1<html> 2<head> 3<title>FindBugs™ 1.2 Demo and Results</title> 4<link rel="stylesheet" type="text/css" href="findbugs.css" /> 5 6</head> 7 8<body> 9 10<table width="100%"><tr> 11 12 13<td bgcolor="#b9b9fe" valign="top" align="left" width="20%"> 14<table width="100%" cellspacing="0" border="0"> 15<tr><td><a class="sidebar" href="index.html"><img src="umdFindbugs.png" alt="FindBugs"></a></td></tr> 16 17<tr><td> </td></tr> 18 19<tr><td><b>Docs and Info</b></td></tr> 20<tr><td><font size="-1"><a class="sidebar" href="findbugs2.html">FindBugs 2.0</a></font></td></tr> 21<tr><td><font size="-1"><a class="sidebar" href="demo.html">Demo and data</a></font></td></tr> 22<tr><td><font size="-1"><a class="sidebar" href="users.html">Users and supporters</a></font></td></tr> 23<tr><td><font size="-1"><a class="sidebar" href="http://findbugs.blogspot.com/">FindBugs blog</a></font></td></tr> 24<tr><td><font size="-1"><a class="sidebar" href="factSheet.html">Fact sheet</a></font></td></tr> 25<tr><td><font size="-1"><a class="sidebar" href="manual/index.html">Manual</a></font></td></tr> 26<tr><td><font size="-1"><a class="sidebar" href="ja/manual/index.html">Manual(ja/日本語)</a></font></td></tr> 27<tr><td><font size="-1"><a class="sidebar" href="FAQ.html">FAQ</a></font></td></tr> 28<tr><td><font size="-1"><a class="sidebar" href="bugDescriptions.html">Bug descriptions</a></font></td></tr> 29<tr><td><font size="-1"><a class="sidebar" href="mailingLists.html">Mailing lists</a></font></td></tr> 30<tr><td><font size="-1"><a class="sidebar" href="publications.html">Documents and Publications</a></font></td></tr> 31<tr><td><font size="-1"><a class="sidebar" href="links.html">Links</a></font></td></tr> 32 33<tr><td> </td></tr> 34 35<tr><td><a class="sidebar" href="downloads.html"><b>Downloads</b></a></td></tr> 36 37<tr><td> </td></tr> 38 39<tr><td><a class="sidebar" href="http://www.cafeshops.com/findbugs"><b>FindBugs Swag</b></a></td></tr> 40 41<tr><td> </td></tr> 42 43<tr><td><b>Development</b></td></tr> 44<tr><td><font size="-1"><a class="sidebar" href="http://sourceforge.net/tracker/?group_id=96405">Open bugs</a></font></td></tr> 45<tr><td><font size="-1"><a class="sidebar" href="reportingBugs.html">Reporting bugs</a></font></td></tr> 46<tr><td><font size="-1"><a class="sidebar" href="contributing.html">Contributing</a></font></td></tr> 47<tr><td><font size="-1"><a class="sidebar" href="team.html">Dev team</a></font></td></tr> 48<tr><td><font size="-1"><a class="sidebar" href="api/index.html">API</a> <a class="sidebar" href="api/overview-summary.html">[no frames]</a></font></td></tr> 49<tr><td><font size="-1"><a class="sidebar" href="Changes.html">Change log</a></font></td></tr> 50<tr><td><font size="-1"><a class="sidebar" href="http://sourceforge.net/projects/findbugs">SF project page</a></font></td></tr> 51<tr><td><font size="-1"><a class="sidebar" href="http://code.google.com/p/findbugs/source/browse/">Browse source</a></font></td></tr> 52<tr><td><font size="-1"><a class="sidebar" href="http://code.google.com/p/findbugs/source/list">Latest code changes</a></font></td></tr> 53</table> 54</td> 55 56<td align="left" valign="top"> 57<h1> 58FindBugs 1.2 demo and results 59</h1> 60 61<p>If you just want to try running FindBugs against your 62own code, you can 63<a href="http://findbugs.cs.umd.edu/demo/jnlp/findbugs.jnlp">run FindBugs</a> using Java Webstart. 64This will use our new gui under Java 1.5+ and our old gui under Java 1.4. 65The new gui provides a number of new features, but requires Java 1.5+. 66Both use exactly the same analysis engine. 67 68</p><p>This web page provides results of running FindBugs 1.2.0 69against several open source applications. We provide a summary 70of the number of bugs we found, as well as a generated HTML listing 71of the bugs and 72a <a href="http://java.sun.com/products/javawebstart/">Java 73WebStart</a> demo of the new GUI we've introduced in FindBugs version 1.1, 74displaying the warnings and the relevant source. 