Developers' Tool Improves Open Source Security, Trims Defects

Several software teams consider Coverity's Prevent SQS a valuable product despite a number of false positives.
What Prevent SQS has done in the first phase of its Department of Homeland Security project is perform 12 checks on the open source projects selected for review. They include forward nulls, where a pointer variable has a value of zero, refers to a nonexistent memory space, and causes the program to crash; negative returns, where a function returns an unexpected negative value that leads to unpredictable results, such as a negative value being used to index an array so that the access lands in an unpredictable memory location; and dynamic overruns, where a piece of dynamically allocated memory is written to without its size being respected, said David Maxwell, Coverity's chief open source strategist.

Prevent also checks for memory leaks, where memory is allocated to create a software object but never reclaimed for the system when the object is disposed of. It also "sizechecks," looking for a pointer that has been cast to a data type too large for the memory assigned to hold it, causing a memory overwrite. Eleven open source projects have been scanned for the 12 defect types and have cleaned up enough of the resulting findings to advance to a second "rung," or new phase, of Coverity checking. They were: the Perl, PHP, Python, and Tcl scripting languages; Samba; the Amanda backup and recovery project; NTP, the Network Time Protocol, which coordinates correct timing between two dissimilarly timed systems; OpenPAM, the open source method of aggregating multiple user authentication schemes; OpenVPN, the open source VPN; and Overdose, a Yahoo chat client.
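To make the defect classes named above concrete, here is an added example (not code from the article, from Coverity, or from any of the scanned projects) showing a negative return used as an array index, a dynamic overrun combined with an unchecked allocation, and the hardened rewrite of each; the three-entry user table is constructed for the illustration.

```c
/* Added example: defect patterns of the kind Prevent flags, each beside a
 * hardened rewrite. The user table below is constructed, not real data. */
#include <stdlib.h>
#include <string.h>

#define NUSERS 3
static const char *names[NUSERS] = { "root", "daemon", "www" };
static const int   uids[NUSERS]  = { 0, 1, 33 };

/* Returns the index of `name`, or -1 when absent: the "negative return". */
static int find_user(const char *name) {
    for (int i = 0; i < NUSERS; i++)
        if (strcmp(names[i], name) == 0) return i;
    return -1;
}

/* Negative-return defect: the -1 sentinel flows straight into a subscript,
 * so a miss reads uids[-1], an unpredictable memory location. */
int uid_of_unchecked(const char *name) {
    return uids[find_user(name)];
}

/* Hardened: reject the sentinel before it can reach the subscript. */
int uid_of(const char *name) {
    int idx = find_user(name);
    if (idx < 0) return -1;          /* caller treats -1 as "not found" */
    return uids[idx];
}

/* Dynamic-overrun defect: the buffer is sized strlen(s), but strcpy writes
 * strlen(s)+1 bytes. The malloc result is also never tested, so an
 * allocation failure becomes a forward null on the strcpy. */
char *dup_unchecked(const char *s) {
    char *buf = malloc(strlen(s));
    strcpy(buf, s);
    return buf;
}

/* Hardened: the size includes the terminator and NULL is handled. The
 * caller owns the result and must free it, or a memory leak follows. */
char *dup_checked(const char *s) {
    size_t n = strlen(s) + 1;
    char *buf = malloc(n);
    if (buf == NULL) return NULL;
    memcpy(buf, s, n);
    return buf;
}
```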

Coverity called attention to the 11 as it announced an advanced round of checking for those projects that had completed two rounds of checks. Rung 0 and Rung 1 completed 12 defect checks. The Coverity checking engine is now capable of 60 checks, but not all of them will be immediately applied to the 11 projects. There will be Rungs 3, 4, and 5 as well. Maxwell said Coverity is trying to pace the amount of defect information it throws at open source projects so that they don't get distracted or overwhelmed by the lists of what the Prevent checkers are finding.

The results being cited come from scans automatically conducted on each build of an open source project, which occurs at least weekly and often several times a week. What the scan results don't show is the number of false positives in the supposed bug list. Until developers on an open source team check out each Prevent finding, it may or may not be a bug.
