The overall quality and security of open source software is improving, say researchers at the Scan Web site. The group cites a 16% reduction in average static analysis defect density over the past two years of studying open source projects. Nearly 10 billion lines of code were analyzed, according to the group.
The site was set up by the U.S. Department of Homeland Security, Stanford University, and development software maker Coverity as part of a multi-year effort aimed at hardening U.S. Government software, which, like the rest of the world's, now includes a healthy helping of open source.
Coverity's base source code analysis technology was originally developed at the Stanford Computer Science Laboratory. The www.scan.coverity.com site allows qualified open source software projects to work with the commercial Coverity Prevent static analysis tools to identify software defects. The site characterizes open source projects based on the progress each project makes in resolving defects.
The Web site was launched in March 2006, according to David Maxwell, open source strategist for Coverity. He said open source projects that registered to be part of the study get a view on problems in their code, and many have made code changes based on the information.
While the group has disclosed some overall trends in defect types in the Scan.Coverity.com Open Source Report for 2008, some defect details are privy to registered project participants only.
"We don't want to be a source of vulnerability," said Maxwell. Some projects that have not actively used the results of the study have shown subsequent increases in defects, he said.
This work arose as part of an initiative called the "Vulnerability Discovery and Remediation Open Source Hardening Project," undertaken by Homeland Security's Science and Technology Directorate to protect the U.S. telecommunications infrastructure. As a result, defects in such open source projects as NTP, OpenVPN, Perl, PHP, Python, Samba, and TCL have been fixed. Most prevalent among types of defects found in the open source projects were null pointers, resource leaks, and unintentional ignored exceptions.