Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 8 years ago.
Improve this question
I am looking for suggestions on tools/methods can be used to make sure , in java source code, sensitive information (like user password) is not accidentally been logged/printout .
You may specify some keywords for your critical variables and for their code behaviours.
After that, you need to install findbugs plug-in and you may create a custom bug detector.
Before you publish the app, run findbugs. It checks bugs and find them if exist.
Some examples are here :
http://lifelongprogrammer.blogspot.com.tr/2013/05/extending-findbugs-creating-our.html
http://www.danielschneller.com/2007/04/findbugs-writing-custom-detectors-part.html
http://findbugs.sourceforge.net/
Any other approach to protect your code, you have to obfusticate your code. (Not to printouts or logs, to protect your source code)
Good luck.
The do that you should be used some kind of Static Analysis tool. And check in their rule set.
For sure this kind of functionality is provided by Jtest (that is commercial tool). You can look on the FindBugs or even SonarQube.
For sure the tools will not be perfect and will not detect. The will try to be help full as much as possible.
But to 100% the best is the rule of four eyes. A code review by other developer might help. The Static Analysis tool should be treated as guardians for so called stupid mistake. A stupid mistake can be defined that is obvious when is pointed out. Everyone do them, so event having a review and general awareness in team there is chance to miss something.
From the code point of view, you want to be compartmentalising as much as reasonably possible. In static terms, the area of code that could access the sensitive information should be minimised. More importantly, scope of data should be minimised. In particular, no globals. No even logging. ("But logging is special!" No it isn't.) IIRC, "Growing Object-Oriented Software Guided by Tests" by Freeman and Pryce touches on what they call "auditing" rather static ad hoc loggers.
Everyone tests these days. A relevant testing technique is to use a known value for the sensitive data and mechanically search through files and network communications for that specific sequence.
If the format of the data is well defined, say credit card numbers, then this data can be scrubbed from the text output to log/audit files. It's not something that you would want to in anyway rely upon, but it could just save you.
There are no tools that can possibly automate that.
Instead, you need to have proper procedures in place for things like code reviews, and awareness among your programmers.
Just curious, how do you imagine such a tool working? How would it magically detect that something is sensitive and to what degree, and whether what's being done with it is or is not allowed?
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 8 years ago.
Improve this question
The company I work at has a piece of code they would like to rewrite. It uses Java/Java server faces. The problems with it are that it is old and uses depreciated code, was written in an IDE that is no longer available and doesn't work well with netbeans, and that it is kind of sloppy coding in the first place. No one really knows its structure and there is limited documentation.
Before beginning on the rewrite, we would like to find the structure of the old program and get a decent UML diagram. What tools would work the best in this situation? So far we have looked at one called Agilej.
Sorry if this is a little vague, I'm just a lowly intern an haven't been filled in on everything yet =p
You can use JArchitect, a pretty complete java static analysis tool
I'm not giving clickable hyperlinks as you should be able to find them easily through a web search and there may be more than 1 link that is useful for you
Sparx Systems Enterprise Architect has very powerful reverse engineering capabilities. Java (also compiled binary JAR) is in the list of supported languages.
I have used Enterprise Architect's reverse engineering features several years ago to help us understand and design modifications of legacy C++, QT code.
Enterprise Architect was able to automatically retrieve the class model. I then used the raw class model to drag/drop draw several other diagrams including only classes of my interest with level of detail I needed etc.
In the range of other static code analysis tools (e.g. the code flow visualization) I don't know which tool particularly supports Java well enough. Quick Google points e.g. to Coder Gears JArchitect. In the past project I have mentioned we used Doxygen's automatically generated documentation. Part of that were also some automatically generated graphviz dependency diagrams.
To clarify the design and visualize the flow (especially big legacy functions) I have found useful the Rapid Quality Systems Code Rocket flow visualizer
Once you get the basic facts at your hands through the various reverse engineering tools next step would be to go through them, annotate what is the unknown, what is doing what, basically apply some formal code review method (e.g. Fagan inspection or some of its derivatives).
(using evaluation versions of the various tools may be enough if you think ahead what are the required deliverables for your follow up actions. I guess the company is not planing to give you a >0$ budget)
The Agile Modeling site may have some good refactoring tips and some minimal UML mapping guidelines, start e.g. at Agile Legacy System Analysis and Integration Modeling
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 8 years ago.
Improve this question
We are a small team of developers working on a common Java/Maven project. We are using different versions of Eclipse, a common Mercurial repository (on Bitbucket) and three different operating systems. Since each developer has his/her personal preferences, we all use different coding styles and code formattings ("else" on the same line/on a different as the previous closing bracket, or using at most 80/100/120 charactes per line because some of use have bigger screens than others, etc.). As a result, when code is commited to the repository, it sometimes appears that there have been changes to a class, even though only the formatting was changed. This makes the real changes hard to trace.
