Key open-source code passes muster

By Matt Whipp

Posted on 6 Mar 2006 at 12:37

Analysis of the source code for key open-source projects has shown fewer than 29 'defects' in every 100,000 lines of code.

Analysis of the LAMP stack - the Linux platform, Apache web server, MySQL database and Perl, PHP or Python scripting languages - showed that the commonly used open-source building blocks were well below the average for some 32 open-source projects scrutinised by Coverity.

These included the likes of Samba, gcc, Gnome and FreeBSD. The average score for the projects analysed was 43.4 defects per 100,000 lines of code.

Coverity undertook the task as part of a three-year contract for the US Department for Homeland Security, and the result will undoubtedly vindicate the use of open-source software within governmental departments.

Coverity uses software built by Stanford University computer scientists to analyse static source code, checking every code path for possible defects. It is much faster than performing the same task manually. Coverity reckons that analysing the Linux kernel at the same level would take 28 'man years'.

The open-source development model means that software does receive plenty of scrutiny from developers as it is public by nature. But having an automatic software tool helps ensure projects are not solely reliant on this.

'One of the goals ... is to define a baseline so that people can measure software reliability in both open-source and proprietary software projects,' said Ben Chelf, CTO, Coverity. 'However, our goal is not only to measure quality and security, but also to make the projects that we analyse better. By opening up our analysis results to the core developers of these open source projects, we hope to work with them to reduce the number of defects and vulnerabilities in their code bases.'

You can see the full list of results at http://scan.coverity.com/.