Fortify Software Inc. and the FindBugs project have launched a free service that will scan open-source Java software for bugs in the code.
The Java Open Review (JOR) project lets open-source projects run audits of their source code using Fortify's source code analysis software and the University of Maryland's FindBugs tool.
With developers focusing on more secure software development practices, the Java community needs more advanced bug-finding tools like JOR, said Barmak Meftah, vice president of product and services, with Fortify. "Everybody understands that the cheapest and easiest point to find and fix security bugs is at the time of implementation," he said.
Open-source developers will now get the benefit of Fortify's Source Code Analysis software, which is already used by commercial vendors such as Oracle Corp. and Adobe Systems Inc. However, the free JOR analysis is not as detailed as one done by Fortify's commercial product.
Fortify Source Code Analysis can find more than 120 categories of software security problems, Meftah said. The JOR analysis will detail about 40 categories, covering "the most egregious types of security vulnerabilities and the types that developers tend to understand most readily," he said.
The details of the free source code analysis will be made available only to project contributors so that JOR cannot be used as a hacking tool, Meftah added.
JOR has been working with a handful of open-source projects over the past six weeks and has discovered hundreds of bugs in applications like Tomcat, Zimbra and Java Pet Store. On Monday, the service will be opened up to any Java open-source projects that want to use it, Meftah said.
Sun Microsystems Inc. already uses FindBugs for its GlassFish open-source application server software, said Geoff Halliwell, a manager of application server quality engineering with Sun.
Though Sun has no immediate plans to audit its application server code with JOR, Halliwell said he would "certainly look at it."