Fortify Software, whose products serve as a sort of gauntlet for vetting web app security holes, is teaming with FindBugs to open a public clearinghouse for identifying bugs in open source Java software.
The site, called the Java Open Source forum, pools results from the FindBugs and Fortify tools. The two tools look for different types of problems: Fortify performs static analysis to find security vulnerabilities, while FindBugs identifies more mundane defects such as use of an incorrect operator or incorrect invocation of a method.
The FindBugs tooling would typically be run before code is put through a more dynamic debugging tool. It originated as a graduate student research project at the University of Maryland.
The goal is to provide a clearinghouse that will help speed up open source software development and give users of open source software a seal of assurance.
The site won’t be a free-for-all. Fortify and FindBugs will focus on selecting high-impact open source Java projects. For now there won’t be any formal selection criteria, though these may develop over time. The site will publish results on the number of bugs found and provide links to the maintainers, but will restrict disclosure of the bugs themselves to the originators of the code.