Any recommendation for code scanning tools for a Java, JBoss, MySQL, Apache, Linux platform?

Posted on 2007-09-30
Last Modified: 2013-12-12
We are building an online ticketing system through an offshore developer (using open source: Java, MySQL, JBoss, Apache, Linux).

We want to ensure that the source code handed over to us will be of good quality and maintainable. We were also told to use code scanning utilities to check the source code for bugs and security vulnerabilities.

What are the commercially available code scanning tools for us to include as a requirement in the Scope of Works?

Question by:mactus
    LVL 5

    Assisted Solution

    I commend your approach for looking to automate your testing. The best code scanning utility is actually the compiler itself. Unfortunately, it is also the worst at detecting all the errors that you will run into. The best way to make sure your software works when delivered is to run it.

    Plan to spend more time testing. Only test the deliverables that you actually want to work. I've seen a proprietary trading firm die in one afternoon when their black box got stuck in an infinite loop. It kept on buying MSFT moving the price up several points before the server was finally unplugged.

    Add a phase for defining processes for testing the workflows of your ticketing system. The extra hassle of setting up a testing environment is always worth it.

    In terms of ensuring that the code is maintainable, nothing beats a code review. You need at least one senior developer that you plan on retaining. Complete an initial coding milestone using specs that you and your developer helped write. Then have the developer review the code. Even if this initial milestone is bogus, it would still be helpful. That's the best way to ensure that your offshore team will work well for a larger project.

    LVL 9

    Assisted Solution

    by: Suhas
    Hi Mactus,

    The best way is code coverage analysis:

    1. Statement coverage
    2. Decision coverage
    3. Conditional coverage

    For more reference:

    LVL 33

    Accepted Solution

    You also might take a look at:
    LVL 5

    Assisted Solution

    The main problem with Bullseye is clearly stated in the first few paragraphs:

         You use coverage analysis to assure quality of your set of tests, not the quality of the actual product.

    So this assumes that you already have some tests and you want to know how much of the code it tests. Great, but the software is not an expert system. It cannot reveal security vulnerabilities. And using this requires a large investment that does not directly yield quality or increased security.

    You want an open source expert system that's smart about web development. Think about it a little. Several factors work against the existence of this. Open source developers focus on software whose proprietary equivalents already have a high profile: operating systems, languages, office productivity, etc. Developing the product requires experts in the web development world. Most of these guys have reached a point in their lives where they have too little time to devote to open source. Finally, even if there was an expert in Java web development, they'd also have to be skilled in the fine arts of artificial intelligence. That's three strikes. Open source focused, cross-trained, corporate web development professionals are as rare as green unicorns with pink polka dot tongues.

    Kudos to you for asking the question. However, your best bet is to use a senior web-development expert's skills directly.
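Taking the three coverage levels listed earlier in the thread and the point above that coverage measures the tests rather than the product, here is an added example that is not from any poster: a small constructed ticket-order rule is instrumented by hand with dec()/cond() probes, and statement, decision and condition coverage are computed for a given test suite. It is written in Python rather than the project's Java only to keep the instrumentation short; the rule, the probe names and the sample inputs are all assumptions made for illustration.

```python
import dis
import sys

# Constructed toy (not from the thread): two decisions (D1, D2) built from three
# boolean conditions (C1..C3), with hand-placed probes recording each outcome.
DECISIONS = ("D1", "D2")
CONDITIONS = ("C1", "C2", "C3")
_seen = {}      # ("decision"|"condition", name) -> set of observed outcomes
_lines = set()  # line numbers in valid_order's body that were executed

def _note(kind, name, value):
    _seen.setdefault((kind, name), set()).add(bool(value))
    return value

def cond(name, value): return _note("condition", name, value)
def dec(name, value): return _note("decision", name, value)

def valid_order(qty, is_vip):
    # `and` short-circuits: C2 is evaluated only when C1 is true.
    d1 = dec("D1", cond("C1", qty > 0) and cond("C2", qty <= 10))
    if d1:
        return "accepted"
    if dec("D2", cond("C3", is_vip)):
        return "needs-approval"
    return "rejected"

def _tracer(frame, event, arg):
    # Statement coverage: record every 'line' event raised inside valid_order.
    code = valid_order.__code__
    if frame.f_code is code and event == "line" and frame.f_lineno != code.co_firstlineno:
        _lines.add(frame.f_lineno)
    return _tracer

def run_suite(cases):
    """Run valid_order over (qty, is_vip) cases; return coverage percentages."""
    _seen.clear(); _lines.clear()
    sys.settrace(_tracer)
    try:
        for qty, vip in cases:
            valid_order(qty, vip)
    finally:
        sys.settrace(None)
    code = valid_order.__code__
    stmts = {ln for _, ln in dis.findlinestarts(code)
             if ln is not None and ln != code.co_firstlineno}
    pct = lambda hit, total: round(100.0 * hit / total, 1)
    outcomes = lambda kind, names: sum(len(_seen.get((kind, n), ())) for n in names)
    return {"statement": pct(len(_lines & stmts), len(stmts)),
            "decision": pct(outcomes("decision", DECISIONS), 2 * len(DECISIONS)),
            "condition": pct(outcomes("condition", CONDITIONS), 2 * len(CONDITIONS))}
```

The suite [(5, False), (0, True), (0, False)] reaches 100% statement and 100% decision coverage yet never exercises qty > 10, which is exactly the gap condition coverage reports; none of the three numbers says anything about whether the orders that are accepted are safe.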
