The analysis is the first public result arising from a contract with the Department of Homeland Security (DHS) to improve the security and quality of software. The three-year contract, called the "Vulnerability Discovery and Remediation Open Source Hardening Project," includes research on source code analysis techniques developed by Coverity and Stanford computer scientists.
"One of the goals of our research on software quality and security is to define a baseline so that people can measure software reliability in both open source and proprietary software projects," said Ben Chelf, CTO of Coverity. "No technology can find all bugs in software, but we have collected a critical mass of data through an automated and repeatable analysis framework to show how software quality can be concretely assessed, compared, and ultimately improved."
The open source development model benefits from the "many eyes" approach of having many developers review source code in a process similar to a large-scale peer review. This often results in high-quality code, such as the code found in the LAMP stack. One goal of Coverity's research is to accelerate this peer review process by automatically analyzing 100 percent of the code paths for defects in each software project. According to Coverity, doing this manually for just the Linux kernel would take over twenty-eight man-years.
As part of the analysis, Coverity is working with open source project leaders to make Coverity's findings useful to the open source community and to assist in applying fixes to the bugs identified.
An updated table of summary results and access to the secure database of defects is available online.