<html>
<head>
<title>FindBugs&trade; 1.2 Demo and Results</title>
<link rel="stylesheet" type="text/css" href="findbugs.css" />

</head>

<body>

<table width="100%"><tr>

<td bgcolor="#b9b9fe" valign="top" align="left" width="20%">
<table width="100%" cellspacing="0" border="0">
<tr><td><a class="sidebar" href="index.html"><img src="umdFindbugs.png" alt="FindBugs"></a></td></tr>

<tr><td>&nbsp;</td></tr>

<tr><td><b>Docs and Info</b></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="findbugs2.html">FindBugs 2.0</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="demo.html">Demo and data</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="users.html">Users and supporters</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://findbugs.blogspot.com/">FindBugs blog</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="factSheet.html">Fact sheet</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="manual/index.html">Manual</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="ja/manual/index.html">Manual(ja/&#26085;&#26412;&#35486;)</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="FAQ.html">FAQ</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="bugDescriptions.html">Bug descriptions</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="mailingLists.html">Mailing lists</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="publications.html">Documents and Publications</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="links.html">Links</a></font></td></tr>

<tr><td>&nbsp;</td></tr>

<tr><td><a class="sidebar" href="downloads.html"><b>Downloads</b></a></td></tr>

<tr><td>&nbsp;</td></tr>

<tr><td><a class="sidebar" href="http://www.cafeshops.com/findbugs"><b>FindBugs Swag</b></a></td></tr>

<tr><td>&nbsp;</td></tr>

<tr><td><b>Development</b></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://sourceforge.net/tracker/?group_id=96405">Open bugs</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="reportingBugs.html">Reporting bugs</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="contributing.html">Contributing</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="team.html">Dev team</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="api/index.html">API</a> <a class="sidebar" href="api/overview-summary.html">[no frames]</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="Changes.html">Change log</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://sourceforge.net/projects/findbugs">SF project page</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://code.google.com/p/findbugs/source/browse/">Browse source</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://code.google.com/p/findbugs/source/list">Latest code changes</a></font></td></tr>
</table>
</td>

<td align="left" valign="top">
<h1>
FindBugs 1.2 demo and results
</h1>

<p>If you just want to try running FindBugs against your
own code, you can
<a href="http://findbugs.cs.umd.edu/demo/jnlp/findbugs.jnlp">run FindBugs</a> using Java Web Start.
This will use our new GUI under Java 1.5+ and our old GUI under Java 1.4.
The new GUI provides a number of new features, but requires Java 1.5+.
Both use exactly the same analysis engine.
</p>

<p>This web page provides results of running FindBugs 1.2.0
against several open source applications. We provide a summary
of the number of bugs we found, as well as a generated HTML listing
of the bugs and
a <a href="http://java.sun.com/products/javawebstart/">Java
Web Start</a> demo of the new GUI we introduced in FindBugs version 1.1,
displaying the warnings and the relevant source.
</p>

<p>The applications and versions of them we report on
are somewhat arbitrary. In some cases, they are release versions,
in other cases nightly builds. We find lots of bugs in every large code
base we examine; these applications are certainly not the worst we have seen.
I have been allowed to confidentially examine the results of running FindBugs
against several closed commercial code bases by well respected companies;
the results I've seen there are not significantly different from
what I've observed in open source code bases.
</p>

<p><em>Experimental details</em>: These results are from running
FindBugs 1.2.0 at standard effort level. Our results do not include
any low priority warnings or any warnings about vulnerabilities to
malicious code. Although we have (repeatedly) manually audited the results,
we haven't manually filtered out false positives from these warnings,
so that you can get a feeling for the quality of the warnings generated
by FindBugs.
</p>

<p>Some of the bugs carry audit comments: they are marked as to whether
we thought the warning indicated a bug that should or must be fixed, or whether it was not, in fact, a bug.
</p>

<p>In the Web Start versions, we've only included the bugs for which
we were able to identify source files. The number of thousands of non-commenting source
statements in the table below (KNCSS) is derived from the same files
that we analyzed and in which we report bugs; we actually compute
KNCSS from the class files, not the source files.
</p>

<p><em>Vulnerability disclosure</em>: Thankfully, Java isn't C or C++. Dereferencing
a null pointer or accessing outside the bounds of an array generates a runtime
exception rather than memory corruption that can be turned into a shell exploit. We do not believe that any of the
warnings here represents a security vulnerability, although we have not audited
them to verify that. Since these projects are all aware of the existence of
FindBugs, and FindBugs is already open source and available
for use both by developers and attackers, we don't believe that making
these results available constitutes a reckless disclosure.
</p>

<p><em>Recommendations</em>: First, review the correctness warnings.
We feel confident that developers
would want to fix most of the high and medium priority correctness warnings we report.
Once you've reviewed those,
you might want to look at some of the other categories.
</p>

<p>
In other categories,
such as Bad practice and Dodgy code, we accept more false positives. You
might decide that a bug pattern isn't relevant for your code
base (e.g., you never use serialization for persistent storage,
so you never care about the fact that you didn't define a serialVersionUID),
and even for the bug patterns relevant to your code base,
perhaps only a minority will reflect problems serious enough to
convince you to change your code.
</p>

<p><em>Please be patient</em>: The Web Start versions not only have to download the application,
they also need to download about 10 megabytes of data and source files.
Sorry we don't have a progress bar for the data and source download;
the ability to remotely download a data and source archive is a little bit of
a hack. We've provided small versions of some of the data sets that include
only the correctness bugs and the source files containing those warnings. The small
datasets are about a quarter the size of the full datasets.
</p>
<table border="2">
<tr><th rowspan="2">Application</th><th colspan="2">Details</th><th colspan="2">Correctness bugs</th><th rowspan="2">Bad Practice</th><th rowspan="2">Dodgy</th><th rowspan="2">KNCSS</th></tr>
<tr><th>HTML</th><th>Web Start</th><th>NP bugs</th><th>Other</th></tr>

<tr><td align="right">Sun JDK 1.7.0-b12</td>
<td align="right"><a href="http://findbugs.cs.umd.edu/demo/jdk7/index.html">All</a></td>
<td align="right"><a href="http://findbugs.cs.umd.edu/demo/jdk7/index.jnlp">All</a> <a href="http://findbugs.cs.umd.edu/demo/jdk7/small.jnlp">Small</a></td>
<td align="right">68</td><td align="right">180</td><td align="right">954</td><td align="right">654</td><td align="right">597</td></tr>

<tr><td align="right">eclipse-SDK-3.3M7-solaris-gtk</td>
<td align="right"><a href="http://findbugs.cs.umd.edu/demo/eclipse/index.html">All</a></td>
<td align="right"><a href="http://findbugs.cs.umd.edu/demo/eclipse/index.jnlp">All</a> <a href="http://findbugs.cs.umd.edu/demo/eclipse/small.jnlp">Small</a></td>
<td align="right">146</td><td align="right">259</td><td align="right">1,079</td><td align="right">643</td><td align="right">1,447</td></tr>

<tr><td align="right">netbeans-6_0-m8</td>
<td align="right"><a href="http://findbugs.cs.umd.edu/demo/netbeans/index.html">All</a></td>
<td align="right"><a href="http://findbugs.cs.umd.edu/demo/netbeans/index.jnlp">All</a> <a href="http://findbugs.cs.umd.edu/demo/netbeans/small.jnlp">Small</a></td>
<td align="right">189</td><td align="right">305</td><td align="right">3,010</td><td align="right">1,112</td><td align="right">1,022</td></tr>

<tr><td align="right">glassfish-v2-b43</td>
<td align="right"><a href="http://findbugs.cs.umd.edu/demo/glassfish/index.html">All</a></td>
<td align="right"><a href="http://findbugs.cs.umd.edu/demo/glassfish/index.jnlp">All</a> <a href="http://findbugs.cs.umd.edu/demo/glassfish/small.jnlp">Small</a></td>
<td align="right">146</td><td align="right">154</td><td align="right">964</td><td align="right">1,222</td><td align="right">2,176</td></tr>

<tr><td align="right">jboss-4.0.5</td>
<td align="right"><a href="http://findbugs.cs.umd.edu/demo/jboss/index.html">All</a></td>
<td align="right"><a href="http://findbugs.cs.umd.edu/demo/jboss/index.jnlp">All</a> <a href="http://findbugs.cs.umd.edu/demo/jboss/small.jnlp">Small</a></td>
<td align="right">30</td><td align="right">57</td><td align="right">263</td><td align="right">214</td><td align="right">178</td></tr>
</table>

<p><em>KNCSS</em> - thousands of lines of non-commenting source statements</p>

<h2>Bug categories</h2>
<dl>
<dt>Correctness bug</dt>
<dd>Probable bug - an apparent coding mistake
resulting in code that was probably not what the
developer intended. We strive for a low false positive rate.
</dd>
<dt>Bad Practice</dt>
<dd>
Violations of recommended and essential
coding practice. Examples include hash code and equals
problems, cloneable idiom, dropped exceptions,
serializable problems, and misuse of finalize.
We strive to make this analysis accurate,
although some groups may
not care about some of the bad practices.
</dd>
<dt>Dodgy</dt>
<dd>
Code that is confusing, anomalous, or
written in a way that lends itself to errors.
Examples include dead local stores, switch fall through,
unconfirmed casts, and redundant null check of a value
known to be null.
More false positives are accepted.
In previous versions of FindBugs, this category was known as Style.
</dd>
</dl>
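<p>As an added illustration (not code from the FindBugs project or from any of the applications in the table; the class and method names are made up for this example), the following Java source contains one instance of each category above, annotated with the pattern identifier FindBugs reports for it, together with the corrected form of the correctness bug:</p>

```java
// Added illustration, not code from the FindBugs project or from the
// applications in the table: one instance of each category with the
// pattern id FindBugs reports for it, plus the corrected correctness bug.
import java.io.Serializable;

public class CategoryExamples {

    // Correctness ("NP bugs" column): the null case is tested but falls
    // through to the dereference -> NP_NULL_ON_SOME_PATH.
    static int nameLengthBuggy(String name) {
        if (name == null) {
            System.err.println("missing name");   // forgot to return here
        }
        return name.length();                     // NullPointerException on that path
    }

    // Corrected form: the null case yields its own result, so no path
    // dereferences null and the warning goes away.
    static int nameLength(String name) {
        return name == null ? 0 : name.length();
    }

    // Bad Practice: equals() overridden without hashCode(), so equal ids can
    // land in different hash buckets -> HE_EQUALS_USE_HASHCODE. Serializable
    // without a serialVersionUID -> SE_NO_SERIALVERSIONID, the pattern the
    // text cites as one a project may reasonably decide to ignore.
    static final class UserId implements Serializable {
        final String value;
        UserId(String value) { this.value = value; }
        @Override public boolean equals(Object o) {
            return o instanceof UserId && ((UserId) o).value.equals(value);
        }
        // Fix: @Override public int hashCode() { return value.hashCode(); }
        //      private static final long serialVersionUID = 1L;
    }

    // Dodgy: a computed value that is never read -> DLS_DEAD_LOCAL_STORE,
    // and a case without break -> SF_SWITCH_FALLTHROUGH (code 1 reports "two").
    static String describe(int code) {
        String label = "code " + code;
        String lower = label.toLowerCase();       // dead store: never read
        switch (code) {
            case 1:
                label = "one";                    // overwritten by fall-through
            case 2:
                label = "two";
                break;
        }
        return label;
    }
}
```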

<hr> <p>
<script language="JavaScript" type="text/javascript">
<!-- //hide script from old browsers
document.write( "Last updated "+ document.lastModified + "." );
//end hiding contents -->
</script>
<p> Send comments to <a class="sidebar" href="mailto:findbugs@cs.umd.edu">findbugs@cs.umd.edu</a>
<p>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=96405&amp;type=5" width="210" height="62" border="0" alt="SourceForge.net Logo" /></A></td></tr></table>

</body>
</html>