Open-source and proprietary code contain similar mistakes

A two-year study of more than 55 million lines of code showed that open-source software contains the same kinds of errors, in much the same proportions, as software written for proprietary systems.

The incidence of those errors in open-source code is declining, according to a study that the Homeland Security Department funded. The department hired Coverity to analyze more than 55 million lines of code in two years as part of the government's Open Source Code Hardening Project.

Coverity used its Scan service to help open-source developers improve their products' security by pinpointing and categorizing code flaws. Scan uses the company's widely deployed Coverity Prevent static source-code analysis system.

The two-year project covered more than 250 popular open-source projects.

Open-source software products are improving in quality and security, according to the study. Using the Scan service, researchers measured a 16 percent drop in static analysis defect density, the number of analyzer-reported defects per thousand lines of code, over the two years. Because the metric counts only defects the analyzer can detect, it tracks improvement against a fixed set of checks rather than the total number of bugs in a project.

Project researchers cited a report from Gartner that states that by 2012, as many as four-fifths of all commercial software will include open-source code.

The Scan site sorts open-source projects into rungs based on their success in eliminating defects, Coverity said. 'Projects at higher rungs receive access to additional analysis capabilities and configuration options,' it said. 'Projects are promoted as they resolve the majority of defects identified at their current rung.'

'The continued improvement of projects that already possess strong code quality and security underscores the commitment of open-source developers to create software of the highest integrity,' said David Maxwell, open-source strategist at Coverity.

The company said its initial two-year DHS contract is ending, and Coverity will continue to operate the Scan site because of the favorable response the project has received from software developers and others in the open-source community.

The full Open Source Report 2008 is available here.
