Moving Up The Rings

Many things have rings: mobile phones have incredibly annoying ones, jewelers have incredibly expensive ones, and Hell — at least according to Dante — has incredibly detailed ones. For the past three years, thanks to a government contractor called Coverity, Open Source has rung as well.

Coverity began contracting with the Federal Government in 2006, after the Department of Homeland Security began to wonder about the quality of the Open Source offerings being used by fellow feds. The company builds code-analyzing tools aimed at finding vulnerabilities and other hiccups in the programming process, and thanks to the government's inquisitive nature, those tools have been turned on Open Source for the past three years.

The company's system is unlike the more traditional find, report, and fix approach where developers and users running the applications identify problem areas as they present themselves and correct as necessary. Coverity uses static analysis, which performs its review without running the software. The method doesn't identify certain types of issues, as Forrester Research's Jeffrey Hammond pointed out to IDG News: "Static analysis [tools] won't tell you that your business process is working correctly...but they will tell you that the code itself is technically solid."

According to Hammond, static analysis looks primarily for poor programming — "structural 'anti-patterns' in code" — identifying "more exotic" issues including parallel code execution, as well as more common problems like buffer overflows and memory leaks. The process identifies whether code "follows the kind of programming best practices you'd expect to see from code that has gone through a proper code review."

The analysis process, which relies on voluntary submission of code for review, uses a rung system to classify how far the project has progressed in correcting the problems discovered in during analysis. Coverity has assigned four projects — OpenPAM, Ruby, Samba, and tor — to Rung 3, the final step on the bug-squashing ladder.

Coverity reports that 280 projects have submitted code for review, representing over sixty million lines of code. More than 11,200 bugs have been eliminated, with coders from some 180 projects working to scan submitted code. The program has dramatically decreased what Coverity calls "defect density," down sixteen percent in three years.


Justin Ryan is a Contributing Editor for Linux Journal.

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState