Eliminating bugs and security vulnerabilities in open source software
Fortify Software in partnership with FindBugs has launched the Java Open Review (JOR) Project. The JOR Project invites the open source software community to submit their Java software projects for a quality and security review. The efforts are being led by qualified volunteers using Fortify Source Code Analysis (SCA), the world’s most proven and widely used source code security analysis solution, and FindBugs, which is used by nearly 300,000 developers at hundreds of leading global companies to find bugs in Java code.
The goal of the JOR Project is to boost the security and quality of open source software written in Java, one of the fastest growing programming languages used by open source software developers. Fortify and FindBugs are providing the review to help open source software project owners identify and fix quality and security errors quickly – before they affect the performance of the software or pose a security risk to users.
As part of the JOR Project, Fortify and FindBugs will provide a high-level overview of the review results to the larger community of open source software users. The overview of results will include the number of security and quality errors discovered and the errors per thousand lines of code. The leaders of the participating open source projects are provided login access in order to gain detailed information on the coding errors identified so they can fix problems quickly.
The project has kicked off with participation from 10 widely used open source projects that have already been reviewed for security vulnerabilities and quality bugs using Fortify SCA and FindBugs. One of the most common defects discovered in this initial effort is cross-site scripting, a security vulnerability that, when exploited, can result in the browser executing malicious code. The most common quality bug identified was the null pointer dereference, which can cause programmes to crash or, worse, lead to data corruption. The 10 projects that participated in the initial JOR Project report include: Azureus, Hyperic, Java Petstore 2.0, Lucene, Nutch, Solr, Tomcat, Webgoat, and Zimbra.
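To make the two defect classes named above concrete, here is a small added Java example that is not code from the JOR Project or from any of the listed projects; the class and method names, and the sample input, are constructed for illustration. It shows a cross-site scripting defect (user input concatenated into HTML without encoding) next to an output-encoded version, and a null pointer dereference (calling a method on a `Map.get` result that may be null) next to a null-checked version. These are the patterns that static analysers such as Fortify SCA and FindBugs flag.

```java
import java.util.HashMap;
import java.util.Map;

public class JorDefectExamples {

    // Cross-site scripting: the caller's text is placed straight into HTML.
    // Any markup inside "name" is rendered by the browser as markup or script.
    static String greetUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Output encoding: the characters that have meaning in HTML are replaced
    // by entity references, so the browser shows them as text.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String greetSafe(String name) {
        return "<p>Hello, " + htmlEncode(name) + "</p>";
    }

    // Null pointer dereference: Map.get returns null for an unknown key, and
    // calling length() on that null throws NullPointerException at runtime.
    static int displayNameLengthUnsafe(Map<String, String> users, String id) {
        return users.get(id).length();
    }

    // Fixed: the absent case is handled explicitly instead of crashing.
    static int displayNameLengthSafe(Map<String, String> users, String id) {
        String name = users.get(id);
        return name == null ? 0 : name.length();
    }

    public static void main(String[] args) {
        // Constructed sample input containing HTML markup.
        String input = "<b>Mallory</b>";
        System.out.println(greetUnsafe(input)); // markup survives: rendered as bold
        System.out.println(greetSafe(input));   // &lt;b&gt;Mallory&lt;/b&gt;: shown as text

        Map<String, String> users = new HashMap<>();
        users.put("u1", "Alice");
        System.out.println(displayNameLengthSafe(users, "u1"));   // 5
        System.out.println(displayNameLengthSafe(users, "none")); // 0
        try {
            displayNameLengthUnsafe(users, "none");
        } catch (NullPointerException e) {
            System.out.println("unsafe lookup crashed: " + e);
        }
    }
}
```

Compile and run with `javac JorDefectExamples.java && java JorDefectExamples`. The encoding routine handles the common HTML body context only; attribute, URL and JavaScript contexts each need their own encoder, which is one reason tool-assisted review finds this class of defect so often.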