Only Software matters

Experiences in software development

Posts Tagged ‘software’

My advice to (junior) developers about their career

Posted by Patroklos Papapetrou on February 7, 2014


Over the last couple of months I have met several young developers who are either looking for their first job or are still trying to finish their bachelor's degree. Many of them asked me for my advice on how they can make their first steps in a software development career. It's really nice to see young people care so much about their career. I don't remember the guys of my age having the same mentality. I assume it's the economic crisis that made all these young people act so maturely, but I like it 🙂

In this post I summarize my advice to all these "young" and ambitious developers. Don't be fooled by the word young. Even if you already have 10 years of hands-on development behind you, you're still young. At least, that's how I feel.

The first thing they ask me is which language or framework they should learn. I could give you a hundred different answers, but the key is not which language you already know but how quickly you can learn a new one. Do you think that Google, or eBay, or Amazon care whether you're a Java or JEE or JavaScript expert? Send your CV and have an interview with some techie guys … 🙂

IT companies should hire characters and train skills. OK, I know that this is not always the case, but sooner or later nobody will ask you to list all the programming languages or frameworks you know. If you are a "Lucky Luke" character, no one will ever want you in the team. The age of super-hero programmers has passed and I don't see it ever coming back. Teamwork is one of the keys to success and you should be prepared for that. And what about skills? If you can't learn a new tool, a new language or a new framework, you still have enough time to pick a different career. Companies will invest in you to teach you new skills, but you should be a fast learner and be able to apply these new technical skills in your everyday work. Think for a second about the definition of "investment". Yes, you are right. Companies are not offering this education as a gift. They expect you to pay back this new knowledge by increasing your skills, your productivity and eventually the company's value.

Another great idea is to be open-source friendly. Pick an open-source tool you like, know well, or just find interesting, and join the community. Try to be active, participate in forums, and why not, contribute to the project. There's nothing better than showing your future employers your real work in an open-source project. Moreover, open a GitHub account, if you haven't done so already. Push your personal projects. Let others see that you're passionate about software development and that you don't just consider it a way of making some money. And since you have your GitHub account, read other people's code. It's a great way to open up your mind and learn new things about languages you've never seen.

Be agile! Learn how to write clean code, no matter which language you're writing in. Learn how to respect yourself and the other developers on your team. Your code reflects your personality. Messy code will probably make your colleagues think that you're the same in your personal life. You don't want to hear "WTF is this?" from your co-workers when they read or review your last commit. Learn design patterns and refactoring. You can apply them in almost every well-known language and they will surely help you write cleaner code.

Join local user groups and go to some conferences. It's incredible how many things you learn when you meet people from different cultures, backgrounds and areas of knowledge. You have nothing to lose. On the contrary, I can assure you that it's a win-win situation. Not to mention that you will increase your social circle and maybe improve your chances of getting a new job.

Finally build your brand. I may sound like a marketing-guy, but I’m not. Advertise yourself with your achievements, even if you’re the millionth guy that did it. It doesn’t matter. Let others know your interests and that you’re active in software development. LinkedIn, Twitter and other professional networks can help a lot. Start blogging and post little articles about your experience and knowledge, even if they’re for beginners. Again, it doesn’t matter!!! You’ll find yourself very soon posting more and more advanced stuff. 

And one last thing… Don't you ever stop learning new things. You decided to become a software engineer. This is your destiny: to continuously learn new things.


Posted in software | 1 Comment

Fixing common Java security code violations in Sonar

Posted by Patroklos Papapetrou on September 21, 2012


This article aims to show you how to quickly fix the most common Java security code violations. It assumes that you are familiar with the concept of code rules and violations and with how Sonar reports on them. If you haven't heard these terms before, you might take a look at Sonar Concepts or the forthcoming book about Sonar for a more detailed explanation.

To get an idea: during Sonar analysis, your project is scanned by many tools to ensure that the source code conforms with the rules you've defined in your quality profile. Whenever a rule is violated… well, a violation is raised. With Sonar you can track these violations in the violations drilldown view or in the source code editor. There are hundreds of rules, categorized by their importance. I'll try, in future posts, to cover as many as I can, but for now let's take a look at some common security rules and violations. There are two pairs of rules (all of them ranked as critical in Sonar) that we are going to examine right now.

1. Array is Stored Directly (PMD) and Method returns internal array (PMD)

These violations are raised when an internal array is stored or returned directly by a method. The following example illustrates a simple class that violates both rules: whoever holds a reference to the array passed to setMonths, or returned by getMonths, shares it with the object and can change the object's state from outside.

public class CalendarYear {
 private String[] months;
 public String[] getMonths() {
    return months;    
 }
 public void setMonths(String[] months) {
    this.months = months;
 }
}

To eliminate them you have to clone the array before storing or returning it, as shown in the following class implementation, so that no one can modify or obtain the original data of your class, only a copy of it.

public class CalendarYear {
 private String[] months;
 public String[] getMonths() {
    return months.clone();    
 }
 public void setMonths(String[] months) {
    this.months = months.clone();
 }
}
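The following class is an added example, not code from the original post or from PMD, and shows why the rule matters rather than just how to silence it: the mutable state is a constructed access-control list (the class name AllowedRoles and its methods are assumptions for the sake of illustration). The leaky getter is kept alongside the defensive one so that the two behaviours can be compared in main.

```java
import java.util.Arrays;

// Added example (not from the original post): why leaking an internal array
// matters, using a constructed access-control list as the mutable state.
public class AllowedRoles {
    private final String[] roles;

    public AllowedRoles(String[] roles) {
        // Defensive copy on the way in: the caller's array can no longer
        // change our state after construction. Arrays.copyOf fails fast on
        // a null argument instead of leaving a null field behind.
        this.roles = Arrays.copyOf(roles, roles.length);
    }

    // Leaky version, kept only to show the problem (this is what PMD flags).
    public String[] getRolesUnsafe() {
        return roles;
    }

    // Defensive version: callers get a copy they can modify freely without
    // affecting this object.
    public String[] getRoles() {
        return roles.clone();
    }

    public boolean isAllowed(String role) {
        for (String r : roles) {
            if (r.equals(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[] initial = {"viewer"};
        AllowedRoles acl = new AllowedRoles(initial);

        // 1. Mutating the array passed to the constructor has no effect,
        //    because the constructor copied it.
        initial[0] = "admin";
        System.out.println("after mutating ctor arg, admin allowed: " + acl.isAllowed("admin"));

        // 2. Mutating the array returned by the defensive getter has no effect either.
        acl.getRoles()[0] = "admin";
        System.out.println("after mutating getRoles(), admin allowed: " + acl.isAllowed("admin"));

        // 3. Mutating the array returned by the leaky getter rewrites the ACL:
        //    every caller that obtained the reference shares the object's state.
        acl.getRolesUnsafe()[0] = "admin";
        System.out.println("after mutating getRolesUnsafe(), admin allowed: " + acl.isAllowed("admin"));
    }
}
```

The first two prints report that "admin" is not allowed; only the third, which goes through the leaky getter, flips the answer. For collections the same idea applies: return a copy or an unmodifiable view rather than the internal list.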

2. Nonconstant string passed to execute method on an SQL statement (FindBugs) and A prepared statement is generated from a nonconstant String (FindBugs)

Both rules are related to database access via JDBC. Generally there are two ways to execute an SQL command over a JDBC connection: Statement and PreparedStatement. There is a lot of discussion about their pros and cons, but that is out of the scope of this post. Let's see how the first violation is raised by the following source code snippet.

Statement stmt = conn.createStatement();
String sqlCommand = "Select * FROM customers WHERE name = '" + custName + "'";
stmt.execute(sqlCommand);

You've already noticed that the sqlCommand argument passed to the execute method is built dynamically at run-time, which this rule does not allow. A similar situation causes the second violation.

String sqlCommand = "insert into customers (id, name) values (?, ?)";
PreparedStatement stmt = conn.prepareStatement(sqlCommand);

You can overcome these problems in three different ways. You can either use StringBuilder or the String.format method to create the value of the string variable. If applicable, you can define the SQL command as a constant in the class declaration, but only in the case where the SQL command does not need to change at runtime. Let's rewrite the first code snippet using StringBuilder:

Statement stmt = conn.createStatement();
stmt.execute(new StringBuilder("Select * FROM customers WHERE name = '").
                         append(custName).
                         append("'").toString());

and using String.format

Statement stmt = conn.createStatement();
String sqlCommand = String.format("Select * from customers where name = '%s'", custName);
stmt.execute(sqlCommand);

For the second example you can just declare the sqlCommand as a constant, as follows:

private static final String SQLCOMMAND = "insert into customers (id, name) values (?, ?)";
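One caveat a practitioner should keep in mind: however the string is assembled (concatenation, StringBuilder or String.format), the customer name still ends up inside the SQL text, so the query the database parses depends on the input. What actually removes that dependency is keeping the SQL text constant and passing the value as a bound parameter of a PreparedStatement. The class below is an added example, not code from the original post or from FindBugs; the class name CustomerDao, the constant names, the method names, and the idea that a JDBC URL is supplied as a command-line argument are assumptions. Only the customers(id, name) table comes from the post's snippets.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the original post). Contrasts reshaping the query
// string with String.format against binding the value as a parameter.
public class CustomerDao {

    // Constant SQL text: satisfies the FindBugs rules and, because the value
    // is bound with setString instead of spliced into the text, the database
    // never interprets the customer name as part of the SQL.
    private static final String SELECT_BY_NAME =
            "SELECT id, name FROM customers WHERE name = ?";
    private static final String INSERT_CUSTOMER =
            "INSERT INTO customers (id, name) VALUES (?, ?)";

    private final Connection conn;

    public CustomerDao(Connection conn) {
        this.conn = conn;
    }

    // Equivalent of the post's String.format rewrite: the name is still
    // inlined into the SQL text, so the text changes shape with the input.
    static String formatted(String custName) {
        return String.format("SELECT * FROM customers WHERE name = '%s'", custName);
    }

    public List<String> findByName(String custName) throws SQLException {
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SELECT_BY_NAME)) {
            ps.setString(1, custName); // passed as data; quoting is the driver's job
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    public int insert(long id, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT_CUSTOMER)) {
            ps.setLong(1, id);
            ps.setString(2, name);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // A perfectly legitimate name containing a quote: the formatted text
        // is no longer valid SQL, while the bound parameter goes through unchanged.
        String name = "O'Brien";
        System.out.println(formatted(name));

        // Assumed: a JDBC URL for an existing database with a customers(id, name)
        // table is passed as the first argument; no driver is bundled here.
        if (args.length > 0) {
            try (Connection conn = DriverManager.getConnection(args[0])) {
                CustomerDao dao = new CustomerDao(conn);
                dao.insert(1L, name);
                System.out.println(dao.findByName(name));
            }
        }
    }
}
```

Running it without arguments only prints the formatted query, which is enough to see the unbalanced quote; with a JDBC URL it also inserts and reads back the same name through bound parameters, where the quote needs no special handling.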

There are more security rules, such as the blocker Hardcoded constant database password, but I assume that nobody still hardcodes passwords in source code files…

In the following articles I'm going to show you how to adhere to performance and bad practice rules. Until then, I'm waiting for your comments or suggestions.

Posted in java, quality, software, sonar | 8 Comments

How to become a great software developer (via codeshite)

Posted by Patroklos Papapetrou on September 5, 2011


Start with design patterns – Always start with a design pattern, then try to make your problem fit it.  Ideally start with the pattern you have most recently read about as this is most likely to be the best one. Do programming Katas – Repeatedly solving the same simple problem is the best way to improve your coding skills.  The faster you can do it, and the more you sense a feeling of 'flow' when solving this problem, the better a developer you a … Read More

via codeshite

Posted in software | 1 Comment

5+1 Sonar Plugins you must not miss

Posted by Patroklos Papapetrou on July 10, 2011


Sonar, in my humble opinion, is the leading system for helping development teams track, manage and eventually enhance the overall quality of their code and, obviously, of their software products/projects. To be honest, this is not a post describing either Sonar's features or the necessity of such a tool for every developer who respects his time and efforts. If you want to read such an analysis, see my related post To Sonar or Not to Sonar. In this article I briefly present 5+1 plugins that every Sonar installation should have. I would like to clarify, though, some exceptions I made prior to my final choice. I have excluded all plugins that have to do with additional languages and IDEs, to keep this post as objective as I can. I have also excluded all commercial plugins, for obvious reasons. With these assumptions I have limited my selection to the following categories:
  • Additional Metrics
  • Governance
  • Integration
  • Visualization / Reporting
Sonar itself comes with a variety of features that cover most of the needs of a software development team. However, I consider the following plugins essential, especially for those who have adopted or are trying to adopt agile practices. To be honest, it was very difficult to select only 6 plugins!!
1. Hudson / Jenkins plugin
Although Sonar analysis can easily be triggered from several build tools (Maven, Ant etc.), I strongly believe that its native integration with the most famous open source CI server makes it an important part of the continuous integration / deployment practice. The configuration is extremely easy and the proposed best practice is to trigger Sonar in nightly builds. Team members can track software quality day by day, automatically, without worrying about when a new analysis should run.
2. JaCoCo plugin
Unit test results, with drill-down analysis, line and branch coverage, running and failed tests are features implemented in Sonar core and cover in depth all aspects of the unit testing practice. But, as there is always a "but", what about integration tests? What if we want separate measures for unit and integration tests? Here comes the JaCoCo plugin to save our time and money. Although JaCoCo is an alternative to Cobertura (the default Sonar coverage tool), it can be configured to display metrics only for integration tests. There is a great article that explains in detail how we can use it and get the same analysis for integration tests as for unit tests.
3. Useless Code plugin
It may look similar to the Sonar core feature named Duplicate Code, but it adds some more metrics, which I think are very useful especially for large or legacy systems. In general it measures how many lines can be removed from your code. It reports the number of unused private methods that can be safely removed and the number of unused protected methods that exist in the code and can be removed after some more careful code examination. Finally, it provides some more details about code duplication, reporting how duplicate lines are formed (i.e. x blocks of y lines).
4. SIG Maintainability Model plugin

This plugin, as its name implies, is an implementation of the Software Improvement Group (SIG) Maintainability Model. It reports a ranking, from -- (very bad) to ++ (very good), on the following base indicators: Analysability, Changeability, Stability and Testability. The core idea behind this ranking is to measure a series of base metrics such as Lines of Code (LOC), Duplications, Unit Tests, Complexity and Unit Size. Each of these metrics is then accounted into some of the mentioned indicators, and the final result represents the overall maintainability of the project. We can see the results of this analysis in a graphical (spider) presentation with all four axes of the model. With a glance at this graph you get a view that is global and detailed at the same time of how easy it is to change and maintain your codebase. For me it is the first index I check every morning, and if something is not + or ++ then we have definitely done something wrong 😉

5. Quality Index plugin
Have you ever wanted to check a single number (indicator) and understand how healthy your project is? I am sure you have!! Well, the Quality Index plugin is exactly what you are looking for. The plugin combines four weighted axes of quality (complexity, coding violations, style violations, test coverage) and produces a ranking between 0 (lowest) and 10 (highest). Moreover, it calculates a method complexity factor based on the complexity axis mentioned above. Have you ever tried to get a ranking of 10 with this plugin? I think it's worth the effort! 🙂

6. Technical Debt plugin
Last, but not least, the plugin that reports on the interest you have to pay as a developer, as a team, as a company. Technical debt is a term coined by Ward Cunningham to remind us that if we don't pay our interest from time to time, then it is for sure that eventually this will make our software unmaintainable, and hard to add new features to or even to find the root cause of a defect in. The plugin, which has a very powerful configuration, represents technical debt in four dimensions.

  • Debt Ratio: the percentage of the current technical debt relative to the maximum possible technical debt.
  • Cost to reimburse: the cost, in your currency, to pay all interest and clean up your code.
  • Work to reimburse: the same as above, measured in man-days.
  • Breakdown: the distribution over the following axes: Duplication, Violations, Complexity, Coverage, Documentation and Design.

Be sure to check its measures, to avoid finding yourself in a bad situation like spaghetti code 🙂

I am pretty sure that there are plenty of interesting Sonar plugins so please feel free to post your comments with your list of them.

Posted in open source, quality, software, sonar | 4 Comments
