blob: 83ce7a3d90ac5f45ab748a24b5dc717cea3f0c23 [file] [log] [blame]
<html>
<head>
<title>FindBugs&trade; 1.2 Demo and Results</title>
<link rel="stylesheet" type="text/css" href="findbugs.css" />
</head>
<body>
<table width="100%"><tr>
<td bgcolor="#b9b9fe" valign="top" align="left" width="20%">
<table width="100%" cellspacing="0" border="0">
<tr><td><a class="sidebar" href="index.html"><img src="umdFindbugs.png" alt="FindBugs"></a></td></tr>
<tr><td>&nbsp;</td></tr>
<tr><td><b>Docs and Info</b></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="findbugs2.html">FindBugs 2.0</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="demo.html">Demo and data</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="users.html">Users and supporters</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://findbugs.blogspot.com/">FindBugs blog</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="factSheet.html">Fact sheet</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="manual/index.html">Manual</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="ja/manual/index.html">Manual(ja/&#26085;&#26412;&#35486;)</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="FAQ.html">FAQ</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="bugDescriptions.html">Bug descriptions</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="mailingLists.html">Mailing lists</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="publications.html">Documents and Publications</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="links.html">Links</a></font></td></tr>
<tr><td>&nbsp;</td></tr>
<tr><td><a class="sidebar" href="downloads.html"><b>Downloads</b></a></td></tr>
<tr><td>&nbsp;</td></tr>
<tr><td><a class="sidebar" href="http://www.cafeshops.com/findbugs"><b>FindBugs Swag</b></a></td></tr>
<tr><td>&nbsp;</td></tr>
<tr><td><b>Development</b></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://sourceforge.net/tracker/?group_id=96405">Open bugs</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="reportingBugs.html">Reporting bugs</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="contributing.html">Contributing</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="team.html">Dev team</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="api/index.html">API</a> <a class="sidebar" href="api/overview-summary.html">[no frames]</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="Changes.html">Change log</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://sourceforge.net/projects/findbugs">SF project page</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://code.google.com/p/findbugs/source/browse/">Browse source</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://code.google.com/p/findbugs/source/list">Latest code changes</a></font></td></tr>
</table>
</td>
<td align="left" valign="top">
<h1>
FindBugs 1.2 demo and results
</h1>
<p>If you just want to try running FindBugs against your
own code, you can
<a href="http://findbugs.cs.umd.edu/demo/jnlp/findbugs.jnlp">run FindBugs</a> using Java Webstart.
This will use our new gui under Java 1.5+ and our old gui under Java 1.4.
The new gui provides a number of new features, but requires Java 1.5+.
Both use exactly the same analysis engine.
</p><p>This web page provides results of running FindBugs 1.2.0
against several open source applications. We provide a summary
of the number of bugs we found, as well as a generated HTML listing
of the bugs and
a <a href="http://java.sun.com/products/javawebstart/">Java
WebStart</a> demo of the new GUI we've introduced in FindBugs version 1.1,
displaying the warnings and the relevant source.
</p><p>The applications and versions of them we report on
are somewhat arbitrary. In some cases, they are release versions,
in other cases nightly builds. We find lots of bugs in every large code
base we examine; these applications are certainly not the worst we have seen.
I have been allowed to confidentially examine the results of running FindBugs
against several closed commercial code bases by well respected companies;
the results I've seen there are not significantly different from
what I've observed in open source code bases.
</p><p><em>Experimental details</em>: These results are from running
FindBugs 1.2.0 at standard effort level. Our results do not include
any low priority warnings or any warnings about vulnerabilities to
malicious code. Although we have (repeatedly) manually audited the results,
we haven't manually filtered out false positives from these warnings,
so that you can get a feeling for the quality of the warnings generated
by FindBugs.
</p><p>Some of the bugs contain audit comments: they are marked as to whether
we thought the warning indicated a bug that should or must be fixed, or whether it was not, in fact, a bug.
</p><p>In the webstart versions, we've only included the bugs for which
we were able to identify source files. The number of lines of non-commenting source
statements in the table below (KNCSS) is derived from the same files
that we analyzed and in which we report bugs; we actually compute
KNCSS from the classfiles, not the source files.
</p><p><em>Vulnerability disclosure</em>: Thankfully, Java isn't C or C++. Dereferencing
a null pointer or accessing outside the bounds of an array generates a runtime
exception rather than a shell exploit. We do not believe that any of the
warnings here represents a security vulnerability, although we have not audited
them to verify that. These projects are all aware of the existence of
FindBugs, and FindBugs is already open source and available
for use both by developers and attackers, we don't believe that making
these results available constitutes a reckless disclosure.
</p><p><em>Recommendations</em>: First, review the correctness warnings.
