FindBugs Static Analyzer and AWARE in Eclipse
1.0 Background of FindBugs and AWARE
2.0 Installing FindBugs+AWARE Plug-in
The authors of FindBugs have made some observations on why some relatively obvious and embarrassing bugs occur when writing Java programs:
They share more details on these reasons in their paper "Finding Bugs is Easy," which also describes their methods for implementing FindBugs. FindBugs is a static analysis tool that is available both as a stand-alone Java application and as an Eclipse plug-in. Using the Visitor Pattern (Wikipedia), FindBugs looks for various "bug patterns" in the bytecode of your Java project: each pattern detector visits each compiled class looking for matches.
There are four strategies that FindBugs uses to find vulnerabilities in Java bytecode:
FindBugs is able to find six different categories of vulnerabilities:
All static analysis tools have the drawback of a high number of false positives (warnings about correct code); however, FindBugs has a lower false positive rate than other static analysis tools.
AWARE is a wrapper for the FindBugs application and was developed at North Carolina State University. AWARE collects alerts from FindBugs and displays them to the user with some additional information, including a ranking and a severity. AWARE also collects usage data on Eclipse.
Use the AWARE update site to install.
Start Eclipse. Choose Help > Software Updates > Find and Install > Search for new features to install > New Remote site.
Name: AWARE; URL: http://www.realsearchgroup.org/aware/AWARE/Java/AWARE-UPDATE/
Alternatively, you can use the FindBugs update site, which does not contain any of the AWARE functionality described in this tutorial.
Name: FindBugs; URL: http://findbugs.cs.umd.edu/eclipse/
Click OK, verify that only FindBugs is checked, click Finish.
For more information on installing plug-ins in Eclipse, see this Tutorial on the subject.
There are two ways to run FindBugs. The first involves selecting the option to run FindBugs every time you want to statically analyze your code. The other way is to have FindBugs run in the background after every Java resource change.
To run FindBugs:
3.1 Right click on the project. Select FindBugs > FindBugs (see Fig. 3a below). FindBugs will run in the foreground, blocking all other development. If you have a large project, it may take a few minutes for FindBugs to complete.
Note: FindBugs runs its full analysis once, and then only analyzes files that change in your project -- so it will be much faster after the initial analysis. However, FindBugs will have to re-run its full analysis every time you log in on a lab machine because the Eclipse workspace is cleaned. This will not happen on a personal machine.
To run FindBugs continuously in the background:
3.2 Right click on the project. Select Properties > FindBugs. Check the Run FindBugs automatically box (see Fig. 3b below). This will cause FindBugs to run every time a resource in a project is modified.
FindBugs lets you select which bug patterns the plug-in looks for in your code.
4.1 Right click on the project. Select Properties > FindBugs (see Fig. 3b above).
4.2 You may choose the minimum priority of a bug to report. The default is medium. Raising the minimum priority reduces the number of false positives among the reported bugs.
4.3 The category of vulnerability to search for may also be selected. For example, if you are more concerned with Performance problems and you have a large project, you may want to look only for performance vulnerabilities. Each bug pattern maps to exactly one category.
4.4 Lastly, you can select the specific patterns that you want the plug-in to look for. Several of the patterns take longer to run than others, so you may want to take this into consideration when selecting patterns. More information about the patterns, including their speed, is on the Bug Descriptions page.
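The same three dimensions of the Properties dialog (minimum priority, category, and individual patterns) can also be expressed in a FindBugs XML filter file, which the stand-alone tool loads with its -include option. This is an added illustration, not part of the original tutorial; the class name com.example.Payment is a placeholder, while the category and bug pattern codes are real FindBugs identifiers.

```xml
<!-- Constructed example of a FindBugs include filter. An alert is reported
     when it satisfies any one of the <Match> blocks; all others are dropped. -->
<FindBugsFilter>

  <!-- 4.2: minimum priority. Report every high-priority alert regardless of
       category. FindBugs uses 1 = high, 2 = medium, 3 = low. -->
  <Match>
    <Priority value="1"/>
  </Match>

  <!-- 4.3: a whole category. Keep all Performance alerts at any priority. -->
  <Match>
    <Bug category="PERFORMANCE"/>
  </Match>

  <!-- 4.4: individual patterns, given as a comma-separated list of codes. -->
  <Match>
    <Bug pattern="ES_COMPARING_STRINGS_WITH_EQ,NP_NULL_ON_SOME_PATH"/>
  </Match>

  <!-- A pattern can also be scoped to one class (placeholder class name). -->
  <Match>
    <Class name="com.example.Payment"/>
    <Bug pattern="SE_NO_SERIALVERSIONID"/>
  </Match>

</FindBugsFilter>
```

The same file structure works as an exclude filter (the -exclude option), which is the file-based equivalent of suppressing alerts you do not want to see.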
AWARE collects compiler errors and FindBugs static analysis alerts, lets the user filter out alerts, and keeps track of which alerts have been fixed.
5.1 In the Eclipse menu bar, select Window > Show View > Other. Expand the folder named 'AWARE' and select all of the nodes beneath it and press OK.
5.2 You should now see the open AWARE views in the view tray. The "AWARE Alerts" view will show all open FindBugs and compiler alerts.
AWARE allows you to filter out alerts that you do not consider important or do not want to be bothered with any more. If you see an alert that you want to remove from the alert view, you can right-click the alert and choose Suppress Alert, which moves the alert from the Alerts view to the Suppressed Alerts view. You can also unfilter an alert by right-clicking it in the Suppressed Alerts view and selecting Unsuppress Alert.
Figure 5c (In these images, "Filter" replaces the word "Suppress")
If you want to see the line of code that is marked with an alert, you can double click that alert in the Alerts view and AWARE will bring up the line of code the alert references.
When you fix an alert, the alert will disappear from the Alerts view and will be added to the Closed Alerts view.
AWARE also collects information about how you use Eclipse, such as what you are clicking on in Eclipse, which views and perspectives you are using, when you run a command, etc. AWARE does NOT collect any personal information or source code: only your activity. For an example of the information AWARE collects, please click here. If you would like to disable the usage monitoring, simply toggle the Usage Logging button in the Eclipse toolbar to off.
Figure 5.4 AWARE usage logging