The document discusses various static code analysis features available in IntelliJ IDEA, including code inspections, JSR annotations, duplicate detection, stack trace analysis, dataflow analysis, dependency analysis, and more. It provides examples of how to use annotations like @Nullable, @Pattern, and @Language. It also covers dependency structure matrix, UML generation, and how different features can be used at different stages of the software development lifecycle.
Cracking JWT tokens: a tale of magic, Node.js and parallel computing - WebReb... (Luciano Mammino)
Learn how you can use some JavaScript/Node.js black magic to crack JWT tokens and impersonate other users or escalate privileges. Just add a pinch of ZeroMQ, a dose of parallel computing, a 4 leaf clover, mix everything applying some brute force and you'll get a powerful JWT cracking potion!
Cracking JWT tokens: a tale of magic, Node.js and parallel computing - FullSt... (Luciano Mammino)
Learn how you can use some JavaScript/Node.js black magic to crack JWT tokens and impersonate other users or escalate privileges. Just add a pinch of ZeroMQ, a dose of parallel computing, a 4 leaf clover, mix everything applying some brute force and you'll get a powerful JWT cracking potion!
Babel is a general-purpose JavaScript compiler that allows code written for modern versions of JavaScript to be compiled into a backwards-compatible format that can run on older JavaScript environments. It uses parsing, traversal of an abstract syntax tree (AST), and code generation to transform code. Key parts of Babel include its parser, a types module for working with AST nodes, a visitor pattern for traversing nodes, and the ability for third-party code (plugins) to transform the AST during parsing.
Good and Bad Code
The Broken Window Theory
The Grand Redesign in the Sky
The Sushi Chef Rule
The Hotel Room Rule
The Boy Scout Rule
OOP Patterns and Principles
SOLID Principles
How to measure clean code?
Tools
This document provides an overview of LLDB, an open-source debugger developed by Apple. It discusses LLDB's architecture, how it uses Clang and is scriptable/pluggable. It also summarizes how LLDB sets breakpoints, evaluates expressions by running on the target process, and prints structured variables using Clang type representations. Testing for LLDB consists of around 20 test cases written in Python. There is opportunity for external contributors to help with areas like testing and improving the CLI.
This summary provides an overview of the key points about Groovy 2.0 discussed in the document:
1. Groovy 2.0 features a more modular architecture with smaller JAR files for individual features, as well as the ability to create custom extension modules.
2. It includes support for Java 7 features like binary literals, underscores in literals, and multicatch exceptions.
3. The new static type checking functionality in Groovy 2.0 aims to catch errors like typos, missing methods, and wrong assignments at compile time rather than runtime.
Let's look at writing a new Struts 2 application from square one, using the Yahoo User Interface (YUI) Library on the front end and Struts 2 on the back end. YUI provides the glitz and the glamour, and Struts 2 provides the dreary business logic, input validation, and text formatting.
Vladimir Kochetkov discusses automated patching for vulnerable source code. He describes how symbolic execution and generating a symbolic execution context graph (SECG) can be used to understand vulnerabilities and generate patches. The SECG represents the control flow graph of a program with additional context about symbolic variables. This allows finding formal symptoms of vulnerabilities, generating attack vectors, and eliminating symptoms through patching, such as adding validation, sanitization, or typing to make the minimum necessary changes while preserving functionality. He demonstrates this process with an SQL injection example and discusses generating patches for other attack types like buffer overflows.
PVS-Studio is there to help CERN: analysis of the Geant4 project (PVS-Studio)
The Geant4 project continues to develop, so it's really interesting to recheck it with the PVS-Studio static code analyzer. This time we'll check version 10.2 (previously, we checked the 10.0 beta version).
This document provides an overview of Groovy, a dynamic language for the Java Virtual Machine. It discusses Groovy's features like properties, closures, and integration with Java. The document outlines what's new in Groovy 1.5, including Java 5 features like annotations and generics. It also covers how to integrate Groovy in applications using mechanisms like the GroovyShell and GroovyClassLoader. The presentation aims to help attendees learn about Groovy and how they can use it in their projects.
"Groovy 2.0 and beyond" presentation given at the Groovy/Grails eXchange conference.
Video can be seen here:
http://skillsmatter.com/podcast/groovy-grails/keynote-speech
The document discusses new features and enhancements in Groovy 2, including modularity improvements, extension modules, Java 7 support like invoke dynamic and binary literals, and static type checking. Modularity changes allow Groovy to be split into a smaller core JAR and optional modules. Extension modules allow contributing new methods. Static type checking adds compile-time checks for errors.
Dmitri Nesteruk (Дмитрий Нестерук), Design Patterns in the 21st Century (Sergey Platonov)
The document discusses several design patterns including decorator, composite, specification, and builder patterns. It provides examples of implementing a simple string decorator to add split and length methods. It also shows a composite pattern example using neurons and layers. The specification pattern is demonstrated for flexible filtering of product objects. Finally, fluent and Groovy-style builders are explored for constructing HTML elements in a cleaner way.
Alexey Sintsov - SDLC - try me to implement (DefconRussia)
This document discusses implementing security best practices within an agile software development lifecycle (SDLC). It recommends that security requirements and testing be integrated into each sprint or iteration. The security team would provide requirements, guides, tools, and training to development teams. They would conduct a final security review before software releases. DevOps practices could help automate security processes and configuration of cloud platforms. The overall approach is to distribute security responsibilities to development teams with support from the centralized security team.
How to write clean & testable code without losing your mind (Andreas Czakaj)
If you create software that is to be developed continuously over several years you'll need a sustainable approach to code quality.
In our early days of AEM development, however, we used to struggle with code that is rigid, hard to test and full of LOG.debug calls.
In this talk I will share some development best practices we have found that really work in actual AEM based software, e.g. to achieve 100% code coverage and provide high confidence in the code base.
Spoiler alert: no new libraries, frameworks or tools are required - once you know the ideas, plain old TDD and the S.O.L.I.D. principles of Clean Code will do the trick.
by Andreas Czakaj, mensemedia Gesellschaft für Neue Medien mbH
Presented at the adaptTo() 2017 conference in Berlin (https://adapt.to/2017/en/schedule/how-to-write-clean---testable-code-without-losing-your-mind.html).
Presentation video can be found on YouTube (https://www.youtube.com/watch?v=JbJw5oN_zL4)
Sandboxie process isolation with kernel hooks (KarlFrank99)
Sandboxie is a process isolation sandbox that controls access to kernel resources and window messages. It uses kernel drivers to hook important kernel objects and APIs to restrict access for sandboxed processes. The driver intercepts attempts by sandboxed processes to access resources and redirects them to secure driver interfaces. The driver also hooks window message APIs in win32k.sys to filter messages from sandboxed applications to other processes. This allows sandboxed processes to run in a restricted environment isolated from the rest of the system.
Visualizing MVC, and an introduction to Giotto (priestc)
The document discusses the Model-View-Controller (MVC) pattern and its core components - the model, view, and controller. It provides examples of how each component works together in a web application. The model handles the application's data and business logic. The view displays the data to the user. The controller links the model and view by handling user input and calling the model and view functions. The document also discusses related concepts like middleware that process data between components, caching for performance, and how MVC is applied in different frameworks and applications.
The document discusses weaknesses in random number generation and pseudorandom number generation (PRNG) that can be exploited by attackers. It provides examples of programs that used weak PRNGs, allowing session IDs and keys to be guessed. Lessons learned are that numbers used to derive keys and IDs must be truly random and unpredictable, and PRNGs must be cryptographically secure. Two types of randomness are defined: true randomness from unpredictable sources, and pseudorandomness from cryptographically secure PRNGs seeded with true randomness.
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ... (Christopher Frohoff)
Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
The document discusses the SOLID principles of object-oriented design, which are Single Responsibility Principle, Open/Closed Principle, Liskov Substitution Principle, Interface Segregation Principle, and Dependency Inversion Principle. It provides examples to illustrate each principle, including how to apply them to promote code reuse, prevent duplicate code, and support adaptive software development. The principles are aimed at creating flexible, maintainable and reusable software designs through concepts like high cohesion, loose coupling, abstraction, and separation of concerns.
This document provides an overview of moving from C++ to Objective-C. It discusses key differences in syntax between the two languages, including differences in class and method declarations. It also covers Objective-C specific topics like protocols, properties, memory management using retain/release, and the role of the NSAutoreleasePool in autoreleasing objects. The document is intended to act as a bridge for developers familiar with C++ to understand fundamental concepts for working with Objective-C.
This document discusses Java bytecode fundamentals including:
- Bytecode is composed of one-byte instructions with ~200 opcodes in use
- The javap tool can be used to disassemble classes and view bytecode
- The Java Virtual Machine is stack-based and each thread has a stack frame containing an operand stack and local variables
- Bytecode instructions manipulate the stack and local variables to implement method calls and object initialization
New methods for exploiting ORM injections in Java applications (Mikhail Egorov)
This document summarizes new methods for exploiting ORM injections in Java applications. It begins with introductions to ORM, JPA, and common ORM libraries. It then outlines several exploitation techniques, including using special functions in EclipseLink and TopLink to call database functions, abusing string handling and quote processing in OpenJPA, and leveraging features in Hibernate and specific databases like string escaping, quoted strings, magic functions, and Unicode delimiters. Code examples and demonstrations are provided for most of the techniques.
This document discusses strategies for testing code that is difficult or seemingly impossible to test, known as "untestable code". It provides examples of how to address issues like object construction that relies on external resources, dependencies, private methods, and language limitations. Specific techniques include using autoloading, custom stream wrappers, mocking databases/web services, reflection, and generative programming with frames to dynamically generate test and production code. The overall message is that with the right approaches, even legacy or "untestable" code can be made testable.
Android JNI/NDK allows developers to use native code like C/C++ code in Android applications. It does this through the Java Native Interface (JNI) which provides a way to create Java objects and call Java methods from native code. The Native Development Kit (NDK) includes tools to compile C/C++ code for the Android platform. JNI allows accessing native methods and data types from Java code. It provides functions for loading native libraries, registering native methods, and manipulating objects, strings, classes and fields between the Java and native environments. Exceptions must be handled when using JNI to ensure stable applications.
The document discusses building testable PHP applications. It covers topics like testing code, testable architecture, dependency injection, and static code analysis tools like PHP Code Sniffer, PHP Mess Detector, and PHP Copy Paster Detector. The document emphasizes that writing tests and designing for testability leads to fewer bugs and more maintainable code. It provides examples of unit testing and recommends test-driven development practices.
The document discusses various techniques for improving Java application performance, including:
1. Using tools like JVisualVM and JConsole to analyze performance bottlenecks and determine where to focus optimization efforts.
2. Customizing the Java runtime environment through JVM options and garbage collection settings.
3. Following programming tips like using object scopes and final modifiers efficiently, choosing appropriate collection types, leveraging concurrency constructs properly.
4. Reading further on techniques involving Java I/O, NIO, locks, and lock-free programming.
This document discusses various tools for improving JavaScript code quality, including linters, code coverage tools, and tools for measuring code complexity. It provides examples of using JSHint as a linter, Istanbul for code coverage, and JSComplexity for measuring complexity. The document also discusses using these tools with pre-commit hooks to enforce code quality standards before code is committed. Finally, it discusses how these various tools can work together in a multi-layered approach to defense-in-depth for code quality.
Pro TypeScript, ch03: Object Orientation in TypeScript (Seok-joon Yun)
The document discusses object-oriented programming concepts in TypeScript such as classes, inheritance, polymorphism, and mixins. It provides code examples of implementing interfaces and classes to demonstrate inheritance and composition. Mixins are discussed as a way to reuse behavior across class hierarchies by applying multiple base classes to a derived class using a mixin function. The examples show how to define mixin behaviors as classes and apply them to implementing classes to achieve multiple inheritance in TypeScript.
PVS-Studio analyzes source code and finds various errors and code quality issues across multiple languages and frameworks. The document highlights 20 examples of issues found, including uninitialized variables, unreachable code, incorrect operations, security flaws, and typos. PVS-Studio is able to find these issues using techniques such as data-flow analysis, method annotation analysis, symbolic execution, type inference, and pattern-based analysis to precisely evaluate the code and pinpoint potential bugs or code smells.
Singletons in PHP - Why they are bad and how you can eliminate them from your... (go_oh)
While Singletons have become a Pattern-Non-Grata over the years, you still find it surprisingly often in PHP applications and frameworks. This talk will explain what the Singleton pattern is, how it works in PHP and why you should avoid it in your application.
The document provides an overview of JavaScript design patterns including creational, structural, and behavioral patterns. It discusses common patterns like the module pattern, prototype pattern, factory pattern, decorator pattern, observer pattern, and more. Code examples are provided to demonstrate how each pattern works in JavaScript.
Design pattern prototype - Factory Method, Prototype and Builder (paramisoft)
The document discusses three design patterns: Factory Method, Prototype, and Builder. Factory Method defines an interface for creating objects but lets subclasses decide which class to instantiate. Prototype specifies the kinds of objects to create using a prototypical instance that new objects can be cloned from. Builder separates the construction of a complex object from its representation so that the same construction process can create different representations.
This document summarizes a presentation about Arquillian Constellation, a middleware for testing not just Java EE applications. It discusses using Arquillian for integration testing, micro-deployments, Docker and container testing, Kubernetes testing, persistence and database testing, contract testing, visual/Selenium testing, and techniques for speeding up test execution like smart testing.
ChakraCore: analysis of JavaScript-engine for Microsoft EdgePVS-Studio
At the JSConf US conference in December 2015 the developers announced that they were planning to open the source code of Chakra's key components, the JavaScript engine used in Microsoft Edge. Recently the ChakraCore source code became available under the MIT license in the corresponding repository on GitHub. In this article you will find interesting code fragments that were detected with the help of the PVS-Studio code analyzer.
Applying Compiler Techniques to Iterate At Blazing SpeedPascal-Louis Perez
In this session, we will present real-life applications of compiler techniques that help kaChing achieve ultra confidence and power its incredible 5-minute commit-to-production cycle [1]. We'll talk about idempotency analysis [2], dependency detection, on-the-fly optimisations, automatic memoization [3], type unification [4] and more! This talk is not suitable for the faint-hearted... If you want to dive deep, learn about advanced JVM topics, devour bytecode and see first-hand applications of theoretical computer science, join us.
[1] http://eng.kaching.com/2010/05/deployment-infrastructure-for.html
[2] http://en.wikipedia.org/wiki/Idempotence
[3] http://en.wikipedia.org/wiki/Memoization
[4] http://eng.kaching.com/2009/10/unifying-type-parameters-in-java.html
Java EE 6 CDI Integrates with Spring & JSFJiayun Zhou
This document discusses integrating Java Contexts and Dependency Injection (CDI) with other Java technologies like Spring and JavaServer Faces (JSF). It covers CDI concepts like the Inversion of Control pattern and dependency injection. It also provides examples of using CDI with Spring, integrating CDI and JSF, and using CDI interceptors. The document recommends some libraries for CDI integration and provides sample code links.
Mastering Mock Objects - Advanced Unit Testing for JavaDenilson Nastacio
A high-level description of mock testing techniques and their implementation for the Java programming language.
This presentation specifically focuses on the JMockit and JMock frameworks.
This document provides an overview of the Grails web framework, including comparisons to other Java web frameworks. It discusses the differences between static and dynamic programming languages and covers Groovy and Grails features such as conventions over configuration, object relational mapping, validation, security, and common tags. The document also provides information on Grails project structure, configuration, and popular plugins.
Grails is a full-stack web application framework built on Groovy and Java. It utilizes conventions over configuration, meaning coding standards reduce the need for explicit configuration files. Grails integrates proven technologies like Spring, Hibernate, and more. It aims to simplify Java web development by reducing complexity and embracing DRY principles. Key features include GORM for object-relational mapping, scaffolding that rapidly generates basic CRUD functionality, and a large plugin ecosystem.
This document provides an overview of the Grails web framework, including:
- Grails is a full-stack MVC framework for web apps that leverages Groovy and is built on Spring, Hibernate, and other Java technologies.
- Grails uses conventions over configuration for simplified development and provides features like GORM and tag libraries.
- The document discusses Grails architecture, why it is useful for Java web development, and how it handles tasks like validation, querying, and security.
JavaFX 8 has been available since March 2014 and brings its share of new features. Gradle has been at version 2 since July 2014. Two very promising technologies: JavaFX breathes new life into desktop application development in Java by bringing an integrated web browser, WebSocket support, 3D, and much more. Gradle is the fashionable build automation tool, offering great possibilities compared to Maven, an ageing tool, thanks to the community's enthusiasm for it but also because of the technology used inside it: Groovy. Come and discover how you can quickly build a fashionable application in JavaFX with an equally fashionable tool. In short, come to a trendy session.
FindBugs is a static analysis tool that looks for bugs in Java code based on predefined bug patterns. It analyzes code without executing it and flags issues related to correctness, bad practices, performance, security, and concurrency. Some common bug patterns it finds include null pointer dereferences, ignored return values from methods, and potential infinite recursive loops. The tool is useful for finding bugs early before testing or deployment. Google and other companies use FindBugs to analyze their Java codebases and have found and fixed hundreds of issues through this process.
Groovy is a dynamic language for the Java Virtual Machine that aims to provide productivity features like closures, builders, and metaprogramming while leveraging Java's capabilities. The document discusses why developers should use Groovy to build Atlassian plugins, noting features like closures, domain specific languages, and builders that improve productivity. It addresses myths that dynamic typing reduces IDE support and that scripting languages are unprofessional. Code examples demonstrate how Groovy code can be more concise and readable than equivalent Java code.
This document summarizes Hamlet D'Arcy's presentation on AST transformations using tools like Lombok, Groovy, CodeNarc, and Mirah. It discusses how these tools allow manipulating abstract syntax trees to add functionality like automatic property generation, static analysis, and embedded domain-specific languages. Local AST transformations are performed without changing bytecode or requiring new semantics. Type checking can also be added through transformations. Mirah compiles to pure Java classes without additional syntax.
This document summarizes the history and development of Groovy from 2003 to 2012:
Groovy was created in 2003 and initially focused on adding closures and markup builders to Java, with additional features like templates and XML parsing added through 2004. Over the following years Groovy expanded to include tools like Gant, mocking, JSON builders, and annotations. By 2012 Groovy had become a popular and widely used JVM language with many features and tools for building applications.
The document discusses various techniques for reducing boilerplate code in Java, including libraries like Google Guava, Apache Commons Lang, and features in Java 7 and later. It provides examples of using these libraries and features to simplify tasks like error handling, resource management, string processing, collections, and object representation.
The document summarizes ideas for refactoring legacy code, including safely refactoring procedural code, better testing with Groovy, and managing dependencies. It also discusses social challenges like morale and politics, and provides suggestions for starting refactoring efforts and overcoming obstacles like lack of time or traction. Refactoring techniques presented include extracting methods, dependency injection, and using static methods to reduce dependencies.
The document discusses code generation and abstract syntax tree (AST) transformations. It provides an overview of Project Lombok, a Java library that generates boilerplate code through annotation processing and AST transformations. It also discusses how to analyze and transform code by visiting and rewriting AST nodes, giving examples of checking for null checks and instanceof expressions.
The document discusses code generation on the JVM using various tools and frameworks. It provides an overview of Lombok for generating Java boilerplate code, Groovy AST transformations, CodeNarc for static analysis, and Spock, GContracts, and Groovy++ for framework-oriented code generation. It also discusses generating code at compile time using abstract syntax trees.
Java has a reputation for boilerplate code: ubiquitous getters and setters, a verbose anonymous class syntax, and redundant declarations to name a few. It doesn't have to be this way! There are many ways to bust the boilerplate and this session provides a solid understanding of the most modern techniques. Come learn about inversion of control idioms, Proxy objects, code generation tools, and the latest libraries that both create and manage boilerplate code so you don't have to. A leaner, meaner codebase is yours for the taking.
The document discusses abstract syntax tree (AST) transformations in Groovy and Java. It covers several tools and techniques for AST transformations including Lombok, Groovy, CodeNarc, IntelliJ IDEA, Mirah macros, and how they allow generating code, performing static analysis, and rewriting code at compile time through analyzing and modifying the AST. The key topics are how these tools work by compiling code to an AST, analyzing and modifying the AST nodes, and sometimes generating source code from the transformed AST.
What do a Lego brick and the XZ backdoor have in common? (Speck&Tech)
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that they are both building blocks, or dependencies, of creative and software projects. The reality is that a Lego brick and the XZ backdoor case have much more in common than that.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She was an active member of the Fedora and openSUSE projects and co-founded the LibreItalia Association, where she was involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity for astronomy (from which her nickname deneb_alpha derives).
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to the UiPath Test Automation using UiPath Test Suite series, part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
CI/CD within UiPath
End-to-end overview of a CI/CD pipeline with Azure DevOps
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
14. … and more
Suppress False Positives
Define profiles and scopes
Run on demand
Run from command line
Team City integration
FindBugs, PMD & CheckStyle plugins
Language and framework support...
www.jetbrains.com/idea 14
15. Supported Frameworks
Android
Ant
Application Server Inspections
CDI (Contexts and Dependency Injection)
CSS
Faces Model
FreeMarker
JSF
JSP
JUnit
LESS
Maven
OSGi
RELAX NG
SCSS
Spring Model
16. Write Your Own
IntelliJ IDEA Static Analysis:
Custom Rules with Structural Search & Replace
On http://JetBrains.tv
17. 10 Best Unknown Inspections
Illegal package dependencies
'this' reference escapes constructor
Field accessed in both synched & unsynched contexts
non private field accessed in synched context
Synchronization on 'this' and 'synchronized' method
return of collection or array field
call to 'Thread.run()'
expression.equals("literal") rather than "literal".equals(expression)
equals method does not check class of parameter
method may be static
http://hamletdarcy.blogspot.com/2008/04/10-best-idea-inspections-youre-not.html
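Several of the patterns on this slide, each next to the form the inspection recommends, as an added Java example; it is not code from the slides or from IntelliJ IDEA, and the class, method and host names are invented for illustration:

```java
// Added example (not from the slides): the shapes that several of the
// inspections above flag, each beside the form the inspection suggests.
// Class, method and host names are invented for illustration.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;

public class InspectionExamples {

    // expression.equals("literal") rather than "literal".equals(expression):
    // the first form throws NullPointerException when 'role' is null.
    static boolean isAdminUnsafe(String role) {
        return role.equals("admin");          // flagged: NPE if role == null
    }

    static boolean isAdminSafe(String role) {
        return "admin".equals(role);          // null-safe, false for null
    }

    // return of collection or array field: handing out the internal array
    // lets any caller overwrite state the class assumes it owns.
    private final String[] allowedHosts = {"localhost", "intranet.example"};

    String[] getAllowedHostsUnsafe() {
        return allowedHosts;                  // flagged: caller can mutate entries
    }

    String[] getAllowedHostsSafe() {
        return allowedHosts.clone();          // defensive copy
    }

    List<String> getAllowedHostListSafe() {
        return Collections.unmodifiableList(Arrays.asList(allowedHosts));  // read-only view
    }

    // equals method does not check class of parameter: without the instanceof
    // check a foreign argument raises ClassCastException instead of returning false.
    static final class UserId {
        private final long id;
        UserId(long id) { this.id = id; }

        @Override
        public boolean equals(Object o) {
            if (this == o) return true;
            if (!(o instanceof UserId)) return false;   // the check the inspection asks for
            return id == ((UserId) o).id;
        }

        @Override
        public int hashCode() { return Objects.hash(id); }
    }

    // call to 'Thread.run()': run() executes on the calling thread;
    // start() is what schedules the new one.
    static void launchWorker(Runnable job) {
        Thread t = new Thread(job);
        // t.run();                           // flagged: runs synchronously, no new thread
        t.start();
    }

    // 'this' reference escapes constructor: publishing 'this' before the
    // constructor finishes lets another thread observe a half-built object.
    interface Listener { void onEvent(String e); }
    static final List<Listener> listeners = Collections.synchronizedList(new ArrayList<>());

    static final class EagerSubscriber implements Listener {
        private final String name;
        EagerSubscriber(String name) {
            listeners.add(this);              // flagged: 'this' escapes before 'name' is set
            this.name = name;
        }
        public void onEvent(String e) { System.out.println(name + " got " + e); }
    }

    static final class SafeSubscriber implements Listener {
        private final String name;
        private SafeSubscriber(String name) { this.name = name; }
        static SafeSubscriber register(String name) {
            SafeSubscriber s = new SafeSubscriber(name);   // fully constructed first
            listeners.add(s);                              // then published
            return s;
        }
        public void onEvent(String e) { System.out.println(name + " got " + e); }
    }

    public static void main(String[] args) {
        System.out.println(isAdminSafe(null));
        try { isAdminUnsafe(null); } catch (NullPointerException ex) {
            System.out.println("unsafe form threw NPE");
        }
        InspectionExamples ex = new InspectionExamples();
        ex.getAllowedHostsSafe()[0] = "changed";          // only the copy changes
        System.out.println(ex.getAllowedHostsUnsafe()[0]); // original still "localhost"
        System.out.println(new UserId(1).equals("1"));    // false, no ClassCastException
        SafeSubscriber.register("audit");
        launchWorker(() -> listeners.forEach(l -> l.onEvent("started")));
    }
}
```

Running the class shows the null-safe comparison returning false where the flagged form throws, the defensive copy leaving the original array intact, and the worker running on its own thread.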
19. How it Works
// Visitor from an inspection that reports methods which always recurse into themselves
@Override
public void visitMethod(@NotNull final PsiMethod method) {
    super.visitMethod(method);
    // Abstract methods have no body, so there is nothing to analyze
    if (method.hasModifierProperty(PsiModifier.ABSTRACT)) {
        return;
    }
    // Cheap pre-check: does the body contain any call that could recurse at all?
    if (!RecursionUtils.methodMayRecurse(method)) {
        return;
    }
    // Expensive check: is a recursive call reached on every path through the body?
    if (!RecursionUtils.methodDefinitelyRecurses(method)) {
        return;
    }
    // Only then is the method reported as a problem
    super.registerMethodError(method);
}
29. Duplicate Detection
Anonymizes Local Variables, Fields,
Methods, Types, and Literals
Provides weighted/scored analysis
Supports several languages
More info: http://goo.gl/qmhhd
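The anonymization idea behind the duplicate detector, as an added Java example written for this page (not IntelliJ IDEA's implementation): identifiers and literals are replaced by placeholders so that two methods that differ only in names or constants compare equal, and the token count of a match serves as its weight. The keyword list, tokenizer and sample snippets are constructed for the example.

```java
// Added example (not IntelliJ's code): normalize Java-like source by replacing
// identifiers and literals with placeholders, then group snippets whose
// normalized token streams are identical. The keyword list is a small
// constructed subset, enough for the sample input.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class NormalizedDuplicateFinder {

    private static final Set<String> KEYWORDS = new HashSet<>(Arrays.asList(
        "if", "else", "for", "while", "return", "int", "long", "boolean",
        "new", "null", "true", "false", "public", "private", "static", "void"));

    // Tokens: identifiers/keywords, integer literals, string literals, or one punctuation char.
    private static final Pattern TOKEN = Pattern.compile(
        "[A-Za-z_][A-Za-z0-9_]*|\\d+|\"(?:\\\\.|[^\"\\\\])*\"|[^\\s]");

    /** Tokenizes source and anonymizes identifiers, numbers and strings. */
    static List<String> normalize(String source) {
        List<String> out = new ArrayList<>();
        Matcher m = TOKEN.matcher(source);
        while (m.find()) {
            String t = m.group();
            if (t.startsWith("\"")) {
                out.add("STR");                      // string literal
            } else if (Character.isDigit(t.charAt(0))) {
                out.add("NUM");                      // numeric literal
            } else if (Character.isJavaIdentifierStart(t.charAt(0)) && !KEYWORDS.contains(t)) {
                out.add("ID");                       // variable, field, method or type name
            } else {
                out.add(t);                          // keywords and punctuation carry the structure
            }
        }
        return out;
    }

    /** Groups snippet names by identical normalized token stream; groups of one are dropped. */
    static Map<List<String>, List<String>> findDuplicates(Map<String, String> snippets) {
        Map<List<String>, List<String>> groups = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : snippets.entrySet()) {
            groups.computeIfAbsent(normalize(e.getValue()), k -> new ArrayList<>())
                  .add(e.getKey());
        }
        groups.values().removeIf(names -> names.size() < 2);
        return groups;
    }

    public static void main(String[] args) {
        // Constructed sample: two methods that are copies with renamed variables and
        // different constants, plus one that differs in structure.
        Map<String, String> snippets = new LinkedHashMap<>();
        snippets.put("checkPort",
            "boolean ok(int port) { if (port < 1024) { return false; } return port < 65536; }");
        snippets.put("checkAge",
            "boolean adult(int age) { if (age < 18) { return false; } return age < 150; }");
        snippets.put("different",
            "boolean any(int x) { return x > 0; }");

        for (Map.Entry<List<String>, List<String>> g : findDuplicates(snippets).entrySet()) {
            // The token count of the shared stream is the group's weight
            System.out.println("duplicate group (weight " + g.getKey().size() + " tokens): "
                + g.getValue());
        }
    }
}
```

With the sample input, checkPort and checkAge land in one group because their normalized streams (boolean ID ( int ID ) { if ( ID < NUM ) ... }) are identical, while the third snippet stands alone and is dropped. A real detector additionally scores matches on weighted token runs rather than whole-method equality, which the slide's "weighted/scored analysis" refers to.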
37. Dataflow Analysis
Code archeology
to here – how a reference gets set
from here – where a reference goes to
More info: http://goo.gl/Cp92Q
41. UML Generation
Dynamically generates diagram
Standard Show/Hide options
Integrated with Refactorings
Dependency Analysis
Shows all classes your code depends on
Shows specific usages in your classes
Allows jump to source
46. * le click *
BinaryOperation is used 4 times by Facade
– Darker color == more dependencies
Green shows who BinaryOperation is “used by”
Yellow shows who BinaryOperation “uses”
47. Cyclic Dependencies can be highlighted
Modules can be collapsed/expanded
48. Dependency Structure Matrix
Demos on JetBrains site & booth
Feature Overview: http://goo.gl/0bcz3
JetBrains Blog Post: http://goo.gl/fdj26
Canoo Blog Post: http://goo.gl/M1hTY
51. Software Lifecycle
Code Inspections: every second
JSR 305 and 308 Annotations: every second
Duplicate Detection
Stack Trace Analysis
Dataflow Analysis
Dependency Analysis
52. Software Lifecycle
Code Inspections: every debug
JSR 305 and 308 Annotations: every debug
Duplicate Detection
Stack Trace Analysis
Dataflow Analysis: every debug
Dependency Analysis
56. Learn More – Q & A
My JetBrains.tv Screencasts: http://tv.jetbrains.net/tags/hamlet
My IDEA blog: http://hamletdarcy.blogspot.com/search/label/IDEA
Work's IDEA blog: http://www.canoo.com/blog/tag/idea/
Main blog: http://hamletdarcy.blogspot.com
YouTube channel: http://www.youtube.com/user/HamletDRC
Twitter: http://twitter.com/hamletdrc
IDEA RefCard from DZone: http://goo.gl/Fg4Af
IDEA Keyboard Stickers: JetBrains Booth
Share-a-Canooie – http://people.canoo.com/share/
Hackergarten – http://www.hackergarten.net/
Editor's Notes
About Me - http://www.manning.com/koenig2/ - http://hamletdarcy.blogspot.com - Twitter: @HamletDRC - Groovy, CodeNarc, JConch committer - GPars, Griffon, Gradle, etc. contributor - GroovyMag, NFJS magazine author - JetBrains Academy member
Static access on instance lock
Field accessed in sync and non-sync context
lock acquired & not properly unlocked
Suspicious Indentation of Control Statement
Suspicious Variable/Parameter Name
- Command line & CI integration - command line: need a valid .idea / .ipr file - http://www.jetbrains.com/idea/webhelp/running-inspections-offline.html - inspect.bat or inspect.sh in idea/bin - CI Integration: TeamCity has inspections built in
- Mention WebStorm for other inspections
- @GuardedBy and @Immutable - GuardedByExample.java - Add jcp classes to classpath - non final GuardedBy field, not guarded correctly - non final field in @Immutable class
- http://www.jetbrains.com/idea/documentation/howto.html - Add annotations to classpath - Can be associated with other annotations (like Hibernate's) - Infer Nullity - http://www.jetbrains.com/idea/webhelp/inferring-nullity.html - http://blogs.jetbrains.com/idea/2011/03/more-flexible-and-configurable-nullublenotnull-annotations/
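The annotation contracts from the two notes above (@GuardedBy and @Immutable, then @Nullable/@NotNull), as an added Java example that is not from the slides or the GuardedByExample.java file they mention. It assumes the JCIP annotations (javax.annotation.concurrent) and the JetBrains annotations (org.jetbrains.annotations) are on the classpath, as the notes say to do; the class, field and user names are invented.

```java
// Added example (not from the slides): annotated code in the shape the
// inspections accept, beside the shape they report. Assumes the JCIP and
// JetBrains annotation jars are on the classpath; names are invented.
import javax.annotation.concurrent.GuardedBy;
import javax.annotation.concurrent.Immutable;
import javax.annotation.concurrent.ThreadSafe;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

public class AnnotationContracts {

    // Correct use: the guard is final and every access to 'active' holds it.
    @ThreadSafe
    static final class SessionCounter {
        private final Object lock = new Object();
        @GuardedBy("lock")
        private int active;

        void open()  { synchronized (lock) { active++; } }
        void close() { synchronized (lock) { active--; } }
        int active() { synchronized (lock) { return active; } }
    }

    // What the inspection reports: the guard field is not final, so the lock
    // object can be replaced and threads end up on different monitors, and
    // active() reads the field without holding the declared lock (a data race).
    static final class RacySessionCounter {
        private Object lock = new Object();            // flagged: non-final GuardedBy lock
        @GuardedBy("lock")
        private int active;

        void open()  { synchronized (lock) { active++; } }
        int active() { return active; }                // flagged: not guarded by 'lock'
    }

    // @Immutable promises no state change after construction.
    @Immutable
    static final class Token {
        private final String value;
        Token(String value) { this.value = value; }
        String value() { return value; }
    }

    @Immutable
    static final class LeakyToken {
        private String value;                          // flagged: non-final field in @Immutable class
        LeakyToken(String value) { this.value = value; }
        void rotate(String v) { value = v; }           // mutation the annotation forbids
    }

    // @Nullable / @NotNull: the dataflow inspection follows the annotations, so
    // dereferencing a @Nullable result without a check is reported.
    @Nullable
    static String lookupRole(@NotNull String user) {
        return user.equals("alice") ? "admin" : null;  // constructed lookup, null for unknown users
    }

    static boolean isAdminUnchecked(String user) {
        return lookupRole(user).equals("admin");       // flagged: possible NullPointerException
    }

    static boolean isAdminChecked(String user) {
        String role = lookupRole(user);
        return role != null && role.equals("admin");   // null handled before the dereference
    }

    public static void main(String[] args) {
        SessionCounter c = new SessionCounter();
        c.open(); c.open(); c.close();
        System.out.println("active sessions: " + c.active());
        System.out.println("bob is admin: " + isAdminChecked("bob"));
        try { isAdminUnchecked("bob"); } catch (NullPointerException e) {
            System.out.println("unchecked form threw NPE for an unknown user");
        }
    }
}
```

The annotated classes compile and run without the inspections; their value is that IDEA checks the contracts at edit time, so the unguarded read, the mutable field in the @Immutable class and the unchecked @Nullable dereference are reported before the race or the NullPointerException reaches a test or production.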
- http://www.jetbrains.com/idea/webhelp/dataflow-analysis.html - code archeology - better understand the inherited project code, interpret complicated parts of the code, find bottlenecks in the source, and more. - Dataflow to here - Shows how a reference gets set. ie Divide by zero example - Dataflow from here - Shows where a reference goes to. ie new Divide() example