JetBrains Launches Self-Hosted Version of Qodana

Software development tools maker JetBrains has announced the availability of a self-hosted version of its Qodana code quality platform. An extension of the cloud version launched last summer, this release is also based on the static code analysis engine of JetBrains' IDEs. The platform supports native integration with both those IDEs and VS Code, allowing developers to build quality gates in any CI environment, which helps to enforce coding standards enterprise-wide.

To state the obvious, code quality platforms are tools designed to evaluate the quality of a developer's code. They provide a general assessment of the effectiveness, reliability, and maintainability of the code, as well as how well it adheres to established coding standards. High-quality code is more readable, comprehensible, and modifiable, which reduces the likelihood of errors and enhances its adaptability to changes.

With Qodana, developers can identify issues as a part of their CI/CD pipelines and resolve them from within their IDEs, ensuring the code aligns with established quality standards. This is a time-saving feature meant to enhance overall code quality and reduce the risk of security failures and production issues while accelerating the delivery of new functionality.

Since the company launched the cloud version of Qodana last year, JetBrains has been bombarded with requests for a self-hosted version, Valerie Kuzmina, Product Marketing Manager in JetBrains Qodana and IDE Services group, said in a blog post.

"With Qodana, we are on a mission to create an exceptional experience for development teams, making the entire journey – from setup to result analysis and fixes – easier and more enjoyable, increasing the adoption of server-side analysis," Kuzmina wrote.

The Qodana platform was developed to address a number of factors that contribute to the low adoption of static code analysis tools among developers, Kuzmina explained, which poses risks to product quality. Server-side analysis results are either ignored or, at best, grudgingly tolerated, she wrote, because of the number of false positives, conflicts with IDE inspections, misaligned code quality guidelines, convoluted setups, an inability to fix issues quickly, and outdated UIs, all leading to what she called a "suboptimal developer experience."

"Following successful Beta tests with some of our clients," she wrote, "we're now launching the first release of Qodana Self-Hosted, allowing you to manage, maintain, and upgrade Qodana entirely on your end."

Currently, Qodana Self-Hosted supports Amazon Web Services (AWS). Additional hosting options will be added in future versions, the company says. If you're interested, you can request a demo here.

Prague-based JetBrains makes a lineup of more than 30 intelligent software development tools, including the popular IntelliJ IDEA IDE for Java developers and PyCharm for Python devs. The company is also the creator of Kotlin, a popular cross-platform, statically typed, general-purpose high-level programming language with type inference. The company's tools are used by more than 11.4 million professionals and 88 of the Fortune Global Top 100 companies.

Posted by John K. Waters on July 10, 2024

Qt Group and LG Electronics Team Up to Revolutionize In-Car Entertainment

When I hear the word "infotainment," I automatically think of TV shows like "Animal Planet" or "The Daily Show." But it's also a term of art in the auto industry referring to in-car systems that combine entertainment, such as radio and music, with driving information, such as navigation. Modern in-vehicle infotainment systems connect with smart automotive technologies, such as Advanced Driver Assistance Systems (ADAS) and Vehicle-to-Everything (V2X) technology, which use sensors, cameras, and wireless connectivity to allow cars to connect to and communicate with their drivers and surroundings.

The entire automotive industry is developing technologies to enable better connectivity solutions, improve vehicle safety, and enhance the "in-vehicle user-experience," so the announcement that Qt Group and LG Electronics (LG) are collaborating to embed the Qt software framework within LG’s webOS-based in-vehicle entertainment platform, ACP, was not surprising. This partnership aims to equip automotive OEM developers and designers with the tools needed to create cutting-edge, immersive content-streaming services for vehicles.

This new initiative leverages Qt’s existing support for LG’s highly customizable, open-source webOS, which has been a staple in consumer electronics like smart TVs, signage, smart monitors, and home appliances. Historically, LG has utilized the Qt framework to develop user-friendly interfaces and intuitive user experiences. Now, the focus shifts to LG’s ACP, a platform specifically designed for enhancing the in-car content-streaming experience.

The collaboration with Qt is set to play a pivotal role in the continued evolution of this automotive content platform as it is integrated into more brands’ infotainment systems. Qt is a cross-platform application development framework for desktop, embedded and mobile. Its robust out-of-the-box features accelerate development processes, offering faster boot times, enhanced performance, and efficient memory usage, thus ensuring reliable and powerful capabilities.

"The development of advanced software is crucial for enhancing in-vehicle experiences, and the partnership between LG and Qt will increase our capabilities in this all-important area of mobility innovation," said Sang-yong Lee, senior VP of R&D at LG, in a statement. "LG will continue to collaborate with innovative partners like Qt to create immersive in-cabin experiences that meet the diverse demands of automakers and their customers."

This announcement coincides with new market research projections, predicting that the global infotainment market will reach USD 35.4 billion by 2030. More broadly, software-defined vehicles are expected to generate more than $650 billion in value for the auto industry by the same year. To support this growth, Qt has recently expanded access to its design and development tools for automotive brands such as General Motors and Mercedes-Benz. Earlier in 2024, Qt’s human-machine interface development platform was also added to the AWS Marketplace.

"LG has been a trusted Qt partner and leader in infotainment innovation for years, so we’re excited to help them enhance immersive in-car experiences," said Juha Varelius, CEO of Qt Group. "There’s a big ecosystem of developers making web-based applications for cars, but with Qt integrated into LG’s ACP powered by webOS, they can more easily build and run these applications natively within the OS. Most automotive players already have Qt-based assets in their software, and this partnership marks another significant milestone for us in the industry."

Helsinki-based Qt Group’s suite of tools for designing, developing, and ensuring product quality aims to foster closer alignment between developers and designers. These tools were created to streamline workflows, enabling concurrent work within the same framework, and are particularly suited for cross-platform development, especially for low-powered and embedded devices.

This partnership between Qt and LG represents a significant step forward in the infotainment space, promising to deliver more innovative and engaging experiences for drivers and passengers alike. But the real message is that developers will have the tools they need to leverage their skillsets as demand increases for so-called modern in-car experiences.

Posted by John K. Waters on June 26, 2024

Eclipse Foundation Announces New Release of Eclipse Temurin Java SE Runtime

The folks at the Eclipse Foundation, in collaboration with the Adoptium Working Group, recently unveiled the latest release of Eclipse Temurin, the working group's OpenJDK distribution. This is the largest release to date, with support for 54 version/platform combinations and five major OpenJDK versions, highlighting a commitment to diverse and comprehensive builds across Linux, Mac, Windows, and various architectures, including x64, ARM, and RISC-V.

"The incredible growth of Eclipse Temurin reflects a strong demand among developers for secure, high-quality, and community-driven open-source Java runtimes," said Thabang Mashologu, vice president of Community and Outreach for the Eclipse Foundation, in a statement. "The Adoptium Working Group’s efforts have been instrumental in delivering enterprise-ready runtime binaries and expanding the potential use cases for open-source Java. Eclipse Temurin is one of the first open-source Java distributions to support RISC-V, introducing new opportunities for Java in Industrial IoT and beyond."

The Eclipse Foundation is one of the world’s largest open-source software foundations. The Adoptium Working Group, which is the successor to AdoptOpenJDK, promotes and supports high-quality, TCK certified runtimes and associated technology for use across the Java ecosystem. Since it was established back in 2021, Adoptium has become the leading provider of high-quality OpenJDK-based binaries.

The list of key updates and developments in this Temurin release includes:

Unprecedented Growth and Adoption: "Growth" was a key word in this announcement. Eclipse Temurin is currently the fastest-growing open-source Java SE runtime, with more than 23 million downloads per month and more than 380 million downloads to date. According to a recent report by New Relic (New Relic, State of the Java Ecosystem, April 2024), Temurin has experienced 50% year-over-year growth, now representing 18% of the Java market as the second most popular JDK vendor.

Security Enhancements: Eclipse Temurin is pioneering software supply chain security practices, with nominated platform builds independently verified and inclusive of a comprehensive software bill of materials. The Foundation published a case study that underscores this commitment.

RISC-V Support: The new release supports RISC-V microprocessors, expanding its applications to embedded technologies, IoT, machine learning, automotive software, and high-performance computing.

The stats cited in that New Relic study are well worth noting:

In 2020, Oracle was the most popular JDK vendor, comprising roughly 75% of the Java market. There was a noticeable movement away from Oracle binaries after the more restrictive licensing of its JDK 11 distribution (before the return to a more open stance with Java 17), and we’ve seen a steady decline year-over-year (YoY) ever since then. While Oracle retained the top spot in 2022 (34%), it slipped to 29% in 2023, and it’s now at 21%—which represents a 28% decrease in one year.

The use of Amazon increased to 31% of the market in 2023 (up from 2.2% in 2020 and 22% in 2022), but has dropped to 18% in 2024, which represents a 43% decrease YoY.

The rising star this year is Eclipse Adoptium, adoption of which rose 50% YoY from 12% to 18%. Because Eclipse Adoptium is community-managed, this JDK tends to be updated more frequently than the Oracle and Amazon JDKs.

Eclipse Temurin is currently available for a wide range of platforms and Java SE versions. Multiple commercial support options are available for Temurin, with enterprise-grade support provided by members of the Adoptium Working Group, including Azul Systems, IBM, Open Elements, and Red Hat.

Posted by John K. Waters on June 4, 2024

Java 22 Packs a Punch with 12 JEPs and Support for GenAI

Last month, Oracle dropped Java 22, adding a fresh batch of performance, stability, and security features to the venerable programming platform. This latest iteration introduces 12 JDK Enhancement Proposals (JEPs) aimed at refining everything from the Java language to its array of development tools. Though not a long-term support (LTS) release (the next LTS is Java 23), this release is a significant upgrade that includes new features focused on better enabling the use of Java for building AI applications.

Under the hood, Oracle is delivering language improvements from OpenJDK Project Amber, enhancements from Project Panama, features related to Project Loom, core libraries and tools capabilities, and performance updates.

"The new enhancements in Java 22 enable more developers to quickly and easily build and deliver feature-rich, scalable, and secure applications to help organizations across the globe grow their businesses," said Georges Saab, senior vice president in Oracle's Java Platform group and chair of the OpenJDK governing board, in a statement. "By delivering enhancements that streamline application development and extend Java's reach to make it accessible to developers of all proficiency levels, Java 22 will help drive the creation of a wide range of new applications and services for organizations and developers alike."

Among the stand-out features in this release, noted Sharat Chander, senior director of product management for the Java Platform at Oracle, is JEP 463, "Implicitly Declared Classes and Instance Main Methods," which is going to provide a kind of on-ramp for the next generation of developers to become familiar with Java, and eventually, active users.

"I'm very excited about JEP 463," Chander told me. "It sort of welcomes a whole new generation of developers that might think Java is outdated. Of course, it's far from [that], based on all the innovation that has been coming since we started this six-month release cadence."

"The original founders of this entire concept and technology realized that you have to build a user base and a community to have something that's active," he added, "and you see a lot of modern languages, platforms, and solutions that have now realized that the secret sauce is to emulate what Java has done. For us, this is paramount to [Java's] success."

Arnal Dayaratna, research vice president in IDC's software development group, underscored Java's "versatility and comprehensive toolset," which enables it to support the development of production-grade, mission-critical applications at scale. This "positions it as a key enabling technology for innovative use cases such as generative AI."

"After nearly three decades, Java's ability to support complex development tasks that span a wide range of use cases makes the platform as relevant as it has ever been," Dayaratna said in a statement.

Java 22 includes a number of features in preview, which Saab told me reflects the benefits of the six-month release cadence Oracle continues to maintain.

"In the old days, it was always a problem getting feedback on features," he said. "We would work on something and have early access builds, which a few passionate people would download and try. But people have day jobs! Most just weren't going to download something, try it, and give feedback. And if they did, it was probably too late to do anything about it. Now, the whole intent of the preview feature is put it in something that people are downloading anyway and make it super easy to try it and give us feedback on it."

The list of updates delivered in Java 22 includes:

  • JEP 447: Statements before super(…) (Preview): Gives developers the freedom to express the behavior of constructors. By allowing statements that do not reference the instance being created to appear before an explicit constructor invocation, this feature enables a more natural placement of logic that needs to be factored into auxiliary static methods, auxiliary intermediate constructors, or constructor arguments. It also preserves the existing assurance that constructors run in top-down order during class instantiation, helping ensure that code in a subclass constructor cannot interfere with superclass instantiation. In addition, this feature does not require any changes to the Java Virtual Machine (JVM) and relies only on the current ability of the JVM to verify and execute code that appears before explicit constructor invocations within constructors.
  • JEP 456: Unnamed Variables & Patterns: Helps improve developer productivity by enhancing the Java language with unnamed variables and patterns, which can be used when variable declarations or nested patterns are required but never used. This reduces opportunities for error, improves the readability of record patterns, and increases the maintainability of all code.
  • JEP 459: String Templates (Second Preview): Simplifies the development of Java programs by making it easy to express strings that include values computed at run time, while also improving the security of programs that compose strings from user-provided values and pass them to other systems. Additionally, the readability of expressions mixed with text is enhanced, and non-string values computed from literal text and embedded expressions can be created without having to transit through an intermediate string representation.
  • JEP 463: Implicitly Declared Classes and Instance Main Methods (Second Preview): Helps accelerate learning by offering a smooth on-ramp to Java programming to enable students to write their first programs without needing to understand language features designed for large programs. With this feature, educators can introduce concepts in a gradual manner and students can write streamlined declarations for single-class programs and seamlessly expand their programs to use more advanced features as their skills grow.

Project Loom Features

  • JEP 462: Structured Concurrency (Second Preview): Helps developers streamline error handling and cancellation and enhance observability by introducing an API for structured concurrency. This helps promote a style of concurrent programming that can eliminate common risks arising from cancellation and shutdown – such as thread leaks and cancellation delays – and improves the observability of concurrent code.
  • JEP 464: Scoped Values (Second Preview): Helps increase ease-of-use, comprehensibility, performance, and robustness of developers' projects by enabling the sharing of immutable data within and across threads.

Project Panama Features

  • JEP 454: Foreign Function & Memory API: Increases ease-of-use, flexibility, safety, and performance for developers by introducing an API to enable Java programs to interoperate with code and data outside of the Java runtime. By efficiently invoking foreign functions such as code outside the Java Virtual Machine, and by safely accessing foreign memory (i.e., memory not managed by the JVM), the new API allows Java programs to call native libraries and process native data without requiring the Java Native Interface.
  • JEP 460: Vector API (Seventh Incubator): Enables developers to achieve performance superior to equivalent scalar computations by introducing an API to express vector computations that reliably compile at runtime to vector instructions on supported CPU architectures.  

Core Libraries & Tools Features

  • JEP 457: Class-File API (Preview): Helps developers improve productivity by providing a standard API for parsing, generating, and transforming Java class files.
  • JEP 458: Launch Multi-File Source-Code Programs: Enables developers to choose whether and when to configure a build tool by enhancing the Java application launcher to enable it to run a program supplied as multiple files of Java source code.
  • JEP 461: Stream Gatherers (Preview): Helps developers improve productivity by enhancing the Stream API to support custom intermediate operations, which will allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations. By making stream pipelines more flexible and expressive and allowing custom intermediate operations to manipulate streams of infinite size, this feature enables developers to become more efficient in reading, writing, and maintaining Java code.
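To make the Stream Gatherers item concrete, here is an added example written for this page (it is not Oracle's code or anything from the JEP text). It builds a custom intermediate operation that keeps state across elements, which is exactly what `filter` and `map` cannot do: it raises an alert once a user produces N consecutive failed logins in an event stream. The `LoginEvent` record, the sample events and the class name are constructed for the illustration; the API calls (`Gatherer.ofSequential`, `Gatherer.Integrator.ofGreedy`, `Stream.gather`) are the preview API as shipped in Java 22, so it must be run with preview features enabled.

```java
// Added example (not from the article): a custom intermediate stream
// operation built with the Stream Gatherers API (JEP 461, preview in Java
// 22). It flags a user as soon as N consecutive login failures arrive in an
// event stream, which needs state carried across elements. Run with preview
// features enabled:
//   java --enable-preview --source 22 FailureBurst.java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Gatherer;
import java.util.stream.Stream;

public class FailureBurst {

    // Constructed log record; in practice this would be parsed from an auth log.
    record LoginEvent(String user, boolean success) {}

    // Sequential gatherer whose state is a per-user counter of consecutive
    // failures. When a user reaches 'threshold' it pushes one alert downstream
    // and resets that user's counter, so a long burst yields one alert per
    // 'threshold' failures rather than one per event.
    static Gatherer<LoginEvent, Map<String, Integer>, String> consecutiveFailures(int threshold) {
        return Gatherer.<LoginEvent, Map<String, Integer>, String>ofSequential(
            HashMap::new,
            Gatherer.Integrator.ofGreedy((state, event, downstream) -> {
                if (event.success()) {
                    state.remove(event.user()); // a success breaks the streak
                    return true;                // keep consuming input
                }
                int n = state.merge(event.user(), 1, Integer::sum);
                if (n >= threshold) {
                    state.remove(event.user());
                    // push() returns false if downstream wants no more elements
                    return downstream.push("ALERT " + event.user()
                        + ": " + threshold + " consecutive failures");
                }
                return true;
            }));
    }

    // Run the gatherer over a list of events and collect the alerts.
    static List<String> alerts(List<LoginEvent> events, int threshold) {
        return events.stream()
            .gather(consecutiveFailures(threshold))
            .toList();
    }

    public static void main(String[] args) {
        // Constructed sample: alice fails three times in a row; bob's failures
        // are interrupted by a success and never reach the threshold.
        List<LoginEvent> events = List.of(
            new LoginEvent("alice", false),
            new LoginEvent("bob", false),
            new LoginEvent("alice", false),
            new LoginEvent("bob", true),
            new LoginEvent("alice", false),
            new LoginEvent("bob", false),
            new LoginEvent("bob", false));
        alerts(events, 3).forEach(System.out::println);
    }
}
```

The point of the design is that the detection state lives inside the pipeline stage rather than in a shared mutable collection outside the stream, and because the gatherer is declared sequential the stream runtime will not split that state across threads.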

Performance Updates

  • JEP 423: Region Pinning for G1: Helps reduce latency by allowing some garbage collection to happen during some native library calls that would have otherwise needed to pause the collector. This is achieved by tracking which objects need to be blocked during these native library calls and "pinning" just the regions that contain these objects. This allows garbage collection to continue normally in unpinned regions, even during what would have otherwise been a blocking native library call.


Posted by John K. Waters on April 10, 2024

A Prompt by Any Other Name: IBM's Watsonx Gets a Generative AI Enhancement

When I first began using the term "prompt engineering" last year, I thought the eye rolling would knock the planet off its axis. I got a similar reaction a dozen years earlier when I proposed writing a book on "social media" to an east coast publisher. And don't get me started on the initial feedback on "the cloud."

Technology nomenclature is a writhing beast, and prompt engineering hit the zeitgeist like a breaching humpback soaking eager whale watchers. This discipline, essentially undifferentiated before the precipitous rise of ChatGPT and other advanced machine learning large language models (LLMs) we're calling "AI," is now commanding a salary range of between $250k and $375k USD, according to Forbes.

All of which is a slightly self-aggrandizing way of getting to the news that IBM is set to integrate a prompt tuner into a component of its watsonx enterprise AI and data platform.

Big Blue created the aptly named "Tuning Studio" to help users write better prompts for generative AI. It will be included in the component of the platform. As the name implies, organizations will be able to use it to "tune" their foundation models with labeled data for better performance and accuracy.

According to the HR software provider Workable, a prompt engineer specializes in designing, developing and refining AI-generated text prompts, optimizing prompt performance, and improving the AI prompt generation process for a range of applications. (Exactly how "engineer" got tacked onto the job of creating input instructions for genAI engines is beyond me. Like I said, writhing beast.)

IBM's watsonx is an enterprise-focused AI platform the company distinguishes from the generative AI used for "entertainment," such as writing song lyrics or seeing how a version of your wedding vows would sound if written by Hunter S. Thompson. The company debuted the platform in July of this year with three components:

  • This new studio for foundation models, generative AI and machine learning can help organizations train, validate, tune, and deploy foundation and machine learning models.
  • This is for scaling AI workloads, for all data, anywhere with a fit-for-purpose data store built on an open lakehouse architecture.
  • watsonx.governance: This enables responsibility, transparency and explainability in data and AI workflows, helping organizations to direct, manage and monitor its AI activities.

The component will get Tuning Studio in the third quarter of this year, the company says. The other two components of the platform will also receive some upgrades:

  • Planned generative AI capabilities in will help users discover, augment, visualize and refine data for AI through a self-service experience powered by a conversational, natural language interface. The company plans to issue a tech preview in the fourth quarter of this year. It also plans to integrate a vector database capability into to support retrieval augmented generation use cases, again in a tech preview in the fourth quarter.
  • watsonx.governance: Model risk governance for generative AI: This is yet another tech preview, in which clients can explore capabilities for automated collection and documentation of foundation model details and model risk governance capabilities. IBM said these help stakeholders view relevant metrics in dashboards of their enterprise-wide AI workflows with approvals, so humans are engaged at the right times.

IBM is also enhancing the watsonx platform with some AI assistants to help users with things like application modernization, customer care, and human resources. And the company plans to embed tech across its hybrid cloud software and infrastructure products.

Is prompt engineering a "game-changing skill," as some feverish tech reporters have suggested, or will it fizzle as more specialty tools like Tuning Studio emerge? I suspect that both are true... sort of. Generative AI is already changing the way developers work. GitHub Copilot and Amazon's CodeWhisperer are just two examples of a type of AI-supported coding assistant that is certain to become ubiquitous. And the ability to develop and refine AI-generated text for modern applications and systems is likely to find its way into a lot of developer toolboxes.

Posted by John K. Waters on October 9, 2023

Oracle JDK 21 LTS Release: More Features from Loom, Panama, and Generational ZGC

Java 21 has arrived, and with it the latest implementation of Oracle's Java Development Kit (JDK). Oracle JDK 21 is a long-term support release (LTS) focused on serious performance improvements, stability enhancements, and security upgrades.

As an LTS release, JDK 21 will receive eight years of support from Oracle. The company also announced that it will provide support for Java 11 through "at least" January 2032. The eight-year extension was a response to "customer feedback in the Java ecosystem," said Sharat Chander, Director of Java SE Product Management at Oracle, in a blog post.

This release implements capabilities from four ongoing OpenJDK efforts, including Project Amber (String Templates, Record Patterns, Pattern Matching for Switch, Unnamed Patterns and Variables, and Unnamed Classes and Instance Main Methods); Project Panama (Foreign Function & Memory API and Vector API); Project Loom (Virtual Threads, Scoped Values, and Structured Concurrency); and Generational ZGC (improved app performance by extending Z Garbage Collection). The release also comes with maintenance and deprecation features (Deprecate the 32-bit x86 Port for Removal, and Prepare to Disallow the Dynamic Loading of Agents).

This is the 12th Feature Release delivered through the six-month release cadence proposed by Mark Reinhold, chief architect of Oracle’s Java Platform Group, back in 2017. "This level of predictability allows developers to easily manage their adoption of innovation thanks to a steady stream of expected improvements," Chander noted in his post.

Oracle announced the release at the Oracle Cloud World conference in Las Vegas.

"Java continues to be the language and platform of choice for the development of robust, scalable, and secure applications used by organizations and millions of individuals around the world," said Georges Saab, senior vice president of Oracle Java Platform and chair of the OpenJDK governing board, in a statement. "The new enhancements in Java 21 enable developers to build better applications even faster than before. In addition, commercial support will be available for at least eight years to enable customers to migrate at their own pace."

In virtually all of its announcements, blog posts, and press releases, Oracle calls Java "the world’s number one programming language and development platform." And there's a reason for that, according to Stephen O’Grady, principal analyst and co-founder of the developer-focused analyst firm RedMonk.

"Despite so many languages that are in circulation, Java is still everywhere today," O'Grady said in a statement. "As the world evolves, Java’s ability to adapt will help it continue to play a key role in offering value to developers."

This release implements 15 JEPs (JDK Enhancement Proposals), which, as most ADTmag readers know, are similar to JSRs (Java Specification Requests), the formal spec requests of the Java Community Process (JSR). JEPs allow OpenJDK committers contributing to the free and open-source implementation of the Java Platform, Standard Edition (Java SE), to work more informally. As Oracle puts it, "The Java 21 release is the result of extensive collaboration between Oracle engineers and other members of the worldwide Java developer community via OpenJDK and the Java Community Process."

The following is available on Oracle's website, but I'm listing what I consider to be the most significant JEPs in this release here for our readers' convenience:

Project Loom Features

  • JEP 444: Virtual Threads: Significantly streamlines the process of writing, maintaining, and observing high-throughput, concurrent applications by introducing lightweight virtual threads to the Java Platform. By enabling developers to easily troubleshoot, debug, and profile concurrent applications and scale them with existing JDK tools and techniques, virtual threads help accelerate application development.
  • JEP 446: Scoped Values (Preview): Enables the sharing of immutable data within and across threads. This helps increase the ease-of-use, comprehensibility, robustness, and performance of developers’ projects.
  • JEP 453: Structured Concurrency (Preview): Simplifies concurrent programming by introducing an API for structured concurrency, which helps promote a style of concurrent programming that can eliminate common risks arising from cancellation and shutdown – such as thread leaks and cancellation delays – and improves the observability of concurrent code. This helps developers streamline error handling and cancellation, improve reliability, and enhance observability.
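The three Loom items above (and their second-preview counterparts, JEP 462 and JEP 464, in the Java 22 post earlier on this page) fit together in one short program, so here is an added example written for this page rather than code from Oracle or the JEPs. A request handler fans out to two backend lookups on virtual threads under a `StructuredTaskScope`, and the caller's identity travels in a `ScopedValue` instead of a mutable `ThreadLocal` that could leak between pooled threads. The class, the `loadProfile`/`loadBalance` stand-ins and the account values are constructed; `ScopedValue` and `StructuredTaskScope` are preview APIs in both Java 21 and Java 22, so the program needs preview features enabled.

```java
// Added example (not from the article): a request fan-out on virtual threads
// (JEP 444) under a structured scope (JEP 453 / JEP 462) with the caller's
// identity carried in a ScopedValue (JEP 446 / JEP 464). Structured
// concurrency and scoped values are preview APIs, so run with, e.g.:
//   java --enable-preview --source 21 RequestFanOut.java
import java.util.concurrent.StructuredTaskScope;
import java.util.concurrent.StructuredTaskScope.Subtask;

public class RequestFanOut {

    // Immutable per-request principal. A ScopedValue is bound for a bounded
    // region of code and is visible to subtasks forked inside that region,
    // so the identity cannot linger on a reused thread after the request.
    static final ScopedValue<String> PRINCIPAL = ScopedValue.newInstance();

    record Profile(String owner, String displayName) {}
    record Balance(String owner, long cents) {}

    // Constructed stand-ins for backend calls. Each reads the bound principal
    // itself rather than trusting a parameter passed down the call chain.
    static Profile loadProfile(String account) throws InterruptedException {
        Thread.sleep(50);
        String who = PRINCIPAL.get();
        return new Profile(who, who.toUpperCase() + " (" + account + ")");
    }

    static Balance loadBalance(String account) throws InterruptedException {
        Thread.sleep(50);
        return new Balance(PRINCIPAL.get(), 12_345L);
    }

    // Fork both lookups; StructuredTaskScope runs subtasks on virtual threads
    // by default. If either subtask fails, the other is cancelled, and the
    // scope is closed before this method returns, so no subtask can outlive
    // the request (no thread leaks, no orphaned work).
    static String handle(String account) throws Exception {
        try (var scope = new StructuredTaskScope.ShutdownOnFailure()) {
            Subtask<Profile> profile = scope.fork(() -> loadProfile(account));
            Subtask<Balance> balance = scope.fork(() -> loadBalance(account));
            scope.join().throwIfFailed();   // wait for both, rethrow the first failure
            return profile.get().displayName()
                + " balance=" + balance.get().cents()
                + " owner=" + balance.get().owner();
        }
    }

    public static void main(String[] args) throws Exception {
        // Bind the principal only for the duration of this request; the
        // binding disappears when run() returns.
        ScopedValue.where(PRINCIPAL, "alice").run(() -> {
            try {
                System.out.println(handle("ACC-1"));
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        });
        // Outside the binding there is no stale identity to read: get() would
        // throw NoSuchElementException, and isBound() reports false.
        System.out.println("principal still bound after request? " + PRINCIPAL.isBound());
    }
}
```

Two properties matter from a security-engineering angle: the subtasks inherit the scoped value, so an authorization check deep in a backend call sees the same principal as the request that forked it, and the scope's try-with-resources guarantees the forked threads are joined or cancelled before the handler returns.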

Performance Updates

  • JEP 439: Generational ZGC: Improves application performance by extending the Z Garbage Collector (ZGC) to maintain separate generations for young and old objects. Generational ZGC helps improve developer productivity by lowering the overhead of required heap memory and garbage collection CPU for applications, as well as reducing the risks of allocation stalls.

Language Updates and Improvements

  • JEP 430: String Templates (Preview): Simplifies the development of Java programs by making it easy to express strings that include values computed at run time, and improves the security of programs that compose strings from user-provided values and pass them to other systems. In addition, the readability of expressions that mix text and expressions is enhanced, and non-string values computed from literal text and embedded expressions can be created without having to transit through an intermediate string representation. This helps increase developer productivity by making the Java language more readable, writable, and maintainable.
  • JEP 440: Record Patterns (Third Preview): Enhances the Java language by extending pattern matching to de-structure instances of record classes, as well as enabling the addition of nested patterns. This enables developers to extend pattern matching to more sophisticated and composable data queries, which helps increase productivity.
  • JEP 441: Pattern Matching for Switch: Expands the expressiveness and applicability of switch expressions and statements by allowing patterns to appear in case labels. In addition, the safety of switch statements is increased by requiring that pattern switch statements cover all possible input values, and all existing switch expressions and statements can continue to be compiled with no changes and executed with identical semantics. This helps developers streamline and increase the reliability of their projects by making the Java language more semantic so that complex data-oriented queries can be expressed concisely and safely.
  • JEP 443: Unnamed Patterns and Variables (Preview): Enhances the Java language by enabling unnamed patterns to match a record component without stating the component's name or type, as well as unnamed variables that can be initialized but not used. This helps simplify the development process by increasing the readability of record patterns and improving the maintainability of all code.
  • JEP 445: Unnamed Classes and Instance Main Methods (Preview): Helps simplify and improve the accessibility of the Java language so that educators can introduce programming concepts in a gradual manner. By avoiding the introduction of a separate beginner’s dialect of Java and a separate beginner’s toolchain, student programs can be compiled and run with the same tools that compile and run any Java program—helping students write basic programs in a concise manner and grow their code gracefully as their skills increase. This helps improve student developer productivity by enabling them to write their first programs without needing to understand language features designed for large programs.

Project Panama Preview Features

  • JEP 442: Foreign Function & Memory API (Third Preview): Introduces an API to enable Java programs to interoperate with code and data outside of the Java runtime. By efficiently invoking foreign functions (i.e., code outside the Java Virtual Machine [JVM]), and by safely accessing foreign memory (i.e., memory not managed by the JVM), the new API enables Java programs to call native libraries and process native data without requiring the Java Native Interface. This increases ease-of-use, flexibility, performance, and safety for developers.
  • JEP 448: Vector API (Sixth Incubator): Introduces an API to express vector computations that reliably compile at runtime to vector instructions on supported CPU architectures. This helps developers improve the performance of their projects by providing them with access to an API that is capable of clearly and concisely expressing a wide range of vector computations.

In addition to the new enhancements, Java 21 is supported by Java Management Service (JMS), an Oracle Cloud Infrastructure (OCI) native service, which was created to provide a unified console and dashboard to help organizations manage Java runtimes and applications on-premises or on any cloud.

And it's also worth noting that Oracle is extending its official site for Java developers to include the Java Playground, an online sandbox designed to allow users to type and run small Java code snippets without a local runtime or IDE. Developers can try out Java 21 features on the Playground immediately, the company said, from a browser, with the back end running on Oracle Cloud Infrastructure (OCI).

Posted by John K. Waters on September 27, 2023

Waratek Adds Log4J Scanner and API Security to its Java Security Platform

The Java security specialists at Dublin-based Waratek have released a new Log4J Vulnerability Scanner and added API security to their Java Security Platform, the company announced recently.

The upgrades were aimed at providing users of the platform, which is billed as a turnkey engine for enterprise-grade application and API security, with the ability to scale strategic risk mitigation in the enterprise. It's a combination designed to provide protection against bytecode and serialization vulnerabilities, classpath manipulation, and sandbox escapes that are unique to the Java Virtual Machine (JVM). The scanner was designed to give users an in-depth view of any remaining issues in their IT systems.

We first reported on the vulnerability in the Apache Logging Services project's Log4j at the end of 2021. It's a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Log4j 2, the widely used open-source Java logging library from the Apache Software Foundation. The vulnerability, known as "Log4Shell," affects Log4j 2 versions from 2.0-beta9 up to and including 2.14.1. "Affects." Present tense. Nearly two years after it was first discovered, the damned thing is still affecting millions of systems.

Waratek's scanner was designed to make it simple to scan all applications for Log4Shell quickly, sending non-invasive test payloads at a company's libraries and automatically building a table of the remaining Log4J instances and where to find them.
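What such an inventory scan looks like in practice, as an added example of my own rather than Waratek's code (the vendor's internals are not described beyond what it says above): the script walks a directory, opens every jar, war and ear, recurses into archives nested inside them, reads the log4j-core version from the Maven pom.properties the artifact ships, and checks whether JndiLookup.class is still there, since deleting that class from the jar was the standard mitigation for deployments that could not upgrade immediately. The sample archives are constructed in memory with fake class bytes, so the script runs offline; the file names, entry names and status labels are assumptions made for the example.

```python
"""Log4Shell exposure scanner for Java archives (added example, not Waratek's code).
Recurses into nested archives and reports every log4j-core copy with its version and
whether JndiLookup.class is still present (Finding.version is "unknown" if no metadata)."""
import io, os, re, sys, zipfile
from collections import namedtuple

LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
Finding = namedtuple("Finding", "path version status")  # path: outer file, nested entries joined by " -> "

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0), so pre-releases sort below 2.0.1."""
    nums = []
    for part in re.split(r"[.\-]", text):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple((nums + [0, 0, 0])[:3])

def log4j_version(zf):
    """Version string from the Maven pom.properties that log4j-core ships, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    m = re.search(r"^version=(\S+)", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
    return m.group(1) if m else None

def classify(version, has_jndi_lookup):
    """Status of one log4j-core copy: vulnerable | partially-fixed | jndi-lookup-removed | ok."""
    if not has_jndi_lookup:  # class deleted ('zip -q -d' mitigation): the lookup cannot run
        return "jndi-lookup-removed"
    if version is None:  # lookup present, version unknown: treat as exposed
        return "vulnerable"
    v = parse_version(version)
    if v <= (2, 14, 1):
        return "vulnerable"  # CVE-2021-44228
    if v == (2, 15, 0):
        return "partially-fixed"  # CVE-2021-45046 still applies
    return "ok"

def scan_archive(display_path, data, findings):
    """Inspect one archive given as bytes, recursing into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        if POM_PROPS in names or any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
            version = log4j_version(zf)
            findings.append(Finding(display_path, version or "unknown", classify(version, JNDI_LOOKUP in names)))
        for n in names:  # WEB-INF/lib jars, fat jars, vendored bundles
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(display_path + " -> " + n, zf.read(n), findings)
    return findings

def scan_tree(root):
    """Scan every archive under a directory on disk."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(ARCHIVE_SUFFIXES)):
            with open(os.path.join(dirpath, name), "rb") as fh:
                scan_archive(os.path.join(dirpath, name), fh.read(), findings)
    return findings

def make_zip(entries):
    """Constructed sample: in-memory zip from {name: bytes}; fake class bytes, no real Log4j."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def log4j_core_jar(version, with_jndi_lookup=True):
    entries = {POM_PROPS: f"artifactId=log4j-core\nversion={version}\n".encode(),
               LOG4J_CORE_PREFIX + "Logger.class": b"\xca\xfe\xba\xbe"}
    if with_jndi_lookup:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"
    return make_zip(entries)

def scan_samples():
    """Run the scanner over the constructed archives; findings come back in scan order."""
    samples = {
        "lib/log4j-core-2.14.1.jar": log4j_core_jar("2.14.1"),
        "lib/log4j-core-2.14.1-patched.jar": log4j_core_jar("2.14.1", with_jndi_lookup=False),
        "lib/log4j-core-2.15.0.jar": log4j_core_jar("2.15.0"),
        "apps/shop.war": make_zip({
            "WEB-INF/lib/log4j-core-2.17.1.jar": log4j_core_jar("2.17.1"),
            "WEB-INF/lib/legacy-bundle.jar": make_zip(  # ancient copy hidden two levels deep
                {"lib/log4j-core-2.0-beta9.jar": log4j_core_jar("2.0-beta9")}),
        }),
    }
    findings = []
    for path, data in samples.items():
        scan_archive(path, data, findings)
    return findings

if __name__ == "__main__":
    print(*(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()), sep="\n")
```

Run it with a directory argument to scan a real deployment. Two points a practitioner will want: the scan deliberately does not stop at 2.14.1, because 2.15.0 still carries CVE-2021-45046, and it inventories the bytes on disk rather than relying on request signatures, which the obfuscated forms of the exploit string (nested lookups such as ${${lower:j}ndi:...}) were written to slip past.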

"In 2022, we were the first company that released a Log4J patch, even faster than Oracle," said Waratek CEO Doug Ennis, in a statement. "Today, researchers warn that the infamous Log4J vulnerability is still present in far too many systems worldwide, and that attackers will be successfully exploiting it for years. With 80 percent of Log4Shell-impacted companies remaining vulnerable today, we recognized the immediate need to offer this security innovation to our customers."

Signature-based security approaches have worked well for simpler languages, the company points out, but languages like Java that are compiled into bytecode require expert-level domain knowledge to secure because of the unique characteristics of the Java programming language and its execution environment. When API security is added to the mix, the problem is compounded.

Industry watchers have estimated that more than 60% of companies using Java were affected by Log4J vulnerabilities. An estimated 41% of those companies reported that between 51% and 75% of their apps were affected. The Java security mavens at Waratek say they've found that 81% of companies report still having problems as a result of Log4J, and 70% of those surveyed still have not put a patch in place.

"For Java applications and APIs our unprecedented Java Security Platform helps security teams fill the knowledge gap on Java and address its unique security nuances, such as Insecure Deserialization, accurately and instantly," Ennis said.

Posted by John K. Waters on June 28, 2023

One on One with Automated Software Testing Expert Phil Japikse

The upcoming Visual Studio Live 2-Day Hands-On Training Seminar (June 5-6, online), organized by the hard-working folks at 1105 Media (my boss) promises to be a killer opportunity for developers to update their skills and knowledge on an increasingly important topic with the potential to make their lives much easier: automated software testing.

I don't usually promote events in this space, but after talking (via email) with the seminar/workshop's presenter, Phil Japikse, I couldn't help myself. Japikse is an impressive guy. He's been developing software for more than 35 years, and he's been working with .NET since the first betas! He's got an alphabet soup of certifications (Microsoft MVP, ASPInsider, MCSD, PSM II, PSD, PSPO, PST), and he's the Lead Director of the Cincinnati .NET User’s Group and the Cincinnati Software Architect Group, and he founded and runs the CincyDeliver conference. (Guess which city he's from.)

Japikse's day job is Chief Technology Officer at the Pintas & Mullins Law Firm, and he's co-author of the latest editions in the best-selling "Pro C#" book series (Apress), including Pro C# 10 with .NET 6: Foundational Principles (with Andrew Troelsen). You can follow him on Twitter. (He volunteers for the National Ski Patrol, which is very cool and explains his handle.)

JKW: What will you be covering in this workshop?

Japikse: We begin with an open discussion of the benefits (and possible friction points) of incorporating automated testing into your standard development practices. We also cover many of the tools used for automated testing in C# and .NET. This includes xUnit, MOQ, Machine Specifications (MSpec), and Microsoft PlayWright. Testing topics include unit testing (TDD and TED), mocking, integration testing, and UI testing.

JKW: Just to be clear, please define "automated software testing."

Japikse: Wikipedia defines it like this: "In software testing, test automation is the use of software separate from the software being tested to control the execution of tests and the comparison of actual outcomes with predicted outcomes." That’s not a bad definition, but it might be simpler to just say automated testing is the ability to execute tests and report the results without human intervention.

JKW: What are the different types of automated software tests?

Japikse: There are three main types we will be discussing in the workshop. Unit tests are tests that are very focused and test one particular unit of work, which in C# is a single function. Integration tests test an end-to-end process, like testing a repository for data access. User Interface tests are designed to test functionality by exercising the UI, which in our examples will be a browser.

JKW: What about TDD and TED?

Japikse: TDD stands for Test-Driven Development or Test-Driven Design. It’s the art of creating a test that confirms the behavior you need from the application, but before you develop that behavior. Since you haven’t written the code yet, the test fails. You then write the code to make the test pass. We will spend a good deal of time in the workshop on TDD.

TED is a term that a friend of mine started using years ago, and it stands for Test Eventual Development. It's used to describe the act of going back to already written software and adding tests. This tends to be more difficult and time-consuming than TDD. But in reality, there’s a lot more software that isn’t covered by tests than software that is. We will also cover how to add tests to existing software and the tricks that help this effort, such as mocking out dependencies and creating seams.

JKW: Software testing is an evolving practice affected by emerging development methodologies, tools, and trends (agile, shift left, AI). Where are we right now in that evolution related to tooling?

Japikse: For years developer testing meant running your app and banging on the keyboard, or creating a console app to test different parts of the application—or, more commonly, testing was left to the QA department. Because of the manual nature and lack of tooling, most developers didn’t do much testing besides simple app execution and some very rudimentary tests.

I remember when nUnit was first introduced into the .NET ecosystem. I was extremely excited because we (C# and VB.NET developers) finally had a tool to create automated tests. Since nUnit was introduced, the amount and quality of the available tools have grown exponentially. We now have tools to run a wide variety of automated tests, including unit, integration, and user interface. In addition, we can include automated testing in build and deploy pipelines.

JKW: Where are we right now in that evolution in terms of the involvement of developers in the process? In other words, what is their role today?

Japikse: I remember giving a lunch-and-learn on nUnit for a client shortly after it was released. I was teaching how to leverage nUnit to run and report the results of automated tests. Several of the developers were getting visibly upset with the topic. I stopped my lecture to ask them what was wrong. They all said that this was going to drastically increase the time it would take them to develop. I was confused since nUnit would drastically shorten the time to execute tests. They answered that they weren’t testing now. It wasn’t the tooling that was upsetting them, it was the thought of writing tests for their code that was the problem!

A common misconception is that creating automated testing increases the delivery time. There was a study done at Microsoft some years ago that looked at different teams. Some were using a test-first strategy, some were using a test-eventual strategy, and some groups were using traditional QA departments for their testing. Although the cycle time (the time to deploy a given feature) was slightly higher for those doing automated testing, the throughput (the number of features deployed) was much higher. This was because the quality of their work was much higher, and they had much less rework.

We all know it’s more interesting to work on new features and tedious and boring to fix bugs. If you aren’t including at least some automated testing in your development process, you are going to spend more time fixing bugs and less time building new features.

JKW: What are the chief benefits of incorporating automated testing into your development process?

Japikse: In addition to increasing the throughput and getting to work on new features, a direct benefit of automated testing is ensuring that the code we write works as we expect it to. Another (and more important) benefit is that you make sure the code we write doesn’t break any other code in the system.

JKW: Which projects and tests benefit the most from automated testing?

Japikse: All of them. The more complex or important the system is, the more testing it needs. Software that controls airplanes, for example, must be extremely well tested. One could argue that game software doesn’t need as much testing. It all depends on the business requirements for the application.

JKW: What are the top automated testing tools and why are they at the top of your list? (xUnit, MOQ, etc.)

Japikse: We now have many choices when it comes to automated test tools. In the .NET development space, there’s a host of free and open-source testing frameworks, including xUnit, NUnit, MSTest, MSpec, MOQ, Microsoft Fakes, Selenium, PlayWright, and plenty more.

My tools of choice are xUnit and MSpec for creating and executing unit and integration tests, MOQ for mocking dependencies and verifying behaviors, and PlayWright for UI testing. xUnit was the first framework to fully support .NET Core and is the next evolution of the unit testing frameworks. MSpec is for context specification style testing and was a major tool in my testing arsenal in the .NET framework space. It was recently updated to be compatible with .NET Core. MOQ has a long history in the C# space with rich mocking capabilities and behavior verification and has continued this trend with .NET Core. PlayWright is a new tool, at least for me, and I like the integration capabilities with xUnit.

JKW: How important is it to mock out dependencies when it comes to automated software testing?

Japikse: For unit tests, it’s vital. Unit tests must isolate a single unit of work and eliminate anything that can skew the results. For example, assume you have a method that calculates the sales tax on an item based on the country/state/county that they live in. If the method uses a repository to get the tax tables, and that repository call fails (e.g., the database is down), then the test will fail, but not because the logic for calculating the tax is wrong. It fails because it couldn’t access the database. It’s much better to mock out the dependency so the test is isolated to just the tax calculation. This also allows for testing different scenarios without having to modify the database records. Finally, it’s much more efficient to eliminate database calls when running automated tests.

JKW: Are organizations embracing automated testing with support for developers? How do developers feel about it?

Japikse: I don’t have any hard facts for you, but I feel like more companies are embracing automated tests. More and more developers I see at conferences and attending my trainings are at least familiar with the terms and tools but might be in different stages of adoption.

JKW: Finally, I'm wondering how important is automated testing expertise to the careers of developers today?

Japikse: When hiring, it’s a key factor I look for when someone says they are a senior developer.
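The isolation Japikse describes for the tax-calculation case, as an added example of mine rather than his workshop code, written in Python with unittest.mock; the same three tests in C# are xUnit facts over a Moq Mock<ITaxRateRepository> using Setup/Returns, Throws and Verify. The repository interface, the rates and the decision to fail closed when the lookup fails are assumptions made for the example.

```python
"""Isolating a unit under test from its database dependency (added example, not workshop code).

Mirrors the sales-tax scenario from the interview with unittest.mock. The repository
interface, the rates and the fail-closed behaviour are assumptions for the example."""
from decimal import Decimal, ROUND_HALF_UP
from unittest.mock import Mock


class TaxRateRepository:
    """The real implementation would query the tax tables in a database; only the shape matters."""
    def rate_for(self, country, state, county):
        raise NotImplementedError


class TaxLookupError(Exception):
    """The rate could not be determined. The caller must not fall back to charging 0%."""


class SalesTaxCalculator:
    def __init__(self, repository):
        self.repository = repository

    def tax_for(self, price, country, state, county):
        """Tax on `price`, rounded half-up to the cent; fails closed on any lookup problem."""
        try:
            rate = self.repository.rate_for(country, state, county)
        except Exception as exc:  # outage, timeout, driver error: not a 0% rate
            raise TaxLookupError(f"rate lookup failed for {country}/{state}/{county}") from exc
        if rate is None or rate < 0:
            raise TaxLookupError(f"no usable rate for {country}/{state}/{county}: {rate!r}")
        return (Decimal(price) * Decimal(rate)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def repository_mock():
    # spec= makes the mock reject calls to methods the real interface does not have,
    # so a typo in the code under test fails the test instead of silently passing.
    return Mock(spec=TaxRateRepository)


def test_applies_rate_from_repository():
    repo = repository_mock()
    repo.rate_for.return_value = Decimal("0.0725")  # Moq: Setup(...).Returns(...)
    tax = SalesTaxCalculator(repo).tax_for("19.99", "US", "OH", "Hamilton")
    assert tax == Decimal("1.45")
    repo.rate_for.assert_called_once_with("US", "OH", "Hamilton")  # Moq: Verify(..., Times.Once())
    return tax


def test_database_outage_is_not_a_zero_rate():
    repo = repository_mock()
    repo.rate_for.side_effect = ConnectionError("database is down")  # Moq: Setup(...).Throws(...)
    try:
        SalesTaxCalculator(repo).tax_for("19.99", "US", "OH", "Hamilton")
    except TaxLookupError as err:
        assert isinstance(err.__cause__, ConnectionError)
        return True
    raise AssertionError("an outage must surface as TaxLookupError, not as a tax amount")


def test_scenarios_without_touching_the_database():
    """Rates that may not exist in the real table yet: a tax-free region and a new county."""
    repo = repository_mock()
    repo.rate_for.side_effect = lambda country, state, county: {
        ("US", "OR", "Multnomah"): Decimal("0"),
        ("US", "TX", "Travis"): Decimal("0.0825"),
    }[(country, state, county)]
    calc = SalesTaxCalculator(repo)
    return calc.tax_for("100.00", "US", "OR", "Multnomah"), calc.tax_for("100.00", "US", "TX", "Travis")


if __name__ == "__main__":
    for test in (test_applies_rate_from_repository, test_database_outage_is_not_a_zero_rate,
                 test_scenarios_without_touching_the_database):
        print(test.__name__, "->", test())
```

The second test is the one the answer above is really about: with the real repository, a database outage would fail the test for the wrong reason; with the mock, the outage is the scenario under test, and the assertion is that the calculator reports it rather than quietly charging 0% tax.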

Posted by John K. Waters on May 15, 2023

Open-Source Leadership to the European Commission: CRA Rules Pose Tech and Economic Risks to EU

New cybersecurity rules for digital products proposed by the European Commission pose "unnecessary economic and technological risks to the European Union," according to a group of 12 open-source software leadership organizations.

In an open letter to the Commission published last week, the group stated: "We write to express our concern that the greater open-source community has been underrepresented during the development of the Cyber Resilience Act (CRA) to date and wish to ensure this is remedied throughout the co-legislative process by lending our support."

And by "support," I assume they meant giving the Commission a tutorial on the way open-source works.

As currently written, the CRA would impose a number of new requirements on hardware manufacturers, software developers, distributors, and importers who place digital products or services on the EU market. The list of proposed requirements includes an "appropriate" level of cybersecurity, a prohibition on selling products with any known vulnerability, security by default configuration, protection from unauthorized access, limitation of attack surfaces, and minimization of incident impact.

The list of proposed rules also includes a requirement for self-certification by suppliers of software to attest conformity with the requirements of the CRA, including security, privacy, and the absence of known vulnerabilities (CVEs, Common Vulnerabilities and Exposures entries).

The problem with these rules, explained Mike Milinkovich, executive director of the Eclipse Foundation, in a blog post, is that they break the "fundamental social contract" that underpins open-source, which is, simply stated, that the producers of that software provide it freely but accept no liability for its use and provide no warranties.

"Every open-source license contains 'as is,' no liability, and no warranty clauses," Milinkovich wrote. "I’ve always assumed that this is simple common sense: if I provide you with a working program that you can study, use, modify, and further distribute freely for any purpose, why should I accept any liability for your (mis)use of that program? It is the companies which commercialize the technology and make a business from it who need to accept liability and provide warranties to their paying customers, not the open-source projects which they have freely consumed. The CRA fundamentally breaks this understanding by legislating non-avoidable liability obligations to producers of free software."

The Eclipse Foundation is one of the world's largest open-source software leadership organizations. It moved its legal residence from the United States to Belgium in 2021. The list of co-signers of the letter to the Commission includes the Associação de Empresas de Software Open Source Portuguesas (ESOP), CNLL, The Document Foundation (TDF), European Open-Source Software Business Associations (APELL), COSS - Finnish Centre for Open Systems and Solutions, Linux Foundation Europe, OpenForum Europe (OFE), Open-Source Business Alliance (OSBA), Open-Source Initiative (OSI), Open Systems and Solutions (COSS), OW2, and the Software Heritage Foundation.

The groups collectively offered their expertise to the EU and member states to make "constructive changes to the legislation in support of strengthening cybersecurity without harming the open-source software community, which underpins commerce and public benefit concerns alike."

"We deeply share the CRA’s aim to improve the cybersecurity of digital products and services in the EU and embrace the urgent need to protect citizens and economies by improving software security," they stated in their letter. "However, our voices and expertise should be heard and have an opportunity to inform public authorities' decisions. If the CRA is, in fact, implemented as written, it will have a chilling effect on open-source software development as a global endeavor, with the net effect of undermining the EU’s own expressed goals for innovation, digital sovereignty, and future prosperity."

The leadership organizations urged the Commission to engage with the open-source community and take its concerns into account as they consider the implementation of the CRA. They even suggested how that might look with a list of recommendations:

  • Recognize the unique characteristics of open-source software and ensure that the Cyber Resilience Act does not unintentionally harm the open-source ecosystem.
  • Consult with the open-source community during the co-legislative process.
  • Ensure that any development under the CRA takes into account the diversity of open and transparent open-source software development practices.
  • Establish a mechanism for ongoing dialogue and collaboration between the European institutions and the open-source community, to ensure that future legislation and policy decisions are informed.

The CRA, while well-intentioned, shows in its current form a fundamental lack of understanding of open-source. No one is saying we aren't facing significant cybersecurity threats, and no one is saying open-source is immune to them. The Apache Log4j remote code execution vulnerability, revealed in late 2021, showed that a flaw in a single widely used open-source component can have a real impact. But the Commission would do well to accept the input of the open-source community. As the leadership groups noted in their letter, open-source represents more than 70% of the software present in products with digital elements in Europe.

"The software and other technical artefacts produced by us are unprecedented in their contribution to the technology industry along with our digital sovereignty and associated economic benefits on many levels," they wrote. "With the CRA, more than 70% of the software in Europe is about to be regulated without an in-depth consultation."

Posted by John K. Waters on April 27, 2023