Code auditing firm Fortify Software announced on Monday that the company is teaming up with quality-testing project FindBugs to offer a free scanning service to any Java programmer aimed at automatically detecting quality defects and security bugs.
The project, dubbed Java Open Review, will allow a contributor to submit any project written in Java to be scanned using both Fortify's auditing tool and the FindBugs engine. The two organizations have already scanned ten open-source projects written in Java, including the Azureus BitTorrent application, the Zimbra Web e-mail server, and the Apache Tomcat Java server.
The project has gotten support from both Sun Microsystems, the creator of Java, and Google, a heavy user of the programming language.
"Regardless of how talented and meticulous a developer is, bugs and security vulnerabilities will be found in any body of code, open source or commercial," Josh Bloch, chief Java architect at Google, said in a statement announcing the project. "Given this inevitability, it's critical that all developers take the time and measures to find and fix these errors."
Fortify's competitor Coverity has also offered free scanning for certain well-known open-source programs. A large number of the flaws in open-source software appear in driver code and Web applications. Fortify previously announced a system to help developers classify flaws, which the company hoped would also educate developers about the various types of vulnerabilities they have to look for.
The project lists basic statistics on the public site for each submitted project: the portion of the project scanned, the number of defects found overall, and the average number found per thousand lines of code. However, the exact descriptions of the errors will be available only to project contributors.
Posted by: Robert Lemos