Coverity says the integrity and quality of the open source projects it scans for defects is improving. The company said it has measured a 16% reduction in static analysis defect density since it started scanning projects, including Linux, Samba, and Ruby, three years ago.
That reduction means 11,200 defects have been eliminated since Coverity undertook a $300,000 Department of Homeland Security contract to report on the reliability and integrity of open source software projects, often adopted for use in federal, state, and local government.
To find those defects, Coverity's automated inspector, Prevent, inspected 11 billion lines of code from 280 open source projects.
By defects, Coverity doesn't necessarily mean vulnerabilities and security exposures, although those can sometimes be found as well. A defect is often a null pointer dereference in a C program, where the code follows a pointer that does not point to valid memory. In some cases, the software runs fine despite the defect. Weeding out these flaws means they can't be triggered later by unforeseen or previously unencountered conditions in the program.
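As an added illustration of the kind of latent defect described above (this is constructed example code, not Coverity's or any scanned project's), the first function below dereferences the result of strchr() without a NULL check. It works on every well-formed "key=value" line, so the program appears healthy, and only crashes when a line without '=' arrives, which is exactly the "unforeseen condition" a static analyzer flags before it is hit in production. The second function is the hardened form, turning the missing delimiter into a reported error.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Defective form (constructed): strchr() returns NULL when the line has
 * no '=', and eq + 1 is then dereferenced. A static analyzer reports
 * this as a null pointer dereference even though normal input never
 * reaches it. */
size_t value_length_unchecked(const char *line)
{
    const char *eq = strchr(line, '=');
    return strlen(eq + 1);   /* undefined behaviour when eq == NULL */
}

/* Hardened form (constructed): the NULL case is handled explicitly.
 * Returns 1 and stores the value length on success, 0 on malformed
 * input, so the caller can reject the line instead of crashing. */
int value_length_checked(const char *line, size_t *out_len)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL) {
        return 0;
    }
    *out_len = strlen(eq + 1);
    return 1;
}

int main(void)
{
    /* Constructed sample input: one well-formed line, one malformed. */
    const char *good = "port=8080";
    const char *bad = "port 8080";
    size_t n = 0;

    printf("unchecked(good) = %zu\n", value_length_unchecked(good));
    printf("checked(good)   = %d, len %zu\n",
           value_length_checked(good, &n), n);
    printf("checked(bad)    = %d\n", value_length_checked(bad, &n));
    /* value_length_unchecked(bad) is deliberately not called: it would
     * dereference NULL, which is the crash the check prevents. */
    return 0;
}
```

The point of the pairing is that both functions behave identically on the input the program was tested with; only the analyzer, or an unexpected input in the field, exposes the difference.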
As open source projects have eliminated the bugs found in Coverity's initial scans, the spotlight has turned toward more obscure classes of bugs that were too minor to bother with in Coverity's first year of scanning. The third round of searching for these obscure defects is underway.
For example, Samba, along with a handful of other open source projects, has entered the third rung of certification, as Coverity calls it. Samba is the project that allows file and print translation between Windows and Linux, and it has been widely used in many enterprises adopting Linux.
The Ruby scripting language, with its Ruby on Rails framework known for its rapid development techniques, is also a third rung certification participant, as is OpenPAM, the open source method of aggregating multiple user authentication schemes.
"Known bugs can sometimes turn into security issues if they're not correctly understood or addressed," wrote Jeremy Allison, co-creator of the Samba project with Andrew Tridgell, who commented on the need for defect prevention in open source code in a Samba FAQ on July 21. "One hundred percent bug free reliable software is our goal, and one that Coverity scans play an important part in achieving," he wrote.