2008
OPEN SOURCE REPORT
Acknowledgements

On behalf of the Scan site and Coverity, we would like to acknowledge the following organizations for their contribution to this report. It is our intention that developers, both open source and commercial, will benefit from the findings in this report, which is possible thanks to the following:

Open Source Developers – Around the world, open source developers have invested their time and energy to utilize results from the Scan site to improve the quality and security of their code. It has been a pleasure to work with fellow developers who are so passionate about their work. We thank you for your time, your feedback, and your trust in our organization. Moreover, we applaud your drive and success at building better software. A special word of thanks goes to the developers/projects that assisted with the creation of this report, or have provided valuable input and feedback on the Scan project, including: The Samba Team, The FreeBSD Project, der Mouse, Mark Arsenault, and the developers from ntp, Linux, Perl, Python, and PHP.

U.S. Department of Homeland Security – We extend our gratitude to the U.S. Department of Homeland Security for their continued support of the Scan site. In particular, we thank the members of the DHS responsible for the success of the U.S. Government’s Open Source Hardening Project.
Executive Summary
The Scan site (www.scan.coverity.com) is sponsored by Coverity™ with support from the U.S. Department of Homeland Security. This report presents historical trend data collected by Scan researchers over the past two years.

Findings are based on analysis of over 55 million lines of code on a recurring basis from more than 250 open source projects, representing 14,238 individual project analysis runs for a total of nearly 10 billion lines of code analyzed. In summary, this report contains the following findings:

• The overall quality and security of open source software is improving – Researchers at the Scan site observed a 16% reduction in static analysis defect density over the past two years
• Prevalence of individual defect types – There is a clear distinction between common and uncommon defect types across open source projects
• Code base size and static analysis defect count – Research found a strong, linear relationship between these two variables
• Function length and static analysis defect density – Research indicates static analysis defect density and function length are statistically uncorrelated
• Cyclomatic complexity and Halstead effort – Research indicates these two measures of code complexity are significantly correlated to codebase size
• False positive results – To date, the rate of false positives identified in the Scan databases averages below 14%
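The findings above refer to two code-complexity measures, cyclomatic complexity and Halstead effort, and relate them to the size of the code analyzed. The script below is an added example written for this page; it is not Coverity's or the Scan site's measurement code, and the way it classifies Python syntax into Halstead "operators" and "operands" is an assumption of this example (Halstead's counts were defined over tokens, and real tools differ in what they classify). It computes McCabe cyclomatic complexity per function and Halstead metrics for a constructed sample module, and the comparison at the end shows the effort measure growing with the amount of code analyzed, which is the kind of size correlation the report notes.

```python
import ast
import math
from dataclasses import dataclass

# Constructed sample module (not from the Scan site or any project in the report).
SAMPLE_SOURCE = '''
def clamp(x, lo, hi):
    if x < lo:
        return lo
    if x > hi:
        return hi
    return x

def count_matches(items, needle):
    n = 0
    for item in items:
        if item == needle and item is not None:
            n = n + 1
    return n
'''

# Decision points for McCabe cyclomatic complexity: each adds one branch.
DECISION_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.IfExp, ast.ExceptHandler)

# Simplified Halstead classification (an assumption of this example, not Coverity's):
# operators are arithmetic/comparison/boolean/unary operator tokens plus assignment,
# call and return; operands are identifiers and literal constants.
OPERATOR_NODES = (ast.operator, ast.cmpop, ast.boolop, ast.unaryop,
                  ast.Assign, ast.AugAssign, ast.Call, ast.Return)


@dataclass
class HalsteadMetrics:
    n1: int            # distinct operators
    n2: int            # distinct operands
    N1: int            # total operators
    N2: int            # total operands
    vocabulary: int    # n1 + n2
    length: int        # N1 + N2
    volume: float      # length * log2(vocabulary)
    difficulty: float  # (n1 / 2) * (N2 / n2)
    effort: float      # difficulty * volume


def cyclomatic_complexity(func: ast.FunctionDef) -> int:
    """McCabe complexity: 1 plus the number of decision points in the function."""
    complexity = 1
    for node in ast.walk(func):
        if isinstance(node, DECISION_NODES):
            complexity += 1
        elif isinstance(node, ast.BoolOp):
            complexity += len(node.values) - 1  # every extra and/or operand is a branch
        elif isinstance(node, ast.comprehension):
            complexity += 1 + len(node.ifs)     # the loop plus each filter clause
    return complexity


def halstead_metrics(tree: ast.AST) -> HalsteadMetrics:
    """Halstead counts and derived measures for any AST (module or function)."""
    operators, operands = [], []
    for node in ast.walk(tree):
        if isinstance(node, OPERATOR_NODES):
            operators.append(type(node).__name__)
        elif isinstance(node, ast.Name):
            operands.append(node.id)
        elif isinstance(node, ast.Constant):
            operands.append(repr(node.value))  # repr keeps 0, '0' and None distinct
    n1, n2 = len(set(operators)), len(set(operands))
    N1, N2 = len(operators), len(operands)
    vocabulary, length = n1 + n2, N1 + N2
    volume = length * math.log2(vocabulary) if vocabulary else 0.0
    difficulty = (n1 / 2) * (N2 / n2) if n2 else 0.0
    return HalsteadMetrics(n1, n2, N1, N2, vocabulary, length,
                           volume, difficulty, difficulty * volume)


def function_complexities(source: str) -> dict:
    """Map each top-level function name in the source to its cyclomatic complexity."""
    tree = ast.parse(source)
    return {node.name: cyclomatic_complexity(node)
            for node in tree.body if isinstance(node, ast.FunctionDef)}


def function_halstead(source: str, name: str) -> HalsteadMetrics:
    """Halstead metrics of one named top-level function, for comparing against the module."""
    tree = ast.parse(source)
    for node in tree.body:
        if isinstance(node, ast.FunctionDef) and node.name == name:
            return halstead_metrics(node)
    raise KeyError(name)


if __name__ == "__main__":
    print(function_complexities(SAMPLE_SOURCE))
    print("clamp only:", function_halstead(SAMPLE_SOURCE, "clamp").effort)
    print("whole module:", halstead_metrics(ast.parse(SAMPLE_SOURCE)).effort)
```

Running the script prints `{'clamp': 3, 'count_matches': 4}` followed by the Halstead effort of `clamp` alone and of the whole module; the second value is larger because both the volume and the operand counts grow with the code analyzed. Cyclomatic complexity, by contrast, is a per-function figure and stays at 3 for `clamp` however much other code the module contains.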

