

Any recommendation for Code Scanning tools? for Java, JBoss, MySQL, Apache, Linux platform.

Posted on 2007-09-30
Medium Priority
Last Modified: 2013-12-12
We are building an online ticketing system through an offshore developer (using open source: Java, MySQL, JBoss, Apache, Linux).

We want to ensure that the source code handed over to us will be of good quality and maintainable. We were also told to have code scan utilities to check the source code for bugs and security vulnerabilities.

What are the commercially available code scanning tools for us to include as a requirement in the Scope of Works?

Question by:mactus

Assisted Solution

mkatmonkey earned 750 total points
ID: 19993610
I commend your approach for looking to automate your testing. The best code scanning utility is actually the compiler itself. Unfortunately, it is also the worst at detecting all the errors that you will run into. The best way to make sure your software works when delivered is to run it.

Plan to spend more time testing. Only test the deliverables that you actually want to work. I've seen a proprietary trading firm die in one afternoon when their black box got stuck in an infinite loop. It kept on buying MSFT moving the price up several points before the server was finally unplugged.

Add a phase for defining processes for testing the workflows of your ticketing system. The extra hassle of setting up a testing environment is always worth it.

In terms of ensuring that the code is maintainable, nothing beats a code review. You need at least one senior developer that you plan on retaining. Complete an initial coding milestone using specs that you and your developer helped write. Then have the developer review the code. Even if this initial milestone is bogus, it would still be helpful. That's the best way to ensure that your offshore team will work well for a larger project.


Assisted Solution

Suhas . earned 300 total points
ID: 20032842
Hi Mactus,

The best way is code coverage analysis:

1. Statement coverage
2. Decision coverage
3. Conditional coverage

For more reference:

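The three criteria listed above differ in what a test suite must exercise: every statement, every outcome of each `if`, or every outcome of each individual condition inside a compound `if`. As an added illustration (not part of this answer, and written in Python rather than the Java stack in the question for brevity), here is a constructed ticket-discount rule instrumented by hand so that three small test suites can be compared under all three criteria; the function name, the rule itself and the `trace` dictionary are all assumptions made for the example.

```python
"""Statement, decision and condition coverage measured on one small function.

Constructed example: a discount rule with the compound condition
`member or bulk`. Each call records which statements, decision outcomes and
individual condition outcomes it exercised, so a test suite's coverage under
each criterion can be computed without an external tool.
"""

# Labels for the statements in `discount` that we count.
STATEMENTS = {"check", "apply", "return"}
# The single `if` can go two ways.
DECISION_OUTCOMES = {True, False}
# Each of the two conditions can be true or false.
CONDITION_OUTCOMES = {("member", True), ("member", False),
                      ("bulk", True), ("bulk", False)}


def discount(is_member, quantity, trace):
    """Constructed business rule: members or bulk buyers (10+) get 10% off.

    `trace` collects what was executed. Both conditions are evaluated
    explicitly (no short-circuit) so every condition outcome is observable;
    real coverage tools instrument the compiled code instead.
    """
    trace["statements"].add("check")
    member = is_member
    bulk = quantity >= 10
    trace["conditions"].add(("member", member))
    trace["conditions"].add(("bulk", bulk))
    decision = member or bulk
    trace["decisions"].add(decision)
    rate = 0.0
    if decision:
        trace["statements"].add("apply")
        rate = 0.10
    trace["statements"].add("return")
    return rate


def run_suite(cases):
    """Run (is_member, quantity) cases; return coverage ratio per criterion."""
    trace = {"statements": set(), "decisions": set(), "conditions": set()}
    for is_member, quantity in cases:
        discount(is_member, quantity, trace)
    return {
        "statement": len(trace["statements"]) / len(STATEMENTS),
        "decision": len(trace["decisions"]) / len(DECISION_OUTCOMES),
        "condition": len(trace["conditions"]) / len(CONDITION_OUTCOMES),
    }


if __name__ == "__main__":
    # One member buying a single ticket executes every statement, yet only
    # half the decision outcomes and half the condition outcomes.
    print("suite A", run_suite([(True, 1)]))
    # Adding a non-member single purchase completes decision coverage, but
    # `bulk` has still never been true.
    print("suite B", run_suite([(True, 1), (False, 1)]))
    # A non-member bulk purchase finally completes condition coverage.
    print("suite C", run_suite([(True, 1), (False, 1), (False, 20)]))
```

The point the instrumented numbers make: suite A already reports 100% statement coverage, which is why a statement-coverage figure on its own says little about how thoroughly a compound condition was tested.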


Accepted Solution

Jeroen Rosink earned 450 total points
ID: 20032873
You also might take a look at:

Assisted Solution

mkatmonkey earned 750 total points
ID: 20034464
The main problem with bullseye is clearly stated in the first few paragraphs:

     You use coverage analysis to assure quality of your set of tests, not the quality of the actual product.

So this assumes that you already have some tests and you want to know how much of the code it tests. Great, but the software is not an expert system. It cannot reveal security vulnerabilities. And using this requires a large investment that does not directly yield quality or increased security.

You want an open source expert system (http://en.wikipedia.org/wiki/Expert_system) that's smart about web development. Think about it a little. Several factors work against the existence of this. Open source developers focus on software whose proprietary equivalents already have a high profile: operating systems, languages, office productivity etc. Developing the product requires experts in the web-development world. Most of these guys have reached a point in their lives where they have too little time to devote to open source. Finally, even if there was an expert in java-web-development, they'd also have to be skilled in the fine arts of Artificial Intelligence. That's three strikes. Open source focused, cross-trained, corporate web development professionals are as rare as green unicorns with pink polka dot tongues.

Kudos to you for asking the question. However, your best bet is to use a senior web-development expert's skills directly.
