20 May 2008
The quality and security of open source software is improving rapidly, according to an in-depth analysis of over 250 popular applications including Linux and Apache.
Coverity's Scan Report on Open Source Software 2008 was developed with support from the US Department of Homeland Security.
The report analysed more than 55 million lines of code on a recurring basis from over 250 popular open source projects.
The two-year investigation was conducted with Coverity's Prevent static source code analysis tool as part of the US government's Open Source Hardening Project.
Coverity reported a 16 per cent reduction in "static analysis defect density" in the past two years, reflecting the elimination of more than 8,500 individual defects.
'Null pointer dereference' emerged as the most common defect, according to the study, while 'Use before test of negative values' was the least common defect.
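As an added illustration (not code from the Coverity report or from any of the projects it scanned), here is what the two defect classes named above look like in C, each beside a checked form; the `lookup` and `read_age` helpers and their data are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed data for the example: a record that a lookup may fail to find. */
struct user { const char *name; int age; };

/* Simulated lookup returning NULL for an unknown id (constructed). */
static const struct user *lookup(int id) {
    static const struct user alice = { "alice", 34 };
    return id == 1 ? &alice : NULL;
}

/* Simulated read that reports failure with a negative, errno-style value (constructed). */
static int read_age(int id) {
    const struct user *u = lookup(id);
    return u ? u->age : -22;         /* -22 stands in for -EINVAL */
}

/* "Null pointer dereference": the most common class in the report.
   The result of lookup() is used without a NULL test. */
static size_t name_len_unchecked(int id) {
    const struct user *u = lookup(id);
    return strlen(u->name);          /* undefined behaviour when u == NULL */
}

/* Checked form: an unknown id yields 0 instead of a crash. */
static size_t name_len_checked(int id) {
    const struct user *u = lookup(id);
    return u ? strlen(u->name) : 0;
}

/* Decade labels indexed by age / 10 (constructed). */
static const char *const decade[10] = {
    "0s", "10s", "20s", "30s", "40s", "50s", "60s", "70s", "80s", "90s" };

/* "Use before test of negative values": the least common class in the report.
   A negative error code flows into an array index before it is checked. */
static const char *age_label_unchecked(int id) {
    int age = read_age(id);
    return decade[age / 10];         /* -22 / 10 == -2: out-of-bounds read */
}

/* Checked form: reject the error code (and clamp the upper range) first. */
static const char *age_label_checked(int id) {
    int age = read_age(id);
    if (age < 0)
        return "error";
    if (age >= 100)
        age = 99;
    return decade[age / 10];
}
```

Both unchecked functions behave correctly for a known id, which is exactly why such defects survive testing until a static analyser follows the NULL or negative path for an unknown one.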
Findings in the report seemed to contradict conventional wisdom: projects with a large average function length were not found to be prone to higher defect densities.
"The improvement of projects that already possess strong code quality and security underscores the commitment of open source developers to create software of the highest integrity," said David Maxwell, open source strategist at Coverity.
The report represents 14,238 individual project analysis runs for a total of nearly 10 billion lines of code analysed over two years.
The conclusions about the relationships between variables such as code base size, defect density, function length, 'Cyclomatic complexity' and 'Halstead effort' may apply equally to open source and commercial software.
Source code analysis from the report is freely available to qualified open source projects.
Hope they filed bug reports
So if a 16% reduction was 8,500 bugs, I sure hope they filed bug reports for the other 44,625 bugs. If they have a piece of software that automatically scans for defects, there is no reason why those defects should exist. It should be open-sourced and merged into gcc -Wall.
Posted by: Kenneth Finnegan 21 May 2008