FindBugs Creator Proposes JSR-305 Annotations for Software Defect Detection
Nullness annotations (e.g., @NonNull and @CheckForNull). Both FindBugs and IntelliJ already support their own versions of nullness annotations.The JSR is supported by parties such as Google, Sun, JetBrains, and Doug Lea. In addition to FindBugs and IntelliJ, the description mentions that tools such as Fortify Softwares SCA, Coverity's forthcoming analysis tool, and Netbeans Jackpot could also benefit from standardized defect detection annotations.
Check return value annotation - an annotation that says ignoring the return value of a method is likely incorrect (e.g., String.toLowerCase())
Taint annotations - We want to check for errors such as SQL injection and cross-site scripting (see Detecting Format-String Vulnerabilities with Type Qualifiers, Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, and David Wagner 10th USENIX Security Symposium. Washington, D.C., August 2001 for a discussion of using taint annotations in static analysis).
concurrency - We all know that concurrency is hard and statically detecting concurrency errors is very hard. We can look at the annotations proposed by Java Concurrency In Practice and by the CMU Fluid project as a starting point.
Internationalization annotations, such as @NonNls or @Nls, indicating values that either are or are not natural language strings that need to be localized for different locations. These annotations are currently used by IntelliJ.
Sarah Howe Jul 06, 2015