Posted to dev@tomcat.apache.org by sebb <se...@gmail.com> on 2008/09/27 00:00:47 UTC
Findbugs results when run against Tomcat6
Just out of curiosity, I ran Findbugs 1.3.5 on Tomcat 6.0.18. The
default settings generated some 1400 warnings about possible bugs.
Quite a few of them look serious - assuming that the code which
contains them is being used.
For example, there are quite a few public static fields which are not final.
There are several instances of problems with String handling, e.g.
using == to compare Strings or using String.replace() without
assigning the result.
And there are a few instances of methods which synchronize on a field
in what appears to be an attempt to guard against simultaneous updates
to that field. But guarding a field gets a lock on the referenced
object, not on the field. This is probably not what was intended.
I can provide a listing of the analysis if required, but it might be
easier to use a FindBugs IDE plugin.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
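As an added illustration (not code from the Tomcat code base or from this thread), here are the four warning patterns sebb lists, each beside its corrected form; the class, method and field names are invented for the example:

```java
public class FindbugsPatterns {

    // Pattern 1: public static field that is not final. Any class loaded in
    // the JVM can overwrite it, so nothing that reads it can trust the value.
    public static String DEFAULT_ENCODING = "ISO-8859-1";
    // Corrected form: final, so the value cannot be swapped at runtime.
    public static final String DEFAULT_ENCODING_FIXED = "ISO-8859-1";

    // Pattern 2a: == on Strings compares references, not contents, so a
    // value read from the network will not match a literal even if equal.
    static boolean isGetRequest(String method) {
        return method == "GET";
    }
    static boolean isGetRequestFixed(String method) {
        return "GET".equals(method);      // null-safe content comparison
    }

    // Pattern 2b: String.replace() returns a new String; the receiver is
    // immutable, so discarding the result leaves the input unchanged.
    static String stripCr(String line) {
        line.replace("\r", "");           // result discarded: CR survives
        return line;
    }
    static String stripCrFixed(String line) {
        return line.replace("\r", "");
    }

    // Pattern 3: synchronizing on a field that gets reassigned. The monitor
    // belongs to the object the field currently references, not to the
    // field. After the assignment, later callers lock a different object,
    // so two threads can be inside the "guarded" block at the same time.
    private Object state = new Object();
    void updateState() {
        synchronized (state) {
            state = new Object();         // the lock just taken now guards nothing
        }
    }
    // Corrected form: a dedicated final lock object guards the mutable field.
    private final Object lock = new Object();
    private Object guarded = new Object();
    void updateStateFixed() {
        synchronized (lock) {
            guarded = new Object();
        }
    }

    public static void main(String[] args) {
        // A String built at runtime is a distinct object from the literal "GET".
        String fromWire = new String(new char[] {'G', 'E', 'T'});
        System.out.println("== : " + isGetRequest(fromWire)
                + ", equals: " + isGetRequestFixed(fromWire));
        System.out.println("CR left by stripCr: " + stripCr("Host: x\r").endsWith("\r")
                + ", by stripCrFixed: " + stripCrFixed("Host: x\r").endsWith("\r"));
    }
}
```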
Re: Findbugs results when run against Tomcat6
Posted by Leon Rosenberg <ro...@googlemail.com>.
Hello sebb,
just out of curiosity, could you setup a webpage with your results or
make them available via email or download ?
Leon
On Sat, Sep 27, 2008 at 12:00 AM, sebb <se...@gmail.com> wrote:
> Just out of curiosity, I ran Findbugs 1.3.5 on Tomcat 6.0.18. The
> default settings generated some 1400 warnings about possible bugs.
>
> Quite a few of them look serious - assuming that the code which
> contains them is being used.
>
> For example, there are quite a few public static fields which are not final.
>
> There are several instances of problems with String handling, e.g.
> using == to compare Strings or using String.replace() without
> assigning the result.
>
> And there are a few instances of methods which synchronize on a field
> in what appears to be an attempt to guard against simultaneous updates
> to that field. But guarding a field gets a lock on the referenced
> object, not on the field. This is probably not what was intended.
>
> I can provide a listing of the analysis if required, but it might be
> easier to use a FindBugs IDE plugin.
Re: Findbugs results when run against Tomcat6
Posted by Mark Thomas <ma...@apache.org>.
Jim Manico wrote:
> Findbugs does a real bad job of finding real security bugs - I would
> recommend running the codebase against Fortify + include the new Cigital
> rulepack.
>
> Or take a look at the results of the Fortify Open Source Analysis project
>
> https://opensource.fortify.com/teamserver/welcome.fhtml
Past experience with that site and its ability to find genuine security
bugs wasn't great. For example, with 4.1.10 it found a whole handful of
false positives and no genuine security issues. It isn't as if there were
plenty to find (http://tomcat.apache.org/security-4.html).
I made some suggestions on what needed to be done to improve it over a year
ago. As yet, there has been no response although it appears that some of
those suggestions have been acted on which is a positive sign.
Out of curiosity, I did try and request an account today to look at the
latest Tomcat 6 results, but the "request an account" link only shows the
login page. I found an e-mail address so I have sent my request there.
My previous conclusion was that findbugs on its own would be a better bet
for finding bugs but I never got around to trying it. Sebb's e-mail has
prompted me to download it and see what the results look like.
Mark
Re: Findbugs results when run against Tomcat6
Posted by Jim Manico <ji...@manico.net>.
Findbugs does a real bad job of finding real security bugs - I would
recommend running the codebase against Fortify + include the new Cigital
rulepack.
Or take a look at the results of the Fortify Open Source Analysis project
https://opensource.fortify.com/teamserver/welcome.fhtml
- Jim
> Just out of curiosity, I ran Findbugs 1.3.5 on Tomcat 6.0.18. The
> default settings generated some 1400 warnings about possible bugs.
>
> Quite a few of them look serious - assuming that the code which
> contains them is being used.
>
> For example, there are quite a few public static fields which are not final.
>
> There are several instances of problems with String handling, e.g.
> using == to compare Strings or using String.replace() without
> assigning the result.
>
> And there are a few instances of methods which synchronize on a field
> in what appears to be an attempt to guard against simultaneous updates
> to that field. But guarding a field gets a lock on the referenced
> object, not on the field. This is probably not what was intended.
>
> I can provide a listing of the analysis if required, but it might be
> easier to use a FindBugs IDE plugin.
Re: Findbugs results when run against Tomcat6
Posted by Jonathan Holloway <jo...@gmail.com>.
You can also set this up to run as part of the Gump build and get the
warnings/errors etc. recorded as part of a standard build.
Jon.
2008/9/26 sebb <se...@gmail.com>
> Just out of curiosity, I ran Findbugs 1.3.5 on Tomcat 6.0.18. The
> default settings generated some 1400 warnings about possible bugs.
>
> Quite a few of them look serious - assuming that the code which
> contains them is being used.
>
> For example, there are quite a few public static fields which are not
> final.
>
> There are several instances of problems with String handling, e.g.
> using == to compare Strings or using String.replace() without
> assigning the result.
>
> And there are a few instances of methods which synchronize on a field
> in what appears to be an attempt to guard against simultaneous updates
> to that field. But guarding a field gets a lock on the referenced
> object, not on the field. This is probably not what was intended.
>
> I can provide a listing of the analysis if required, but it might be
> easier to use a FindBugs IDE plugin.
--
Web: http://www.jonathanholloway.co.uk
Mail: jonathan.holloway@gmail.com
IM: jonathan_philip_holloway@hotmail.com