A two-year study of more than 55 million lines of code showed that open-source systems include a variety of errors that closely track those found in software written for proprietary systems.
The incidence of those errors in open-source code is declining, according to a study that the Homeland Security Department funded. The department hired Coverity to analyze more than 55 million lines of code in two years as part of the government’s Open Source Code Hardening Project.
Coverity used its Scan service to help open-source developers improve their products' security by pinpointing and categorizing code flaws. Scan uses the company's widely deployed Coverity Prevent static source-code analysis system.
The two-year project covered more than 250 popular open-source projects.
Open-source software products are improving in quality and security, according to the study.
Using the Scan service, researchers detected a 16 percent reduction in source code errors, based on a measure known as static analysis defect density, during the past two years. Project researchers cited a report from Gartner that states that by 2012, as many as four-fifths of all commercial software will include open-source code.
The Scan site sorts open-source projects into rungs based on their success in eliminating defects, Coverity said. “Projects at higher rungs receive access to additional analysis capabilities and configuration options,” it said. “Projects are promoted as they resolve the majority of defects identified at their current rung.”
“The continued improvement of projects that already possess strong code quality and security underscores the commitment of open-source developers to create software of the highest integrity,” said David Maxwell, open-source strategist at Coverity.
The company said its initial two-year DHS contract is ending, and Coverity will continue to operate the Scan site because of the favorable response the project has received from software developers and others in the open-source community.
The full Open Source Report 2008 is available here.
It is sad to see this awesome project come to an end....
Here are a couple of highlights from the full report.
• The overall quality and security of open source software is improving – Researchers at the Scan site observed a 16% reduction in static analysis defect density over the past two years
• Prevalence of individual defect types – There is a clear distinction between common and uncommon defect types across open source projects
• Code base size and static analysis defect count – Research found a strong, linear relationship between these two variables
• Function length and static analysis defect density – Research indicates static analysis defect density and function length are statistically uncorrelated
• Cyclomatic complexity and Halstead effort – Research indicates these two measures of code complexity are significantly correlated to codebase size
• False positive results – To date, the rate of false positives identified in the Scan databases averages below 14%