A whitepaper published on Monday by code auditing firm Fortify Software found that open-source projects written in Java have an order of magnitude fewer defects than those written in other languages, but the sample code provided to developers continues to be buggy.
The eight-page study, available from the company's Web site, showed some details of bugs found through the Java Open Review, a project currently being run by Fortify and the FindBugs project at the University of Maryland at College Park. While the initiative has reviewed dozens of projects, the study focused on four of them--Hibernate, Spring, Struts and Tomcat--and found an average defect rate of 0.07 bugs per thousand lines of code.
The defect rate is an order of magnitude lower than comparable projects written in C and C++, but the projects' developers still need to watch out for sample code that contains bugs as well as library interfaces that could allow bad programming, the study found.
"The way some of the projects are written encourages developers to make security mistakes when they use the code," Brian Chess, Fortify's chief scientist and one of the authors of the report, said in a statement. "Given the evidence of Java's strong security, we want to make sure open source developers have the ability to repair weaknesses before they pose a risk to end users."
Fortify and its competitor, Coverity, have both offered free scanning for certain well-known open-source programs. The projects have found a large number of flaws in open-source driver code and Web applications. Fortify previously announced a system to help developers classify flaws, which the company hoped would also educate developers about the various types of vulnerabilities they have to look for.
The most common software flaws found by the Java Open Review are cross-site scripting issues.
Posted by: Robert Lemos