Java News from Wednesday, February 23, 2005

Apple's posted Security Update 2005-002 to patch a vulnerability in Java 1.4.2 that could allow an untrusted applet to elevate privileges and execute arbitrary code. All users should upgrade.


The Legion of the Bouncy Castle has released version 1.27 of the Bouncy Castle Java Cryptography API, an open source, clean-room implementation of the Java Cryptography Extension (JCE). It supports X.509 certificates, PKCS12, S/MIME, CMS, PKCS7, and lots of other juicy acronyms. It also includes its own light-weight crypto API that works in Java 1.0 and later, and does not depend on the JCE. Version 1.27 supports the PSS and OAEP classes in JDK 1.5 and adds support for SHA-256, SHA-384, and SHA-512 to the CMS implementation. The OpenPGP API also disables the quick check for public key encrypted messages in line with the latest security advisory from PGP Corporation. Download it while it's still legal.


Andrei Kouznetsov has released Unified I/O 2.22, an open source (BSD license) class library that "allows random access to any data or stream (even over HTTP), and gives a clear difference between read only and read/write access." This release adds BitInputStream and BitOutputStream classes for bitwise reading and writing and a Base64 encoder and decoder based on these classes.


Cenqua has released Clover 1.3.5, a $250 payware unit test coverage tool. 1.3.5 is a bug fix release.

Clover modifies the source code to enable it to follow which statements are executed when, and keeps a running count of how many times each statement is executed during the test suite. Any statement that executes zero times is not being tested. Unlike Jester, Clover only tests whether the tests execute each statement and follow each branch. (It occasionally misses branches on the edges of >= or <=.) It does not test whether the tests correctly detect bugs. On the other hand, it runs orders of magnitude faster than a tool like Jester does. It's easy to use Clover several times a day. Indeed you can use it after each change to the test suite. By contrast, a full Jester run can take several days to complete. Ideally you'd want to use both a tool like Jester and a tool like Clover since they do different things.

Clover has been a major help in developing XOM. It has located numerous bugs in XOM over the last year, and is largely responsible for the completeness of XOM's test suite. Clover has also helped to optimize XOM for both speed and size by finding dead, unreachable code I could cut out. As usual, I tested the new release on the current XOM code base, and it didn't reveal anything too astonishing—just a few untested lines in some of the newer parts of the code base—but I've been keeping a fairly close eye on the test coverage as I develop so this isn't too surprising.

Clover integrates with Ant, NetBeans, Eclipse, IntelliJ IDEA, and Oracle JDeveloper 10g. Clover can generate test coverage reports in XML, HTML, PDF, or via a Swing Viewer. Java 1.2 or later is required.


The Big Faceless Organization has released the Big Faceless PDF Library 2.3.5, a $700 payware (more if you want support) Java class library for creating PDF documents. The $1300 Extended Edition adds AcroForms support, digital signatures, and the ability to import and edit existing PDF documents. Version 2.3.5 fixes bugs. Java 1.2 or later is required.


Websina has released BugZero 3.9.10, a $1299 payware (+$300 for maintenance) Web-based bug tracking system that supports multiple projects, group-based access, automatic bug assignment, file attachment, email notification, and metric reports. BugZero is written in Java and can run on top of various backend databases including MySQL. 3.9.10 fixes bugs and allows disabling of automatic assignment.