75 76 77</p><p>The applications and versions of them we report on 78are somewhat arbitrary. In some cases, they are release versions, 79in other cases nightly builds. We find lots of bugs in every large code 80base we examine; these applications are certainly not the worst we have seen. 81I have been allowed to confidentially examine the results of running FindBugs 82against several closed commercial code bases by well respected companies; 83the results I've seen there are not significantly different from 84what I've observed in open source code bases. 85 86 87</p><p><em>Experimental details</em>: These results are from running 88FindBugs 1.2.0 at standard effort level. Our results do not include 89any low priority warnings or any warnings about vulnerabilities to 90malicious code. Although we have (repeatedly) manually audited the results, 91we haven't manually filtered out false positives from these warnings, 92so that you can get a feeling for the quality of the warnings generated 93by FindBugs. 94</p><p>Some of the bugs contain audit comments: they are marked as to whether 95we thought the warning indicated a bug that should or must be fixed, or whether it was not, in fact, a bug. 96</p><p>In the webstart versions, we've only included the bugs for which 97we were able to identify source files. The number of lines of non-commenting source 98statements in the table below (KNCSS) is derived from the same files 99that we analyzed and in which we report bugs; we actually compute 100KNCSS from the classfiles, not the source files. 101 102</p><p><em>Vulnerability disclosure</em>: Thankfully, Java isn't C or C++. Dereferencing 103a null pointer or accessing outside the bounds of an array generates a runtime 104exception rather than a shell exploit. We do not believe that any of the 105warnings here represents a security vulnerability, although we have not audited 106them to verify that. These projects are all aware of the existence of 107FindBugs, and FindBugs is already open source and available 108for use both by developers and attackers, we don't believe that making 109these results available constitutes a reckless disclosure. 110 111 112</p><p><em>Recommendations</em>: First, review the correctness warnings. 113 We feel confident that developers 114would want to fix most of the high and medium priority correctness warnings we report. 115Once you've reviewed those, 116you might want to look at some of the other categories. 117</p><p> 118In other categories, 119such as Bad practice and Dodgy code, we accept more false positives. You 120might decide that a pattern bug pattern isn't relevant for your code 121base (e.g., you never use Serialization for persistent storage, 122so you never care about the fact that you didn't define a serializationUID), 123and even for the bug patterns relevant to your code base, 124perhaps only a minority will reflect problems serious enough to 125convince you to change your code. 126 127</p><p><em>Please be patient</em> The Web start versions not only have to download the applications, 128 they need to download about 10 megabytes of data and source files. Please 129 be patient. Sorry we don't have a progress bar for the data and source download; 130 the ability to remotely download a data and source archive is a little bit of 131 a hack. We've provided small versions of some of the data sets that include 132 only the correctness bugs and the source files containing those warnings. The small 133 datasets are about a quarter of the sizes of the full datasets. 