FindBugs Creator Proposes JSR-305 Annotations for Software Defect Detection

| by Scott Delap Follow 0 Followers on Sep 01, 2006. Estimated reading time: 1 minute |

A note to our readers: You asked so we have developed a set of features that allow you to reduce the noise: you can get email and web notifications for topics you are interested in. Learn more about our new features.

Bill Pugh, the creator of FindBugs, has submitted JSR-305 Annotations for Software Defect Detection to the Java Community Process.  The JSR would attempt to develop a standard set of annotations that can assist defect detection tools.  The JSR description points out that developers are hesitant to invest in using annotations that aren't widely supported.  Annotations identified as potential candidates for the JSR include:
Nullness annotations (e.g., @NonNull and @CheckForNull). Both FindBugs and IntelliJ already support their own versions of nullness annotations.

Check return value annotation - an annotation that says ignoring the return value of a method is likely incorrect (e.g., String.toLowerCase())

Taint annotations - We want to check for errors such as SQL injection and cross-site scripting (see Detecting Format-String Vulnerabilities with Type Qualifiers, Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, and David Wagner 10th USENIX Security Symposium. Washington, D.C., August 2001 for a discussion of using taint annotations in static analysis).

concurrency - We all know that concurrency is hard and statically detecting concurrency errors is very hard. We can look at the annotations proposed by Java Concurrency In Practice and by the CMU Fluid project as a starting point.

Internationalization annotations, such as @NonNls or @Nls, indicating values that either are or are not natural language strings that need to be localized for different locations. These annotations are currently used by IntelliJ.
The JSR is supported by parties such as Google, Sun, JetBrains, and Doug Lea. In addition to FindBugs and IntelliJ, the description mentions that tools such as Fortify Softwares SCA, Coverity's forthcoming analysis tool, and Netbeans Jackpot could also benefit from standardized defect detection annotations.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you