News
1/10/2008
04:53 PM

Developers' Tool Improves Open Source Security, Trims Defects

Several software teams consider Coverity's Prevent SQS a valuable product despite a number of false positives.

Source code scans, such as those being performed on open source projects for the Department of Homeland Security, have become an important new tool for eliminating bugs in many of those projects, open source developers say.

At the same time, the scans are illustrating that average open source projects are, well, average when it comes to creating bugs. Commercial code and some of the open source projects under review show roughly one code defect or security exposure per 1,000 lines of code, but the best projects show a defect rate far lower than that. The scans are also illustrating that open source projects, unlike some commercial teams, are willing to air their defects and clean them up quickly.

"We log into their Web site each week and see what they've found," said Jeremy Allison, lead developer and co-founder of the Samba open source project. The code scanner, Coverity's Prevent SQS, "has got an inhuman eye for detail. It's like having the most persnickety programmer in the world looking over your shoulder," Allison said in an interview. Samba is included with most Linux distributions and implements the SMB/CIFS file and print protocols, letting a Linux server act as a file and print server for Windows clients.

The Samba team has fixed 228 bugs found by Prevent SQS and still has 11 findings to review and determine whether they're real bugs. The team inspects each finding because Prevent SQS returns false positives, and Samba developers notify Coverity when an alleged bug is actually good code so it can improve the tool's scanning ability.

"Their false-positive rate is low enough for it to be an extremely valuable tool," Allison added. The findings were complicated by the fact that Samba switched its version control system from Subversion to Git, which broke the scripts Coverity used to fetch the most recent Samba source for its builds. For a while no new bugs showed up, because Prevent was rescanning code that had already been fixed. Once the scripts reached the right repository, many days of new development showed up at once, along with a batch of new defects.

But on the whole, "I was quite pleased with what Coverity said about us," Allison said. The scanning results show Samba with a defect rate of 0.024 per 1,000 lines of code instead of the average 1 per 1,000.

Not everybody has felt that way, as results of the scans have been aired by InformationWeek. "This story is just free and open source software bashing," said a reader in a submitted comment. Many readers wanted to see a comparison of open source to commercial code, but proprietary software companies are secretive about their defect rates. "Seems seriously slanted," said a commenter. "Steve Ballmer, is that you?" said another.
