Java Apps Have the Most Flaws, Cobol the Least

dcblogs writes "An analysis of 745 applications for violations of good architectural and coding practices found that Java applications had the most problems and Cobol-built systems, the least. Some 365 million lines of code were analyzed by Cast Software to assess 'technical debt,' or the cost to fix the violations. Java was calculated at $5.42 per line of code, while Cobol did best at $1.26. Cobol code had the least number of violations because programmers 'have been beating on it for 30 years,' said Cast. As far as Java goes, 'there are many people going into Java now that really don't have strong computer science backgrounds,' said its chief scientist, Bill Curtis."

so?

[masternerdguy]

That COBOL code has been maintained for like 30 years, it would naturally be rock solid by now.

Technical Debt

[Nittle]

In today's agile world, who gets time to maintain technical debt. How does paying technical debt ever give your app that new feature that your marketing department is pushing for -- to have out by tomorrow. I think the rules have changed in how companies push their software development organizations to deliver software. That may be the biggest reason that quality is different than it was. That and the other programs have been worked on forever.

Conclusion...

[Anonymous Coward]

this is no assessment of Java vs Cobol, but of seasoned programmers vs half-skilled newbies.

COBOL

[LtGordon]

I would imagine that the reason Cobol code has so few bugs is because the vast majority of it was written years ago and any bugs that might have been there have been fixed already. I'd be more interested in a study that compares only new code that hasn't had the benefit of years of maintenance and eyeballs.

Java apps are probably most widespread

[coder111]

If you look at enterprise world (which is what they analyzed) you'll see that either Java or C# are most widely used. Which means most new/inexperienced/crap developers get to work on these projects in Java and C#. Which again means most mistakes & hacks & silliness. All the speciality stuff using exotic languages gets better people. And cobol applications in use today are either really mature and good quality or discarded years ago.

There are very few good team leads and architects who actually stand their ground and demand both quality from developers and resources to do quality work from their managers... And there are probably fewer managers who understand that quality needs time & resources...

--Coder

Coding Practices?

[Murdoch5]

The only real coding practices that mean anything are:

1) Does the program work
2) Can the program be maintained
3) Can a normal developer understand your program
4) Is your program acceptably bug free

When you start breaking down coding practices into line formatting and variable names and etc... etc... etc.... your no longer programming your doing document management and personally I'm not going to write my embedded systems firmware in word so let me program.

Re:COBOL

[laejoh]

Let me, an old Cobol fart, just answer by repeating: "As if requirements never change".

Re:COBOL

[tajribah]

Besides, if you have a 1000-line Java program and a 10000-line COBOL program doing the same task, which is going to have less bugs per line? :-)

Re:Java == Training Wheels

[Anonymous Coward]

By this logic we assume we shouldn't automate memory or cpu management. That's akin to asking me to create every nail, hammer, axe, and grow each tree, for me to build a house.

What the programs do...

[jellomizer]

Most COBAL applications while do a lot of processing they are not required to do much in terms of advanced coding. We expect more out of Java Programs then we do with Cobal. Java Apps need a cool fancy UI that handles every users whim. While the COBOL app has a menu you type that Item fill those fields and the record and hit process and wait.

If we were to one for one recreate those COBOL apps in Java without anything new. I will bet those Java Apps will run just as well.

Re:Java == Training Wheels

[masternerdguy]

You'd also need to engineer the trees, including designing the proteins, etc. It's like Sagan said, you must first invent the universe.

Good metric

[Alwin Henseler]

(..) assess 'technical debt,' or the cost to fix the violations.

Sounds like a very useful metric: the cost of fixing a bug. Or perhaps even more useful: the cost of a bug as it's released into the wild. That is: the total cost of stumbling on that bug, reporting it, discussing it, devising workarounds, producing & testing a patch, bandwidth / system maintainers' time for checking whether to apply it, actually doing so, cost of a site hack resulting from that bug, etc, etc, all of that vs. no bug in the first place.

With that as a metric I suspect even minor bugs have a massive cost if you're talking mass-used software like popular OS or the embedded software that runs smartphones etc. And considering that massive cost, it might make sense to invest massive effort trying to find bugs before software is released. At least for popular and/or mission-critical software...

SQL too

[tepples]

SQL is also traditionally written in ALL CAPS, yet look at all the SQL injection vulnerabilities that have been used to break into high-profile web sites.

Re:Conclusion...

[TheRaven64]

That's more or less what I thought. Most COBOL programmers these days have been doing it for decades, or have learned COBOL after learning half a dozen other languages and realising that the skill shortage means anyone who can stomach writing COBOL is massively overpaid. In contrast, schools and universities are churning out Java 'programmers' in vast quantities. You can get a cheap person who kind-of knows Java very cheaply. There aren't many programmers who kind-of know COBOL, you get either either experienced COBOL programmers or experienced programmers who can easily learn COBOL.

Re:so?

[Anonymous Coward]

COBOL also is very inexpressive and requires more lines of code to do the same thing, so saying "dollars per line of code" is not very useful.

In fact if you ever hear the words "per line of code" you can just assume that you're talking to someone who doesn't actually write code.

Re:Interpreted languages?

[Anonymous Coward]

Here are the languages and numbers of applications submitted for assessment.

Java EE 339
Oracle Forms 39
Oracle CRM 12
Visual Basic 14
dotNET 51
ABAP 59
C 14
C++ 9
COBOL 80
Other 11
____
total 745

339 Java, 14 C, 9 C++???

The sample size and distribution renders all statistical conclusions meaningless! Just another piece of corporate bullshit...

huh??? Wake up!!!

