This week's book giveaway is in the Servlets forum.
We're giving away four copies of Murach's Java Servlets and JSP and have Joel Murach on-line!
See this thread for details.
The moose likes Security and the fly likes Java Coding Guidelines: automated screening Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "Java Coding Guidelines: automated screening" Watch "Java Coding Guidelines: automated screening" New topic

Java Coding Guidelines: automated screening

Joel Neely

Joined: Sep 03, 2013
Posts: 6
Given the growing power of tools such as FindBugs and PMD, how well do you think the range of secure coding concerns can be instrumented by static analysis of source or bytcode?
David Svoboda

Joined: Oct 21, 2013
Posts: 13

Fairly well, but they could do better. Static analysis tools such as FindBugs tend to flag problems which are easy to diagnose. While many coding rules are easy to diagnose automatically, some are quite difficult or impossible. For instance, determining if a Java object variable might be null can require in-depth whole program analysis, and a perfect analysis is not technically feasible now. (and probably will never be). Some tools instead use heuristics (eg if we check that this variable is null 5 times out of 6, than that 6th one is probably an error).

[Java Coding Guidelines] and [The CERT Oracle Secure Coding Standard for Java ] are from the [CERT Secure Coding Initiative]
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
subject: Java Coding Guidelines: automated screening
Similar Threads
Why we live?
javascript function call issue on safari Listen fail?
What do I have to use....
build.xml question