Critical Open Source Software Projects Receive 6,000 Bug Fixes in First Year of Coverity Scan Site
Coverity, Inc., makers of the world’s most advanced source code analysis solution, today celebrated the one year anniversary of the scan.coverity.com project that was started under an open source vulnerability research contract with the Department of Homeland Security (DHS). The contract is shared with Stanford University and Symantec Corporation. Coverity also announced a major expansion of the analysis scope, increasing the number of open source projects involved to 150, up from 50.
In the first year, developers fixed an average of 16 defects a day. Many of the new projects are so widely used that a single serious defect could affect millions of people. For example, Coverity added regular scans of zlib, a compression program used in more than 500 applications, including MSN Messenger, Microsoft Office, QuickTime and Apache. Other new projects include FreeRADIUS, a software application that provides secure authentication to 100 million users on the Internet and on business networks.
“Access to Coverity’s technology is enormously valuable for a foundational piece of network access software like FreeRADIUS where any crash or security bug can have a worldwide impact on people’s ability to access the Internet,” said Alan DeKok, project leader for the FreeRADIUS Project. “I want to thank the DHS for funding this contract and to thank Coverity for providing this service that will help to maintain the valuable reputation of FreeRADIUS as a quality product.”
“There’s been tremendous adoption of the free service on scan.coverity.com by the open source developer community with most developers fixing bugs after a single look at the analysis of a particular defect,” said David Maxwell, open source strategist for Coverity. “The scalability of Coverity’s analysis technology allows us to continuously run scans on each of 35 million lines of code and their interdependencies with only a small system of servers. This allows open source developers to find and resolve defects introduced into the project soon after the new code is submitted.”
The new scan.coverity.com site gives the general public full color graphs categorized by defect type. Previously, the public could only access summary tables. Developers will continue to be able to drill-down into every defect identified to pinpoint the exact location of all errors.
A partial list of defects that scan.coverity.com identifies include:
• Leaked resources;
• References to pointers that could be NULL;
• References to pointers that are guaranteed to be NULL;
• Use of uninitialized data;
• Array overruns;
• Unsafe use of signed values;
• Use of resources that have been freed.
The impact of each defect varies depending on the application and use. For example, unsafe use of signed values could cause crashes or lead to unexpected behavior or security vulnerabilities.
Access and Eligibility
In order to avoid potential security vulnerabilities leaking to the general public, details of the analysis are given to members of scanned projects only. Open source projects with licenses that meet the criteria described by the Open Source Initiative are eligible if they have no corporate affiliations or are most strongly affiliated with a non-profit organization. Additional conditions may apply. Please see http://scan.coverity.com/faq.html for more information on access and eligibility.
The scan.coverity.com site is under continual development. In the near future, active open source projects will get access to additional features that allow scan.coverity.com to be configured and tuned for their specific projects, enabling an even deeper level of defect detection with the most advanced source code analysis technology available on the market.
Contact details and information on the background and history of scan.coverity.com are available at http://scan.coverity.com/about.html