- Related Stories
-
LAMP lights the way in open-source security
March 6, 2006 -
Homeland Security helps secure open-source code
January 10, 2006 -
Key bugs in core Linux code squashed
August 3, 2005 -
Will code check tools yield worm-proof software?
May 26, 2004
More than 900 flaws were repaired in the two weeks after Coverity, which makes tools to analyze source code, announced the results of its first scan of 32 open-source projects. As a result, some of the software is now entirely bug free, Coverity said in a statement on Monday.
"My impression is that the open-source community is producing software defect patches at an extremely fast rate," Ben Chelf, the chief technology officer at Coverity, said in the statement.
Squashing bugs
Developers swiftly fixed flaws in their code after the bugs were identified in a U.S. government-sponsored effort to secure open-source software.
| Open-source project | Defect count March 6 | Defect count March 20 |
|---|---|---|
| Amanda | 108 | 0 |
| XMMS | 6 | 0 |
| Samba | 216 | 0 |
| Ethereal | 143 | 19 |
| Icecast | 12 | 2 |
| SQLite | 31 | 6 |
| Gcc | 140 | 97 |
| Gaim | 113 | 51 |
| Net-SNMP | 148 | 61 |
Source: Coverity
The open-source bug hunt is part of a three-year "Open Source Hardening Project," dedicated to helping make such software as secure as possible. In January, the U.S. Department of Homeland Security awarded $1.24 million to Stanford University, Coverity and Symantec to find vulnerabilities in open-source projects.
In its initial analysis on March 6, Coverity scanned more than 17.5 million lines of code from 32 open-source projects. On average, 0.434 bugs per 1,000 lines of code were found, the company said at the time.
More than 200 developers registered for access to the online defect database in the week after the first results were published. Since then, programmers for the Samba, Amanda and XMMS projects eliminated all the defects that the initial analysis detected, Coverity said Monday.
Samba, a popular open-source project used to connect Linux and Microsoft Windows networks, showed the fastest developer response, Coverity said. The number of flaws was reduced from 216 to 18 in one week and to zero in two weeks.
Amanda, a backup tool, was the worst performer in Coverity's first analysis. It had the highest number of bugs per 1,000 lines of code, with a bug density of 1.237. The Amanda developers fixed 108 defects in a couple of weeks, according to Coverity.
XMMS, an audio player, had the lowest bug density, with 0.051 defects per 1,000 lines of code. A total of six holes have now been fixed, Coverity said.
As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, so they can get the details they need to fix the flaws, Coverity said.
See more CNET content tagged:
Coverity,
open source,
open-source project,
Samba,
defect
- Nonsense
-
by Mike E.
April 4, 2006 2:39 PM PDT
- "Some of the software is now entirely bug free" -are they serious? I realize their automated tools can't find any more bugs; but claiming this means the software is bug free in nonsense.
-
Reply to this comment
-
-
- Are they serious?
-
by rcrusoe
April 4, 2006 4:37 PM PDT
- Maybe. IMO, you need to point out all the bugs they missed and
-
View
reply
-
- They're completely serious.
-
by JFDMit
April 4, 2006 10:09 PM PDT
- Adopting M$'s approach, all the bugs are now fixed. Anything that comes up from now on is a feature.
-
-
(6 Comments)make them eat their words. That'll show them.