Replies: 1 comment
Please find the reports of Spotbugs on the non-compliant examples of the SEI CERT Guide attached (single-page HTML in a zip). All code examples are taken from https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java. Spotbugs 4.7.3
Dear Code-Owners, Contributors, Users,
We at Ericsson evaluated some open-source static analyzer tools for Java and found that Spotbugs already has
nice coverage of the SEI CERT Oracle Coding Standard for Java coding guideline (https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java).
The guideline contains rules for secure coding in the Java programming language, with the goal of eliminating insecure coding practices that can lead to exploitable vulnerabilities.
We would like to increase this coverage by implementing checkers for yet uncovered rules and contribute these changes back to upstream Spotbugs.
What do you think about this initiative?
Would it be a good fit for the other Spotbugs detectors and the future development directions of this tool?
We have initiated some PRs which you already reviewed and merged.
@iloveeclipse, @ThrawnCA, @KengoTODA, @hazendaz ... Thanks for that!
- FindOverridableMethodCall to detect indirect cases #1716

We try to be pragmatic and implement the rules to be practical and useful
in catching real security issues without giving too many noisy findings.
The results are evaluated on these open-source projects:
matsim-libs, jenkins, bittorrent, opengrok, spotbugs, nanohttpd, ttorrent.
From our team, mainly @JuditKnoll works on the new detectors, taking over
from @baloghadamsoftware, who has less time for this project.
We also have a few student contributors.
We pre-review their work to decrease review workload on code-owners.
Please let us know if there is anything we can do to help the
release process. I see that @hazendaz pointed out some issues.
We will try to be helpful there. :)
Is there anyone else out there interested in joining this initiative as a reviewer/implementer?
Thanks & Regards,
Daniel
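As an added illustration, not code from this discussion or from the SpotBugs project, the following Java snippet shows the defect class that the FindOverridableMethodCall detector mentioned in the thread reports: a constructor calling a method a subclass can override (SEI CERT rule MET05-J). The class names are constructed, and the "indirect case" shown (a constructor reaching the overridable method through a private helper) is an assumption about what the referenced PR covers, not something the thread states.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (not part of the discussion above or of SpotBugs itself).
// Demonstrates why MET05-J forbids calling overridable methods from constructors.
public class OverridableCallDemo {

    // Non-compliant: the constructor calls an overridable method, once directly
    // and once indirectly through a private helper. A subclass override runs
    // while the object is only partially constructed.
    static class Base {
        private final String name;

        Base(String name) {
            this.name = name;
            describe();          // direct call to an overridable method
            initHelper();        // indirect call: private helper -> overridable method
        }

        private void initHelper() {
            describe();
        }

        void describe() {        // overridable: neither final nor private
            System.out.println("Base " + name);
        }
    }

    static class Derived extends Base {
        // Field initialisers of Derived run only after Base's constructor returns.
        private final List<String> audit = new ArrayList<>();

        Derived() {
            super("derived");
        }

        @Override
        void describe() {
            // 'audit' is still null when Base's constructor invokes this override,
            // so this line throws NullPointerException during construction.
            audit.add("described");
        }
    }

    // Compliant rewrite: the method the constructor depends on is final, so no
    // subclass can inject code into the partially constructed object.
    static class SafeBase {
        private final String name;

        SafeBase(String name) {
            this.name = name;
            describe();
        }

        final void describe() {
            System.out.println("SafeBase " + name);
        }
    }

    public static void main(String[] args) {
        new SafeBase("ok");
        try {
            new Derived();
        } catch (NullPointerException e) {
            System.out.println("Derived failed during construction: " + e);
        }
    }
}
```

Running `main` constructs `SafeBase` normally and then shows `Derived` failing inside its superclass constructor. The usual remediations the rule suggests are the ones `SafeBase` applies: make the method `final` or `private`, or move the work out of the constructor into a separate initialisation step that runs after the object is fully built.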