So we were discussing solutions, and probably the best would be, if we would agree on a project standard and from now on, every code in the repo has to comply to this standard. If a collegue checks out code from the repo, a tool would convert it into his/her favourite format and just before committing it is converted back to the repo standard.
I was wondering if there is a tool for formatting code, that
could be run on any operating system
could be easily and extensively configured (such as the Eclipse formatter)
would allow for configurations to be shared
AND could be run, without the developer noticing that it is there.
OPTIONALLY could be run also from the console or as a separate task (eg. from maven)
OPTIONALLY is free
The point about automation is very important: I should easily integrate and ideally not bother the developer by forcing him/her to run a special script or press an extra button on each commit.
What I have done so far:
I added the following line to my .hgrc to create a hook.
[hooks]
precommit = python:.hg/perform_code_formatting.py:perform
and created a file called perform_code_formatting.py
import re,os,sys,mercurial
def perform(repo, **kwargs):
from subprocess import call
call(["ls", "-l"])
Of course, call will eventually replaced by a code formatting tool. But this approach is already flawed, because I am not sure what tool there is, that will run on any operating system and fulfill all the requirements mentioned above.
Tools
beautyj: runs on java, but not enough configuration options
indent/astyle: powerful tools, however, OS dependent
Jindent: not free
eclipse formatter: so far the best option. Could also be run from the console. However, since everybody has a different installation directory, some initial effort has to be made and the script/mercurial configuration has to be done on each working station individually.
My questions
Is there a tool, that fulfills all the requirements I listed? Does anybody have any experience with this "different formatting issue" and has come up with solutions / workflows / policies to deal with it?
Thank you in advance ;)
You can use Jalopy, an open source tool for code formatting. Probably your team can try this.
http://jalopy.sourceforge.net/
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 9 years ago.
Improve this question
I am currently doing an intership in a company and my task is to reevaluate the tool suite used to translate applications as it has become a problem internally. I've looked everywhere on the web and my conclusion is there is just no proper documented end to end workflow for this type of task, so I am asking the community to help me understand what they have seen in the field.
Our current flow looks like this:
java, properties files and resource bundles in the code
custom made tool to extract keys from code based on classes. bit clunky, as it uses class loading and therefore has many practical constraints
custom made web tool to do translations and handle code revisions
Here are some constraints and improvements we're looking towards:
we'd like for external translators to help us for additional languages our company cannot handle
we would like to add metadata to translation keys, such as validation flags, categorization data and description data, something not handled by properties files
we're going to have external translators and would wish to be able to use standards where possible to properly integrate with their tools
Here's what I've found on the web:
GNU Gettext's plural handling and context messages are nice. However, our existing code is written using keys and would not work with writing plain english messages in the code.
XLIFF provides means to have all the extra metadata we would like to add. However, all existing tools are either incomplete, buggy, or costly. Many of the tools add their own metadata which complicates working with XLIFF.
Pootle pretty much does what our custom made web tool does except fails to work on multiple Git branches.
Weblate, which is similar to Pootle, has the ability to work on multiple Git branches. However, updating a project with many languages and many translations takes time. It fails to meet our needs of continuous development.
So what is your recommended tool suite for internationalization of a complex multi-module java application?
Gettext (.po) is possible by a two stage key: key -> English, English as key. Disambiguation can be done with the original key. The original key can be preserved.
Gettext seems to be more extensively used than XLIFF - but I may be wrong meanwhile.
Web interfaces are fine - as a secondary tool. Translation agencies will complain when offered such a thing.
I cannot stress sufficiently that the delivery of the text is very important, to prevent that every translator has to do extra work. Almost the same text that might be united is such an example. A Translation Memory might give a fuzzy translation, but it is better to do processing by someone dedicated, before delivering things to translate. Also things like "Select from the menu 'Process thumbleweed'" and "Process thumbleweed" could well need a translation responsible person, to have coherent translations. XLIFF might offer more technicalities, but in general I think it is best to let an experienced developer ensure, develop this process. A common glossary of specific terms.
Also being able to have the application switch between showing a specific language and the key "[key]".
How about Tapiji? Not sure if it will meet all your requirements, but it is a time saver. If you are using Eclipse, or can use it, it might be worth a look. From the site:
The implemented editor is based on the Babel Messages Editor Resource-Bundle editor, which considers the whole Resource-Bundle as the object under modification instead of a single property file. Furthermore, a Resource-Bundle view adds rich functionality for browsing resources and directly comparing different languages. In parallel, RCP and RAP based stand-alone applications enable the translation of resources without the need of programming skills.
Weblate indeed is not the fastest tool for import (but there are many improvements in the upcoming 1.6 release), but there are several hints in the documentation how to improve this. Have you tried those?
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 9 years ago.
Improve this question
I am looking for a simple dynamic call graph logger for Java that you can add in a few lines of code. I know there is an Aspect J solution. Also, I helped Zola develop Glow for C/C++ so I could rewrite a similar tool but I don't want to dig into JVM internals.
Any open source solution out there right now that is stable and better than the AspectJ solution?
