
Open Source Integrity Report : Key Findings

Coverity recently announced the release of the 2011 Coverity Scan Open Source Integrity Report, and the findings have been notable.

For those unfamiliar with Coverity Scan, this is a public-private sector research project focused on open source software integrity.

SCAN leverages one of the key development testing techniques, static analysis, to identify defects in software code.

The project was first initiated in 2006 in collaboration with the US Department of Homeland Security to strengthen the integrity of open source software. In its first year, over 6,000 software defects were identified from the analysis results of the Coverity Scan service.

Now fully owned and managed by Coverity, SCAN works with some of the most widely adopted open source projects, including Linux, PHP, Apache, and Android. They have all helped to improve the quality and security of open source software.

A key finding of the 2011 SCAN report is that the quality of the open source code analysed in the SCAN project is on par with that of proprietary code. Here are the other top findings:

Both commercial and open source projects that adopt development testing reap the benefits of good quality by significantly reducing the incidence of software defects.

Open source projects that have been using Coverity Scan for several years have significantly better defect density than the software industry average.

It's easier for a smaller project, with a more tightly coordinated team, to address a larger quantity of defects faster. BRL-CAD fixed over 1,600 defects in 5 days; their case study appears in the report.

We also presented the detailed results for Linux, PHP, and PostgreSQL, three projects that have been active participants in Coverity Scan over the past 5 years and are model citizens of good quality. PHP and PostgreSQL both have exceptionally low defect densities compared to the industry average. Linux, a codebase of nearly 7 million lines of code, has a better-than-average defect density for a codebase and developer community of its size.

Our 2011 SCAN findings show how development testing techniques, such as static analysis, have emerged as a best practice for finding and fixing software defects during software development.