Open-source code examined

Scan Report on Open Source Software 2008 detailed

In its "Scan Report on Open Source Software 2008," Coverity analyzed more than 55 million lines of code on a recurring basis from more than 250 open source projects. Detailed Tuesday, the project utilized the Coverity Prevent static source code analyzer and was done during a two-year period. Some of the projects analyzed included the Apache Web server, Linux, Firefox, and the Samba file and printer sharing system. Scripting languages such as PHP and Ruby were examined as well.

"We run the source code through our static analysis tool, which identifies certain types of software defects for them and developers can look at the result," said David Maxwell, open source strategist for Coverity.

Coverity in its analysis found that open source developers are interested in code quality and making efforts to make it better and more secure, Maxwell said.

"We can see from the statistics many developers are quite passionate about writing good code," Maxwell said.

The analysis found that:

  • The quality and security of open source software continues to improve.

  • There has been a 16 per cent reduction in overall static analysis defect density, reflecting the elimination of more than 8,500 individual defects. This reduction figure represents the average reduction from the first analysis of each project to the most recent analysis.

  • There is a prevalence of specific defects. "Null pointer reference" was the common defect while "User before test" was the least common.

  • Static analysis defect density and function length are statistically uncorrelated. This contradicts conventional wisdom.

  • Cyclomatic complexity and the Halstead effort, which are measures of code complexity, are significantly correlated to code base.

  • The average rate of false positives identified by open source developers on the Scan site was less than 14 per cent.

Also, Coverity found that code base size correlated to the number of defects. The company found it could tell with 72 per cent accuracy how many defects would be in the code based on the size of the code.

Coverity's code-scanning service was offered on its Scan site, which was developed with support from the US Department of Homeland Security as part of the federal "Open Source Hardening Project."

The project mostly examined C code but there was some C++ code as well.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Paul Krill

Paul Krill

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?