FindBugs part of Java Open Review effort

Fortify Software, in conjunction with the FindBugs project, is providing free code quality scans and auditing for open source Java projects at the Java Open Review web site:

http://opensource.fortifysoftware.com/

This service includes scans using both FindBugs and Fortify's Source Code Analysis, which looks for security bugs such as SQL injection and cross-site scripting. Both scans are filtered to produce only the highest priority warnings (for FindBugs, only medium and high priority correctness warnings), although this filtering can be adjusted on a per-project basis.

Scan results are made available only to individuals authorized by the project to review the results. The web site shows the source lines associated with each warning, so that the warning can be viewed in context. In fact, you can pretty much navigate the entire source tree, making it a web-based (read-only) IDE. The web site also allows each warning to be flagged as "should fix" or "don't fix" and allows comments to be made on each warning, perhaps explaining why something needs to be fixed, why it doesn't need to be fixed, or who should be responsible for fixing it.

Fortify will download updates from your source code repository on a regular basis, rerun the analysis (including any improvements made to the analysis tools since the last run), and update the web site, retaining any flags or comments that contributors made on the previous analysis results. Thus, once something has been flagged as "don't fix", it stays flagged as "don't fix" across subsequent scans.

For open source projects, particularly ones with many project members who are geographically distributed, this is _way_ better than running FindBugs yourself, generating an HTML report, and posting it on a web site for project members to view.

Are you interested? There is a link on the Java Open Review project web page to submit a project.

We're also looking for some projects that would be brave enough to let us make all of their results visible to the entire world, so we can show off what FindBugs and Fortify's static analysis can do. Is your project one of those?

Posted by William Pugh 2006-12-25