
Java Coding Guidelines: automated screening

 
Joel Neely
Greenhorn
Posts: 9
1
Given the growing power of tools such as FindBugs and PMD, how well do you think the range of secure coding concerns can be instrumented by static analysis of source or bytecode?
 
David Svoboda
Author
Greenhorn
Posts: 13
5
Debian Java Mac OS X
Fairly well, but they could do better. Static analysis tools such as FindBugs tend to flag problems which are easy to diagnose. While many coding rules are easy to diagnose automatically, some are quite difficult or impossible. For instance, determining if a Java object variable might be null can require in-depth whole-program analysis, and a perfect analysis is not technically feasible now (and probably never will be). Some tools instead use heuristics (e.g. if we check that this variable is null 5 times out of 6, then that 6th one is probably an error).
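The "checked 5 times out of 6" heuristic described in the answer above is simple enough to sketch. The following is an added example, not code from the thread or from FindBugs or PMD: a toy regex-based checker that splits a Java class into method bodies, records which methods dereference each parameter and which ones null-check it, and flags a variable when it is guarded in most of the methods that use it but dereferenced unguarded in at least one. The `AccountService` sample is constructed for the example, and the `METHOD_HEADER`, `NULL_CHECK` and `DEREF` patterns are deliberately naive (no real Java parser, no flow sensitivity), which is exactly why a real tool needs whole-program analysis to avoid false positives.

```python
import re
from collections import defaultdict

# Constructed Java sample (not from the thread): four methods take an
# Account parameter; three guard it against null, one does not.
JAVA_SOURCE = """
class AccountService {
    void close(Account acct) {
        if (acct != null) {
            acct.close();
        }
    }
    void audit(Account acct) {
        if (acct == null) {
            return;
        }
        acct.log("audit");
    }
    void notify(Account acct) {
        if (null != acct) {
            acct.send("notice");
        }
    }
    void refund(Account acct) {
        acct.credit(10);
    }
    String describe(Formatter fmt) {
        return fmt.format("summary");
    }
}
"""

# Naive method header: optional modifiers, a return type, a name that is not
# a control-flow keyword, a parameter list and the opening brace.
METHOD_HEADER = re.compile(
    r'(?:public|private|protected|static|final|\s)*'
    r'[\w<>\[\]]+\s+(?!if\b|for\b|while\b|switch\b|catch\b)(\w+)\s*\([^)]*\)\s*\{')
# "x == null", "x != null", "null == x", "null != x"
NULL_CHECK = re.compile(r'\b(\w+)\s*[!=]=\s*null\b|\bnull\s*[!=]=\s*(\w+)\b')
# "x.method(" where x is a lower-case identifier not preceded by another '.'
DEREF = re.compile(r'(?<![\w.])([a-z]\w*)\.\w+\s*\(')
KEYWORDS = {"this", "super", "return", "new"}


def split_methods(src):
    """Map method name -> body text using naive brace matching."""
    methods = {}
    for m in METHOD_HEADER.finditer(src):
        depth = 0
        for i in range(m.end() - 1, len(src)):   # m.end()-1 is the '{'
            if src[i] == '{':
                depth += 1
            elif src[i] == '}':
                depth -= 1
                if depth == 0:
                    methods[m.group(1)] = src[m.end():i]
                    break
    return methods


def summarize(src):
    """Per variable: the methods that dereference it and those that null-check it."""
    derefs = defaultdict(set)
    checks = defaultdict(set)
    for name, body in split_methods(src).items():
        for m in DEREF.finditer(body):
            if m.group(1) not in KEYWORDS:
                derefs[m.group(1)].add(name)
        for m in NULL_CHECK.finditer(body):
            checks[m.group(1) or m.group(2)].add(name)
    return derefs, checks


def find_inconsistent_null_checks(src, threshold=0.5):
    """Flag variables null-checked in more than `threshold` of the methods that
    dereference them, yet dereferenced without a check in at least one method.
    A variable used in a single method yields no evidence and is never flagged."""
    derefs, checks = summarize(src)
    findings = {}
    for var, users in derefs.items():
        checked = users & checks[var]
        unchecked = users - checks[var]
        if len(users) >= 2 and unchecked and len(checked) / len(users) > threshold:
            findings[var] = {"checked_in": sorted(checked),
                             "unchecked_in": sorted(unchecked)}
    return findings


if __name__ == "__main__":
    for var, info in find_inconsistent_null_checks(JAVA_SOURCE).items():
        print(f"'{var}' is null-checked in {info['checked_in']} "
              f"but dereferenced unchecked in {info['unchecked_in']}")
```

Run against the sample, the checker reports `acct` as unchecked in `refund` while `close`, `audit` and `notify` guard it; `fmt` is used in only one method and produces no finding. Note that `audit` counts as "checked" only because the regex sees an `== null` comparison somewhere in the body; a tool that is not flow-sensitive cannot tell a guard that returns early from one that does nothing, which is the gap the answer points at.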
 
I agree. Here's the link: http://aspose.com/file-tools