
Open Source Code Is As Good As Proprietary, Says Coverity

Open source code scanned by Coverity had slightly fewer flaws per 1000 lines

By Eric Doyle, ChannelBiz

A report from Coverity is dispelling the conviction, held on both sides of the development fence, that open source software (OSS) is somehow inferior to proprietary code, or vice versa.

The company has been scanning millions of lines of open source code for its 2011 Coverity Scan Open Source Integrity Report. The results show that the quality of open source code is on a par with that of in-house-developed products.

More thoroughly tested

The company said that this year’s study has been massively upgraded with the introduction of the Coverity 5 development testing platform. The new analysis engine incorporates advances in static analysis to improve results and find more defects in any code under test.

During 2011, the company tested open source projects totalling over 37 million lines of code. The report also details the results from 300 million lines of anonymised proprietary software produced by Coverity Scan users.

The scans found that the average defect density (the number of defects per 1,000 lines of code) for open source was 0.45. For the proprietary code the same scan produced a figure of 0.64. In both cases this is better than the 1.0 average defect density measured in commercial software.

The cleanest code was found in Linux 2.6, PHP 5.3 and PostgreSQL 9.1, which weighed in at 0.62, 0.20 and 0.21 respectively. Coverity said that this recognised superior code quality makes these projects industry benchmarks.

Rasmus Lerdorf, creator of PHP, said: “The quality of our code is critical to the ongoing success and adoption of PHP, which includes some of the world’s most popular Web sites. As our code grows and becomes more complex, Scan will become even more important for us as a way to help improve our code quality.”

To balance the results, the company compared open source and proprietary projects of similar size. For codebases of around seven million lines, the defect density was roughly the same at 0.62. The parity is attributed to progressive software testing throughout the development process.

During the process, Coverity also gains an insight into application sizes. It found that the average open source project has 832,000 lines of code, while proprietary applications are much larger at 7.5 million lines.

In addition to the new testing software, Coverity has recently appointed Zack Samocha as Coverity’s Scan project director. “The line between open source and proprietary software will continue to blur over time as open source is further cemented in the modern software supply chain,” he said. “Our goal with Scan is to enable more open source projects to adopt development testing as part of their workflow for ongoing quality improvement, as well as further the adoption of open source by providing broader visibility into its quality.”

The report is the result of the largest public/private sector research project on open source software integrity. The project started in 2006, jointly with the US Department of Homeland Security, but is now wholly owned and managed by Coverity.


Author: Eric Doyle, ChannelBiz

Editor, ChannelBiz

3 replies to Open Source Code Is As Good As Proprietary, Says Coverity

  • On February 24, 2012 at 12:01 pm by kovner

    The cleanest code was found to be Linux 2.6, PHP 5.3, and PostgreSQL 9.1 which weighed in at 0.62, 0.20 and 0.21 respectively.

    Linux@0.62: is this a typo?

  • On February 24, 2012 at 12:33 pm by Peter Judge

    It looks that way to me, but the figure came directly from Coverity. Many thanks for pointing it out – we will check.

    Peter Judge

  • On February 25, 2012 at 7:26 am by Peter Judge

    We have a response back from Coverity. Does this answer the question?

    Peter

    Coverity says:

    “The 0.62 figure is correct. This is a reflection of the size of the Linux code base at over 7 million lines of code. The development team has focused on the most critical part of the project, the kernel, and the defect density overall is better than the industry average. The key thing to keep in mind is that defect density – and therefore quality – is a function of the size of the code base and number of active developers. We feel that Linux – which is one of the largest projects in Scan and roughly the size of the average proprietary codebase – is a great benchmark for quality.”
