Findbugs does a real bad job of findings real security bugs - I would
recommend running the codebase against Fortify + include the new Cigital
rulepack.
Or take a look at the results of the Fortify Open Source Analysis project
https://opensource.fortify.com/teamserver/welcome.fhtml
- Jim
Just out of curiosity, I ran Findbugs 1.3.5 on Tomcat 6.0.18. The
default settings generated some 1400 warnings about possible bugs.
Quite a few of them look serious - assuming that the code which
contains them is being used.
For example, there are quite a few public static fields which are not final.
There are several instances of problems with String handling, e.g.
using == to compare Strings or using String.replace() without
assigning the result.
And there are a few instances of methods which synchronize on a field
in what appears to be an attempt to guard against simultaneous updates
to that field. But guarding a field gets a lock on the referenced
object, not on the field. This is probably not what was intended.
I can provide a listing of the analyis if required, but it might be
easier to use a FindBugs IDE plugin.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