We feel confident that developers
would want to fix most of the high and medium priority correctness warnings we report.
Once you've reviewed those,
you might want to look at some of the other categories.
</p><p>
In other categories,
such as Bad practice and Dodgy code, we accept more false positives. You
might decide that a pattern bug pattern isn't relevant for your code
base (e.g., you never use Serialization for persistent storage,
so you never care about the fact that you didn't define a serializationUID),
and even for the bug patterns relevant to your code base,
perhaps only a minority will reflect problems serious enough to
convince you to change your code.
</p><p><em>Please be patient</em> The Web start versions not only have to download the applications,
they need to download about 10 megabytes of data and source files. Please
be patient. Sorry we don't have a progress bar for the data and source download;
the ability to remotely download a data and source archive is a little bit of
a hack. We've provided small versions of some of the data sets that include
only the correctness bugs and the source files containing those warnings. The small
datasets are about a quarter of the sizes of the full datasets.
</p>
<p>
</p><table border="2">
<tr><th rowspan="2">Application</th><th colspan="2">Details</th><th colspan="2">Correctness bugs</th><th rowspan="2">Bad Practice</th><th rowspan="2">Dodgy</th><th rowspan="2">KNCSS
</th></tr><tr><th>HTML</th><th>WebStart</th><th>NP bugs</th><th>Other
</th></tr><tr><td align="right">Sun JDK 1.7.0-b12</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/jdk7/index.html">All</a>
</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/jdk7/index.jnlp">All</a>
<a href="http://findbugs.cs.umd.edu/demo/jdk7/small.jnlp">Small</a>
</td><td align="right">68</td><td align="right">180</td><td align="right">954</td><td align="right">654</td><td align="right">597
</td></tr><tr><td align="right">eclipse-SDK-3.3M7-solaris-gtk</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/eclipse/index.html">All</a>
</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/eclipse/index.jnlp">All</a>
<a href="http://findbugs.cs.umd.edu/demo/eclipse/small.jnlp">Small</a>
</td><td align="right">146</td><td align="right">259</td><td align="right">1,079</td><td align="right">643</td><td align="right">1,447
</td></tr><tr><td align="right">netbeans-6_0-m8</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/netbeans/index.html">All</a>
</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/netbeans/index.jnlp">All</a>
<a href="http://findbugs.cs.umd.edu/demo/netbeans/small.jnlp">Small</a>
</td><td align="right">189</td><td align="right">305</td><td align="right">3,010</td><td align="right">1,112</td><td align="right">1,022
</td></tr><tr><td align="right">glassfish-v2-b43</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/glassfish/index.html">All</a>
</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/glassfish/index.jnlp">All</a>
<a href="http://findbugs.cs.umd.edu/demo/glassfish/small.jnlp">Small</a>
</td><td align="right">146</td><td align="right">154</td><td align="right">964</td><td align="right">1,222</td><td align="right">2,176
</td></tr><tr><td align="right">jboss-4.0.5</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/jboss/index.html">All</a>
</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/jboss/index.jnlp">All</a>
<a href="http://findbugs.cs.umd.edu/demo/jboss/small.jnlp">Small</a>
</td><td align="right">30</td><td align="right">57</td><td align="right">263</td><td align="right">214</td><td align="right">178
</td></tr></table>
<p><em>KNCSS</em> - Thousands of lines of non-commenting source statements
</p><h2>Bug categories</h2>
<dl>
<dt>Correctness bug
</dt><dd>Probable bug - an apparent coding mistake
resulting in code that was probably not what the
developer intended. We strive for a low false positive rate.
</dd><dt>Bad Practice
</dt><dd>
Violations of recommended and essential
coding practice. Examples include hash code and equals
problems, cloneable idiom, dropped exceptions,
serializable problems, and misuse of finalize.
We strive to make this analysis accurate,
although some groups may
not care about some of the bad practices.
</dd><dt>Dodgy
</dt><dd>
Code that is confusing, anomalous, or
written in a way that leads itself to errors.
Examples include dead local stores, switch fall through,
unconfirmed casts, and redundant null check of value
known to be null.
More false positives accepted.
In previous versions of FindBugs, this category was known as Style.
</dl>
<hr> <p>
<script language="JavaScript" type="text/javascript">
<!---//hide script from old browsers
document.write( "Last updated "+ document.lastModified + "." );
//end hiding contents --->
</script>
<p> Send comments to <a class="sidebar" href="mailto:findbugs@cs.umd.edu">findbugs@cs.umd.edu</a>
<p>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=96405&amp;type=5" width="210" height="62" border="0" alt="SourceForge.net Logo" /></A></td></tr></table>
</body>
</html>