134 </p> 135<p> 136</p><table border="2"> 137<tr><th rowspan="2">Application</th><th colspan="2">Details</th><th colspan="2">Correctness bugs</th><th rowspan="2">Bad Practice</th><th rowspan="2">Dodgy</th><th rowspan="2">KNCSS 138</th></tr><tr><th>HTML</th><th>WebStart</th><th>NP bugs</th><th>Other 139</th></tr><tr><td align="right">Sun JDK 1.7.0-b12</td><td align="right"> 140 <a href="http://findbugs.cs.umd.edu/demo/jdk7/index.html">All</a> 141 </td><td align="right"> 142 <a href="http://findbugs.cs.umd.edu/demo/jdk7/index.jnlp">All</a> 143 <a href="http://findbugs.cs.umd.edu/demo/jdk7/small.jnlp">Small</a> 144 </td><td align="right">68</td><td align="right">180</td><td align="right">954</td><td align="right">654</td><td align="right">597 145 146</td></tr><tr><td align="right">eclipse-SDK-3.3M7-solaris-gtk</td><td align="right"> 147 <a href="http://findbugs.cs.umd.edu/demo/eclipse/index.html">All</a> 148 </td><td align="right"> 149 <a href="http://findbugs.cs.umd.edu/demo/eclipse/index.jnlp">All</a> 150 <a href="http://findbugs.cs.umd.edu/demo/eclipse/small.jnlp">Small</a> 151 </td><td align="right">146</td><td align="right">259</td><td align="right">1,079</td><td align="right">643</td><td align="right">1,447 152 153</td></tr><tr><td align="right">netbeans-6_0-m8</td><td align="right"> 154 <a href="http://findbugs.cs.umd.edu/demo/netbeans/index.html">All</a> 155 </td><td align="right"> 156 <a href="http://findbugs.cs.umd.edu/demo/netbeans/index.jnlp">All</a> 157 <a href="http://findbugs.cs.umd.edu/demo/netbeans/small.jnlp">Small</a> 158 </td><td align="right">189</td><td align="right">305</td><td align="right">3,010</td><td align="right">1,112</td><td align="right">1,022 159 160</td></tr><tr><td align="right">glassfish-v2-b43</td><td align="right"> 161 <a href="http://findbugs.cs.umd.edu/demo/glassfish/index.html">All</a> 162 </td><td align="right"> 163 <a href="http://findbugs.cs.umd.edu/demo/glassfish/index.jnlp">All</a> 164 <a href="http://findbugs.cs.umd.edu/demo/glassfish/small.jnlp">Small</a> 165 </td><td align="right">146</td><td align="right">154</td><td align="right">964</td><td align="right">1,222</td><td align="right">2,176 166 167</td></tr><tr><td align="right">jboss-4.0.5</td><td align="right"> 168 <a href="http://findbugs.cs.umd.edu/demo/jboss/index.html">All</a> 169 </td><td align="right"> 170 <a href="http://findbugs.cs.umd.edu/demo/jboss/index.jnlp">All</a> 171 <a href="http://findbugs.cs.umd.edu/demo/jboss/small.jnlp">Small</a> 172 </td><td align="right">30</td><td align="right">57</td><td align="right">263</td><td align="right">214</td><td align="right">178 173 174</td></tr></table> 175<p><em>KNCSS</em> - Thousands of lines of non-commenting source statements 176 177</p><h2>Bug categories</h2> 178<dl> 179<dt>Correctness bug 180</dt><dd>Probable bug - an apparent coding mistake 181 resulting in code that was probably not what the 182 developer intended. We strive for a low false positive rate. 183</dd><dt>Bad Practice 184</dt><dd> 185Violations of recommended and essential 186 coding practice. Examples include hash code and equals 187 problems, cloneable idiom, dropped exceptions, 188 serializable problems, and misuse of finalize. 189 We strive to make this analysis accurate, 190 although some groups may 191 not care about some of the bad practices. 192</dd><dt>Dodgy 193</dt><dd> 194Code that is confusing, anomalous, or 195 written in a way that leads itself to errors. 196 Examples include dead local stores, switch fall through, 197 unconfirmed casts, and redundant null check of value 198 known to be null. 199 More false positives accepted. 200 In previous versions of FindBugs, this category was known as Style. 201</dl> 202 203 204<hr> <p> 205<script language="JavaScript" type="text/javascript"> 206<!---//hide script from old browsers 207document.write( "Last updated "+ document.lastModified + "." ); 208//end hiding contents ---> 209</script> 210<p> Send comments to <a class="sidebar" href="mailto:findbugs@cs.umd.edu">findbugs@cs.umd.edu</a> 211<p> 212<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=96405&type=5" width="210" height="62" border="0" alt="SourceForge.net Logo" /></A></td></tr></table> 213 214</body> 215</html> 216 217 218 219 220
