Posts Tagged ‘JSR-305’

  • Findbugs not recognizing exceptions? Java static analysis

    on May 4, 09 • by Alen Zukich • with 1 Comment

    We’ve posted previously on some of the differences between Findbugs’ open source Java analysis and commercial Java static analysis tools, specifically on the JSR-305 specification and on source code versus bytecode analysis. Because of these differences, many Java shops use a commercial Java static analysis tool alongside Findbugs to get the most complete issue detection possible. One area discussed previously is the ability to identify possible null pointer dereferences. This piqued my interest and led me to do some benchmarking against a few open

  • JSR 305: a silver bullet or not a bullet at all?

    on Mar 30, 09 • by Mikhail Ksenzov • with 9 Comments

    JSR-305 is a Java Specification Request intended to improve the effectiveness of static analysis tools operating in Java 5+ environments. The idea is that one can use special-purpose annotations to provide static analysis tools with hints regarding the behaviour and side effects of methods. An example of such annotations can be found in the presentation ‘Annotations for Software Defect Detection’ by William Pugh, who is masterminding the whole spec. Here we go:

        void test() {
            if (spec != null) fFragments.add(spec);
            if (isComplete(spec)) fPreferences.add(spec);
        }

        boolean isComplete(AnnotationPreferences spec)
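    To make the contract concrete, here is an added example (not code from the post or from Pugh’s presentation) that expresses the snippet above with the JSR-305 annotations from javax.annotation. The AnnotationPreferences class, the lookup method and the field names are assumptions modelled on the snippet; the point is that once isComplete declares its parameter non-null, the unguarded second call in test becomes something a tool can report rather than guess at.

```java
import java.util.ArrayList;
import java.util.List;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.ParametersAreNonnullByDefault;

// Added example, not from the original post. Assumes the JSR-305 annotation jar
// (package javax.annotation) is on the classpath. AnnotationPreferences, lookup()
// and the f* fields are hypothetical names modelled on the post's snippet.
@ParametersAreNonnullByDefault
public class Jsr305Demo {

    // Hypothetical stand-in for the type used in the post's snippet.
    static final class AnnotationPreferences {
        private final String name;
        AnnotationPreferences(@CheckForNull String name) { this.name = name; }
        boolean hasName() { return name != null; }
    }

    private final List<AnnotationPreferences> fFragments = new ArrayList<>();
    private final List<AnnotationPreferences> fPreferences = new ArrayList<>();

    // @CheckForNull on a return value tells the analyser (and the reader) that
    // every caller must test the result before dereferencing it.
    @CheckForNull
    static AnnotationPreferences lookup(String key) {
        return key.isEmpty() ? null : new AnnotationPreferences(key);
    }

    // Without an annotation the parameter is simply "unknown" and the analyser
    // cannot say whether isComplete(null) is a bug. @Nonnull (here also implied
    // by the class-level @ParametersAreNonnullByDefault) makes the contract
    // explicit: passing a possibly-null value is a defect at the call site.
    boolean isComplete(@Nonnull AnnotationPreferences spec) {
        return spec.hasName();   // dereference: spec must be non-null here
    }

    // Same shape as the post's snippet. The first statement shows the author
    // considers spec possibly-null; the second passes it on unconditionally.
    // With the annotations above, a JSR-305-aware tool can flag the second line
    // as passing a possibly-null argument to a @Nonnull parameter.
    void testBuggy(@CheckForNull AnnotationPreferences spec) {
        if (spec != null) fFragments.add(spec);
        if (isComplete(spec)) fPreferences.add(spec);   // possible null dereference
    }

    // Hardened variant: the null check guards the dereferencing call as well.
    void testFixed(@CheckForNull AnnotationPreferences spec) {
        if (spec == null) return;
        fFragments.add(spec);
        if (isComplete(spec)) fPreferences.add(spec);
    }

    int preferenceCount() { return fPreferences.size(); }

    public static void main(String[] args) {
        Jsr305Demo demo = new Jsr305Demo();

        // Constructed inputs: one real preference, one lookup that yields null.
        demo.testFixed(lookup("complete"));
        demo.testFixed(lookup(""));          // null is handled, nothing added
        System.out.println("preferences after fixed path: " + demo.preferenceCount());

        // The buggy path compiles without complaint; the contract violation only
        // surfaces at runtime unless a JSR-305-aware analyser catches it first.
        try {
            demo.testBuggy(lookup(""));
        } catch (NullPointerException e) {
            System.out.println("testBuggy(null) threw NullPointerException, as the annotations predicted");
        }
    }
}
```

    The annotations change nothing at runtime; they only give the analyser a contract to check. That is the whole bargain of JSR-305: a tool can report the second line of testBuggy only because isComplete now says what it requires.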

  • Java source code vs bytecode analysis

    on Jan 6, 09 • by Alen Zukich • with No Comments

    David posted an interesting discussion on the use of static analysis tools by developers to find security vulnerabilities. As always, the discussion of static analysis tools leans towards false positives and false negatives. But David also mentions that their results are sometimes difficult to understand. This is one of the reasons Klocwork switched from a bytecode analysis tool for Java to a source code analysis tool. Both have their advantages and disadvantages (and I admit I’m very biased here), but we have certainly found that we have been able to reduce our false positive