The purpose is to use as a companion to unit testing certain portions of the code that you want more information about their behavior.
I think you want to collect a call graph (as opposed to just a set of calls) by any means possible.
One can do with with a static analyzer (if you can get a strong enough one), to collect the potential call graph. A dynamic method collects one at runtime by instrumenting the code. Some folks may specifically want the dynamic one, because they want to see the actual call graph for a specific set of input data.
There are several Java profilers that will collect this information dynamically, including ours. None of the ones that do that are open source, that I know of, but I could be wrong.
Such profilers often work by instrumenting the code (either source or VM code if the language [e.g., Java,C#] has such). How they do it depends on the supplier.
In our case, we use our program transformation tools to transform the source code from its original form, into a form that also collects profiling data.
You can use AspectJ to insert instrumentation to do this, too. [It is worth noting that aspects are just a special case of program transformation]. Of course, there's more work than just instrumenting the code; you have to collect the runtime data efficiently and after execution process to produce the call graph. So its rather a bit of work to do all this but you presumably know that from your Glow experience.
Maybe off-topic, but are you sure you want actually call graph? Somehow I think such a detailed graph will be next to useless in a reasonably sized application. What I find much more useful is a dependency graph between classes, one that is very easy to get as long as you use some kind of dependency injection. I used google guice (and it was actually pretty useful to restructure/keep clean a reasonably sized application).
There is a very nice google-guice-dependency grapher available out-of-the box and for free: http://code.google.com/p/google-guice/wiki/Grapher . I even customized it (extended the Grapher class) to mark different class types with different colors (DAO, controller, API etc.)...
There is instrumentation via the native JVMTI C/C++ native interfaces. Like I said I would like to stay in pure Java.
Java does have a Runtime.getRuntime().traceMethodCalls(), but you need something to consume the output still.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 years ago.
Improve this question
I have recently inherited a program written in Managed C++ from some guy who just retired. After spending some time digging through it, I can honestly say that at least 95% of it belongs on thedailywtf. However, I am now tasked with modifying it and porting it over to a language I'm comfortable with.
The program itself takes in many many parameters (50+) read in from a file and performs a series of calculations and spits out a report. Once I'm done plowing my way through pages of 3 letter variables (many of them reused for totally unrelated purposes), I need to come up with a way to test my code to make sure it comes up with the same answers as the previous code.
This is most likely wishful thinking, but are there any automated code analysis tools out there that can aid me in this task in any way or form?
I will be porting it over to Java.
I need to come up with a way to test
my code to make sure it comes up with
the same answers as the previous code.
Unit Testing
Since you mentioned that it is about a program that takes parameters in a file and outputs a report, you could generate a few inputs that give sufficient coverage to the portions you want to unit test against the output from the old code.
If something breaks don't forget there is also a chance you have discovered a bug in the old code.
http://www.junit.org/
Progressive Port
I'd go for porting it piece by piece, I kind of feel it will fit your problem since in a report you can grab specific fields and ignore those that you have not ported yet (assuming to output one field/calculation you do not need the whole program to be ported) and verify it against the correct value from the old code (or other correct source in case of bugs in the old code).
I think you should start off writing tests to ensure that the ported code does not break any of the existing report's behavior.
As for automated code analysis tools, the ones most likely to aid you in this area are the data flow analysis tools, which can hypothetically model the flow of data from the file into the variables and out to the report. Unfortunately, a search for such tools resulted in a failure a few weeks back, for me. You might want to have hand-drawn DFDs in places, just to make sure you don't trip over something. Graphviz can help in this area.
It might help copying over the functionality over to Java (I know this sounds perverse), but you could refactor the code carefully under the watchful eyes of PMD, FindBugs and similar code quality assurance tools in Java.
EDIT: I had forgotten the part where in tools of a certain category could be of aid - these are the code slicing tools in the Java world, and I must admit that I haven't used them so far. Here's a list that might help:
JSlice
Other related tools listed on the JSlice page.
I asked a somewhat related question some time ago that makes me think of a possible approach: Is there a Findbugs and / or PMD equivalent for C/C++?
What occurs to me is that, if this code is so janky, perhaps it would be a good idea to spend some time to try to repair / refactor it in place. Obviously, if you're headed to Java, it's a hard thing to convince yourself to spend time on improving C++ code that has a short lifespan. That said, if you replace some of the obviously stupid portions with improved code, it'll likely be shorter, tighter, more obviously correct and a whole lot easier to port and to analyze as you try to convince yourself that the new code is functionally equivalent to the old code.
The most useful tools suggested in answers to my question were Splint and Cppcheck.
There was another broader question asked some time ago that may contribute related ideas: What open source C++ static analysis tools are available?
Disclaimer: I've never had to do anything like this before.
Couldn't you first use a C++ to Java converter (a quick google search led me to a product which claims to be able to do that at a very reasonable price if it does in fact work C++ to Java Converter).
Then, create your unit tests and begin refactoring.