[Anonymous Coward]

Beside server-side, start by showing me COBOL codes that can play music, MIDI, animation, display web contents (HTML), VNC, VOIP, text chat, audio chat, video chat...

Do those also on cell phone, PDA, tablet... ... then maybe I would agree to talk seriously about some grueling comparison between COBOL and Java

As somebody who's worked in COBOL and Java shops..

[mwvdlee]

As somebody who's worked in COBOL and Java shops (within the same company), let me say "Duh!".
It's not so much the language as the typical environment it's used in, combined with the experience.
People working on Cobol are usually working on mission-critical applications, Java applications are typically less mission critical.

In practice I find that the cost of a bug is usually a pretty good measure of the quality of code; I've worked on code where an hour of downtime literally costs over a million dollar and I've worked on code where a full day of downtime means some user might have noticed it and had to wait a day. There are people working on code where a few seconds of downtime means death. Want to guess what code will be the best quality?

Re:SQL too

[CastrTroy]

The mysql_escape_string, mysql_real_escape_string, mysql_i_mean_it_this_time_escape_string thing probably has a lot to do with the sql injection vulnerabilities, not to mention that before mysqli, you couldn't even use prepared statements. That and the number of php "tutorials" on the web that don't even mention mysql_real_escape_string or prepared statements, leads to PHP being particularly bad. Add that to the fact that PHP is what is avaiable on cheap web hosts, and that it's the language of choice for many newbie programmers, and you go a recipe for disaster. The SQL injection problem isn't limited to PHP, but PHP probably has the biggest problem with it.

Re:so?

[Anonymous Coward]

COBOL also is very inexpressive and requires more lines of code to do the same thing

Wait, are you comparing Cobol to Java, or Lisp? Because last I checked, Java still required more lines of code to do the same thing than in more expressive languages such as Ruby or Python. The one thing nobody (who had familiarity with languages other than C/C++) ever accused Java of is being expressive.

Re:Java == Training Wheels

[CSMoran]

Knowing how to do hard things doesn't mean I need to do it on a day by day basis.

I can know about a dozen sorting algorithms, it doesn't mean I shouldn't use the sort() provided by the standard library of whatever language I'm using. In fact, I'd be a retard not to use it.

True, but that only works for smart programmers like you. There's still a fair point with "if you make it too easy, riff-raff comes in".

Re:Coding Practices?

[gstoddart]

I SWEAR I'm not making this up: a manager once criticized my code as being too terse

And, as a developer who has done code reviews for a long time ... I've had to tell other developers the exact same thing. Because it was too fscking terse.

In our shop, you needed a comment before your function describing what it was for, magic numbers were strictly verboten, and we expected function/variable names to actually have some descriptive value so we can tell what they're for, and anything non-obvious needed a comment.

We'd still get functions with three-letter names which were meaningless, variables like "b1" and "b2" which conveyed no information whatsoever, and generally crap code. Those guys didn't last long because they couldn't understand why their code was unusable in a production codebase.

"people have to read and understand it before they can modify it". He saw no irony in that statement.

Maybe because there was no irony? I've seen a bunch of young coders who claim that their code is so elegant and obvious as to be easily maintained. I've also shoved the same code back in their face after 3 months and said "fix this", which got me a "what's it do"?

If you think there should have been irony in his statement, maybe your code isn't very good.

Always assume that someone half as clever as you think you are is going to be fixing that code with great time pressures and in the middle of a bad day ... because quite likely, even if it's your own code and you fixing it, that will be true. People who act otherwise are likely a liability in the long run.

I have seen far too many coders who thought they wrote clever code, but after six months couldn't follow their own logic in order to be able to debug it. If the original author can't debug it, WTF is anybody else going to do with it besides rewrite it? (Something I've had to do before.)

Re:so?

[Joce640k]

That COBOL code has been maintained for like 30 years, it would naturally be rock solid by now.

OTOH Java is a much more recent language based on those 30 years of experience and we're supposed to have learned how to do things better.

I think it's more likely that more experienced people are working on those COBOL programs, not know-it-all grad students fresh out of education.

Re:SQL too

[DigitalisAkujin]

PHP is C-like just like Java but the path the two syntaxes take would bring them further apart than closer together.

For example in PHP you would never see something like this:
final Class d = mContext.getApplicationContext().getClassLoader().loadClass(mContext.getPackageName() + ".R$" + subClassName);

It makes me sad that Google chose Java as Android's main language considering how much of a rats nest Java really is.

It's sad that it takes 16GB of RAM just to compile a build of Android. And the funny thing is it kills the whole point of Android being "open". What person has 16GB of RAM on the off chance that they might wanna compile an Android build?

Re:SQL too

[cduffy]

Oh, the irony of seeing this...

PHP does not inherently promote SQL injections. Stupid design patterns do.

...next to this...

It's up to you to filter your inputs.

*headdesk*.

Trying to filter your inputs is a losing battle. Not commingling code and data in the first place (and thereby avoiding the underlying problem -- that things intended to be data can be treated as code when reparsed) is the simple, simple win that avoids needing to fight that battle in the first place.

Incidentally, this is the same reason why using $foo rather than "$foo" in shell scripts is so evil -- things which would otherwise be data get parsed and processed (through not just string splitting but also glob expansion), leading to unforeseen results when abused.