Coverity Centralizes Its Code Defect Checkers

The company given a $300,000 Homeland Security contract to check security exposures in 250 open source code projects has combined several code checkers into one system, Coverity Integrity Center.

Coverity Integrity Center includes Coverity's static code-checking system, Prevent, which analyzes code line by line behind the scenes to find security exposures, poor programming practices, and bugs. Prevent has been used to check the code of 250 open source projects on a weekly basis over a two-year period. While some projects had as many bugs as commercial code, an average of one per 1,000 lines, Prevent found that Linux, Samba, and other leading projects have far fewer code defects than average.

Prevent "has got an inhuman eye for detail. It's like having the most persnickety programmer in the world looking over your shoulder," Jeremy Allison, lead developer on the Samba project, said in an interview.

The 2.6 version of the Linux kernel had a defect rate of 0.127 defects per 1,000 lines of code; that version of the kernel had 3.6 million lines. Samba was even lower at 0.024 bugs per 1,000 lines, while the PostgreSQL database project had a 0.041 rate, as reported last May.

Added to Prevent is Coverity's Build Analysis engine, a new product built into Integrity Center. It examines the newly assembled code produced by a build compilation in the software development process. A build "is the forgotten heartbeat of software development," said Coverity CTO Ben Chelf, and finding a problem in a build prevents problems further down the road as software goes into production.

In the build process, the compiler sometimes "doesn't appropriately clean up from a previous effort," and uses an old software object instead of a newly updated one. The Build Analyzer can detect such a mistake, automating a difficult process for the software developer who has to unravel why his code broke the build. Inspecting the source code line by line would reveal no defect in such a case, Chelf said in an interview.

Loud failures, where one part of the system doesn't connect to another, "are pretty straightforward to track down," said Chelf. Silent failures, such as the hidden, garbage object, are harder to track down, and an automated system relieves the developer of a lot of painstaking searching, he said.

Integrity Center also includes Architecture Analyzer, which compares the structure of the code to the architectural model that was generated for it. It can also analyze code as it executes in a test phase for dynamic analysis, formerly a separate product called Thread Analyzer. Integrity Center analyzes code written in C, C++, or Java.

Coverity's Integrity Center can be used with application life-cycle management tools, and Coverity has partnered with Electric Cloud's application project management, AccuRev's change and configuration management products, and GlobalLogic, a supplier of a distributed agile development platform.

Integrity Center is priced according to the number of lines of code in a project that it will analyze. A 1-million-line project would result in a $100,000 annual charge, or 10 cents a line.

Chelf said the San Francisco company closed its best quarter ever March 31. The privately held company doesn't disclose revenue, but he claimed the growth rate was 47%. Customers, in addition to Homeland Security, include France Telecom, Hewlett-Packard, Intergraph, Juniper Networks, Konami, Medtronics, NTT Do Co Mo, NASA, Philips, Raytheon, and Symantec.

InformationWeek Analytics has published an independent analysis of IT governance models and metrics. Download the report here (registration required).