
Evaluation of FindBugs

Arooj Fatima
Anam Khan
Sumaya Basheer
Description

• Static analysis tool that finds bugs in Java code
• Open-source and multi-platform
• Analyzes byte code instead of source code
• Analysis based on bug patterns
• Available as standalone or plugin
How it works?
Use “bug patterns” to detect potential bugs
FindBugs comes with over 800 rules divided into different categories:
Correctness
E.g. infinite recursive loop, reads a field that is never written
Bad practice
E.g. code that drops exceptions or fails to close a file
Performance
E.g. method concatenates strings using + in a loop
Multithreaded correctness
E.g. incorrect lazy initialization and update of a static field
Security
E.g. hardcoded constant database password
Dodgy
E.g. unused local variables or unchecked casts
How it works?
Experimental
E.g. methods may fail to clean up a stream or resources
Internationalization
E.g. default encoding
How it works?
Use “bug patterns” to detect potential bugs

NullPointerException (obj is cast and dereferenced without a null check):
    public boolean equals(Object obj) {
        OfConcernRankBugs object = (OfConcernRankBugs) obj;
        return this.getPlaceHolder().equals(object.getPlaceHolder());
    }

Uninitialized field (items is never assigned before it is used):
    public class ShoppingCart {
        private List items;
        public void addItem(Item item) {
            items.add(item);
        }
    }
How it works?
Bad practice

Method may fail to close database resource on exception:
    statement = getConnection_dmiConstantDbPasswordCORRECT().prepareStatement(query);

Comparison of String objects using == or !=:
    System.out.println(" - " + (string1 == string2));
How it works?
Correctness

Impossible cast:
    final Long value = (Long) doubleValue;

Possible null pointer dereference:
    if (null != value & value.length() > 2) {
        System.out.println(String.format(" - " + value));
    }
How it works?
Experimental

Method may fail to clean up resource:
    resultSet = statement.executeQuery();

Method may fail to clean up resource or stream on checked exception:
    statement = getConnection_dmiConstantDbPasswordCORRECT().prepareStatement(query);
How it works?
Malicious code vulnerability

Field isn't final but should be:
    protected static List<String> sessionList = new ArrayList<String>();

Field should be package protected:
    protected static long lastTime = System.currentTimeMillis();
How it works?
Multithreaded correctness

Method calls Thread.sleep() with a lock held:
    synchronized (this) {
        Thread.sleep(5000);
    }

Empty synchronized block:
    private void emptySynchronized() {
        synchronized (this) {
            // Forgot implementation
        }
    }
How it works?
Performance

Private method never called:
    private void executeSomeConditions() {
        if ("SomeValue".equals(this.checkStrValue)) {
            // Condition 1
        } else if ("SomeValue".equals(this.checkStrValue)) {
            // Condition 2
        }
    }
How it works?
Dodgy code

Load of known null value:
    final String value = null;
    if (null != value & value.length() > 2) {};

Useless control flow (both branches test the same condition):
    if ("SomeValue".equals(this.checkStrValue)) {
        // Condition 1
    } else if ("SomeValue".equals(this.checkStrValue)) {
        // Condition 2
    };
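An added example (not from the slides) showing why the null check on the Correctness and Dodgy code slides does not protect anything: a non-short-circuit & evaluates value.length() even when value is null, while && stops at the first false operand.

```java
public class NullCheck {
    // As on the slides: '&' is the bitwise/logical AND that always evaluates
    // both operands, so value.length() runs even when value is null and the
    // method throws NullPointerException instead of returning false.
    static boolean isLongEnoughBefore(String value) {
        return null != value & value.length() > 2;
    }

    // '&&' short-circuits: the right operand is only evaluated when the left
    // one is true, so a null value never reaches length().
    static boolean isLongEnoughAfter(String value) {
        return null != value && value.length() > 2;
    }

    public static void main(String[] args) {
        System.out.println(isLongEnoughAfter("abc"));  // true
        System.out.println(isLongEnoughAfter(null));   // false, no exception
        try {
            isLongEnoughBefore(null);
        } catch (NullPointerException e) {
            System.out.println("'&' evaluated value.length() on a null value");
        }
    }
}
```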
How it works?
Security

Empty database password:
    connection = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "APP", "");

Hardcoded constant database password:
    connection = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "APP", "my-secret-password");
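As an added example (not code from the slides), the patterns flagged on the Security and Bad practice slides next to a form FindBugs accepts: the password comes from an environment variable (DB_PASSWORD is an assumed name, not one the slides use) and try-with-resources closes every JDBC object on both normal and exception paths.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class DbAccess {
    private static final String URL = "jdbc:derby:memory:myDB;create=true";

    // BEFORE: the shape the slides flag. FindBugs reports a hardcoded constant
    // database password, and none of the JDBC objects are closed if
    // prepareStatement() or executeQuery() throws, because the close() calls
    // are not in a finally block.
    static int countRowsBefore(String query) throws SQLException {
        Connection connection = DriverManager.getConnection(URL, "APP", "my-secret-password");
        PreparedStatement statement = connection.prepareStatement(query);
        ResultSet resultSet = statement.executeQuery();
        int rows = 0;
        while (resultSet.next()) {
            rows++;
        }
        resultSet.close();
        statement.close();
        connection.close();
        return rows;
    }

    // AFTER: no credential in the byte code (an empty password is rejected too,
    // which is the other Security slide pattern), and try-with-resources closes
    // the result set, statement and connection in reverse order on every path.
    static int countRowsAfter(String query) throws SQLException {
        String password = System.getenv("DB_PASSWORD");  // assumed variable name
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("DB_PASSWORD is not set");
        }
        try (Connection connection = DriverManager.getConnection(URL, "APP", password);
             PreparedStatement statement = connection.prepareStatement(query);
             ResultSet resultSet = statement.executeQuery()) {
            int rows = 0;
            while (resultSet.next()) {
                rows++;
            }
            return rows;
        }
    }
}
```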
OWASP Top 10 of web application vulnerabilities

Anyone building a web application should know about these vulnerabilities:
1. Injection
2. Broken Authentication
3. Sensitive data exposure
4. XML External Entities (XXE)
5. Broken Access control
6. Security misconfigurations
7. Cross Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with known vulnerabilities
10. Insufficient logging and monitoring
1. XML External Entities (XXE)

Injection
Trust boundary violation
Sensitive data exposure
Secure flag
XML External Entities (XXE)
How about false alarms?
False positive

    public class Thingy {
        private final Lock lock = new ReentrantLock();
        private boolean shutdown;
        public void shutdown() {
            lock.lock();
            shutdown = true;
            lock.unlock();
        }
    }

FindBugs complains that "Thingy.shutdown() does not release lock on all exception paths"
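FindBugs reasons about the shape of the control flow, not about whether the body can actually throw: a plain field store cannot, so the report is the false positive the slide describes, but the same pattern with a body that can throw would leak the lock. The following is an added example, not code from the slides, placing the slide's method beside the try/finally form that FindBugs accepts.

```java
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;

public class Thingy {
    private final Lock lock = new ReentrantLock();
    private boolean shutdown;

    // Same body as the slide. FindBugs sees that an exception thrown between
    // lock() and unlock() would leave the lock held; here nothing can throw,
    // so the warning is a false positive.
    public void shutdownAsOnSlide() {
        lock.lock();
        shutdown = true;
        lock.unlock();
    }

    // Releasing the lock in finally makes the release unconditional on every
    // path, which removes the warning and stays correct if the body grows.
    public void shutdown() {
        lock.lock();
        try {
            shutdown = true;
        } finally {
            lock.unlock();
        }
    }

    public boolean isShutdown() {
        lock.lock();
        try {
            return shutdown;
        } finally {
            lock.unlock();
        }
    }
}
```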
Why use FindBugs?
● Finding bugs in Java programs
● Preventing human error
● Learning from errors
How to use FindBugs?
3 flavours:

GUI

Plugin

Command line
GUI?
Let's have a look

Select File | New project

GUI?
Let's have a look

Select byte code files [point to jar files or class files] and their source code [point to java files]
Command prompt?
Let's see the commands

To open the FindBugs GUI (the path is the FindBugs directory name):
    C:\>java -jar D:/findbugs-3.0.1/lib/findbugs.jar
Command prompt?
Let's see the commands

General commands:
License?
It's open source

1. Free software released under the LGPL

2. A University of Maryland project that has received funding from Google, Sun Microsystems, NSF, Fortify Software, SureLogic and the IBM Eclipse Innovation award
Thank You! 
Any Questions?
