The Java Open Review (JOR) Project is designed to help open sourcesoftware projects identify and fix security and other software errorsbefore they affect application performance or risk.
Kicked off with participation from 10 open sourceprojects, including Tomcat and Zimbra, JOR comes at a time when Java is growing more popular with open source — particularly with Sun Microsystems’move to open Java further with the GNU General Public License (GPL).
“FindBugs has been a vital part of helping Sun’s internal softwaredevelopment process, and it is good to see that open source developerscan now benefit as well,” said Sun App Server Quality EngineeringManager Geoff Halliwell.
With the new JOR Project, Fortify and FindBugs will provide a high-leveloverview of project results, including the most common bugs and securityholes, to the larger open source software community.Results will include the number of security and quality errors found anda breakdown of errors per 1,000 lines of code.
JOR sponsors said leaders of participating open source projects willbe given login access to get more detailed information on the codingerrors to make fixes faster and easier.
Fortify’s technology combs code for security issues, while FindBugs focuses on software quality issues, Brian Chess, Fortify cofounder and chief scientist, told LinuxInsider.
“We’ve got a lot of companies developing online applications usingJava, and almost all use open source components,” he said.
Fortify decided to team with FindBugs, a partner on a similar project started last May, tocentralize the code review for applications using Java and open sourcesoftware, according to Chess.
Most open sourceprojects welcomed the additional review through JOR, Chess said, although he acknowledged there were some reservations over the exposure of code security gaps and imperfections.
Still, he said, “people generally welcome us because we are more eyeballs on theircode.”
Help Against Hackers
All software has bugs, Chess emphasized. The point of JOR isnot to make Java open source programmers look bad, but to help them learn how to get rid of and avoidsoftware bugs.
“As software becomes increasingly intricate, FindBugs and FortifySoftware want to provide open source developers automated tools to helpfind defects in complex code bases, as well as defend against anever-growing pool of sophisticated hackers,” Chess said. “No one ishelping the Java open source community, and we want to fix that.”