Java News from Thursday, August 31, 2006

Bill Pugh of FindBugs fame has submitted JSR-305, Annotations for Software Defect Detection, to the Java Community Process. According to the JSR:

This JSR would attempt to develop a standard set of annotations that can assist defect detection tools. Such annotations have been found to be useful in tools such as FindBugs and IntelliJ, but developers are hesitant to invest time in providing annotations if they don't know that their annotations will be portable across tools.

These annotations will be applied using the existing annotations capabilities introduced in Java 5, and may also utilize any additional annotation capabilities introduced in Java SE 7.

Some annotations already identified as potential candidates include:

Nullness annotations (e.g., @NonNull and @CheckForNull). Both FindBugs and IntelliJ already support their own versions of nullness annotations.

Check return value annotation - an annotation that says ignoring the return value of a method is likely incorrect (e.g., String.toLowerCase())

Taint annotations - We want to check for errors such as SQL injection and cross-site scripting (see Detecting Format-String Vulnerabilities with Type Qualifiers, Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, and David Wagner, 10th USENIX Security Symposium, Washington, D.C., August 2001, for a discussion of using taint annotations in static analysis).

Concurrency - We all know that concurrency is hard and statically detecting concurrency errors is very hard. We can look at the annotations proposed by Java Concurrency In Practice and by the CMU Fluid project as a starting point.

Internationalization annotations, such as @NonNls or @Nls, indicating values that either are or are not natural language strings that need to be localized for different locations. These annotations are currently used by IntelliJ.

Many of these annotations could be much more useful if annotations could be supplied in places where they can't currently be applied (e.g., to generic type parameters), and if default annotations could be supplied (e.g., marking all methods in a class or package as having nonnull parameters unless otherwise specifically so annotated).

In addition to FindBugs and IntelliJ, other tools could benefit from such annotations, such as Fortify Software's SCA, Coverity's forthcoming Java analysis tool, the NetBeans Jackpot tool, and IBM's SAFE tool.

We would try to develop annotations that could be usefully applied with a low annotation burden (e.g., making only a few annotations per class), although more intensive annotations might provide additional value.

WBEM Solutions, Inc has posted the public review draft of JSR-48 WBEM Services Specification to the Java Community Process (JCP). According to the draft:

Web Based Enterprise Management (WBEM) is a set of specifications that unify the management of enterprise computing environments. WBEM provides the ability for the industry to deliver a well-integrated set of standard-based management tools leveraging the emerging Web technologies. The Distributed Management Task Force (DMTF) has developed a core set of standards that make up WBEM.

This specification along with the Javadoc defines the Java™ WBEM API. This allows any Java™ VM to become WBEM enabled as well as allow any Java™ VM to manage any WBEM (SMI, SMASH, ...) enabled managed elements.

Sun has posted the fifth maintenance review change log for JSR 3: Java Management Extensions. The single proposed change is to clarify how MBean runtime exceptions are handled. Comments are due by September 26.