining any flagging or comments on the warnings made by contributors on the previous analysis results. Thus, once something has been flagged as "don't fix", it stays flagged as "don't fix".
For open source projects, particularly ones with many project members that are geographically distributed, this is _way_ better than running FindBugs, generating an HTML report and posting it on a web site for project members to view.
Brian Chess, chief scientist at Fortify Software, and I would both very much like to have the GlassFish project be part of the Java Open Review project.

Are you interested? There is a link on the Java Open Review project web page to submit a project, but you can just email Brian and me directly. We'll need a contact person on the GlassFish project to figure out who is allowed to see results, with whom to discuss which build we should be scanning (presumably, v2 head), and to resolve any issues that come up in trying to set up the automated update, build and scan process.
We're also looking for some projects that would be brave and let us make all of their results visible to the entire world, so we can show off what FindBugs and Fortify's static analysis can do. Is the GlassFish project one of those?
Bill Pugh