FindBug

Introduction to FindBug

Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure, and can help to ensure that the code adheres to industry standards. FindBug is an open source project for free static source code analysis tool created by David Hovemeyer and Bill Pugh which helps you to find the bugs in your java code and improve the code quality. Bug Rank - bugs are given a rank 1-20, and grouped into the categories scariest (rank 1-4), scary (rank 5-9), troubling (rank 10-14), and of concern (rank 15-20).
Scope of applicability (Usage of FindBug)
FindBugs supports only Java at this time limits uses to Java based applications. However, since FindBugs supports detection of various categories of bugs, it can be used in different settings. For Instance, it can be used to detect performance bugs in embedded applications.can be used to detect Concurrency bugs in an application that has complex multithreading. The ability to select which bugs to Scan for makes FindBugs a versatile tool which can be used on various types of codebases.

FindBugs Installation

For Installing FindBugs Plugin from eclipse, select Help->Install New Software Then click add, then provide Name and Location according to the following screenshot
 

 
 Then select the FindBugs version click next and accept the license details, it will install the FindBugs








FindBugs Configuration

Text Box: Here you can apply FindBugs filter, in order to utilizing different Findbugs bug patternsAfter install, you can configure FindBugs from eclipse, Window->Preferences->Java->FindBugs

 

 

 

 


 


FindBug Run



Now, Build the project using Project->Build Project. Right click on the project, and run the FindBugs according to following screenshot.

 

Drawbacks and Benefits
Drawbacks
• FindBugs has detected only syntactic issues, but not semantic errors For example, when we conducted a test against our bug seeded code, it did not detect any seeded bug. The reason was that all the seeded bugs were semantic bugs, not technical bugs.
• While FindBugs have detected many possible bugs, some of the bugs were not real bugs. Some issued bugs were related to programming practice or coding standard. In other word, if a development decide to use another set of coding standard, the result of the tool would not be sufficiently reasonable.
• Even after getting result from the tool, we had to investigate if the issued bugs were real or not. It was because we could not get substantial evidence to believe that all the issues would be real. The nature of the development of filters added such kind of suspect. Each filter corresponding to each bug could be developed by individual developers. This meant that all filters could not have a level of standard quality. Therefore the issued bugs could be only issues; we had to judge the reality of issues.
Benefits
FindBugs is more focused on real bugs rather than stylistic issues. It can detect more than 380 bug patterns ,including such issues as null pointer dereferences, security flaws, concurrency problems, and performance issues. Since FindBugs operates on the Java byte code, it can also analyze JSP pages because JSP code can be pre-compiled to Java classes. FindBugs prioritizes warnings based on the coarse three-level (high, medium, low) priority, which is nowadays renamed to confidence level in FindBugs.
• FindBugs provided good suggestions when a bug was examined in the Eclipse IDE. It provided
detailed descriptions of why a certain class of bug was harmful.
• We encountered a very low number of false positives. So the tool is generally reliable and finds
valid bugs.
• It provided categories of bugs, which we found to be very useful. We found the option of turning
off scanning for certain types of bugs to be a useful feature which would increase the
convenience of using FindBugs in different situations.
• From our experience we think that FindBugs is a good way to learn good coding practices for
Java, especially for the novice software engineer. It helps users find common pieces of bad code
and avoid them in the future.

Usability
From a usability perspective, the tool was very easy to use. We used the Eclipse plug-in for this evaluation, although command line and GUI versions were also available. There is even a Java WebStart version of the tool available online.

Performance
We found the performance of FindBugs to be very good. It was able to analyze 2115 lines of code (not counting comments) in around 9 seconds for the first time. Subsequent scans were considerably shorter.
Compatibility
FindBugs can be easily integrated into various IDEs (e.g. Eclipse), software build systems (e.g. Apache Ant), and continuous integration servers (e.g. Jenkins).

Comments

Post a Comment

Popular posts from this blog

Cross-site Request Forgery(CSRF) protection via Synchronizer Token Patterns and Double Submit Cookies Patterns

Image
What is Cross-site Request Forgery(CSRF) Cross-Site Request Forgery (CSRF)  is a type of attack outlined in the OWASP Top 10  that occurs when a malicious website, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated (logged in). The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser without knowledge of the target user, at least until the unauthorized transaction has been committed. At the most basic level, the reason for a CSRF is that browser's do not understand how to distinguish if an action was performed on purposely by a user (like say by clicking a button o...
Read more

What is Emma ?

Image
What is Emma ?  Emma is an open source toolkit for measuring and reporting Java Code coverage. EMMA is distributed under the terms of Common Public License v 1.0. EMMA is not currently under active development; the last stable release took place in mid-2005. As replacement, JaCoCo was developed.   EMMA works by wrapping each line of code and each condition with a flag, which is set when that line is executed. Features ·          instrument classes for coverage either offline (before they are loaded) or on the fly (using an instrumenting application class loader). ·          Supported coverage types: class, method, line, basic block. EMMA can detect when a single source code line is covered only partially. ·          Coverage stats are aggregated at method, class, package, and "all classes" levels. ·        ...
Read more

DAA SIMULATOR

Introduction ·        Used programming language : Java ·        Algorithms: o     Insertion sort algorithm o    Selection sort algorithm ·        Insertion sort                   One of the simplest methods to sort an array is an insertion sort. An example of an insertion sort occurs in everyday life while playing cards. To sort the cards in your hand you extract a card, shift the remaining cards, and then insert the extracted card in the correct place. This process is repeated until all the cards are in the correct sequence. Following are some of the important characteristics of Insertion Sort. 1.       It has one of the simplest implementation 2.       It is efficient for smaller data sets, but very inefficient for larger ...
Read more