
Researchers: Bugs in open source software are waning

By Jacqueline Emigh, BetaNews

May 20, 2008, 8:28 PM

Developers of the Linux OS, Apache Web server, and about 250 other different open source projects have removed more than 8,500 individual bugs from their code over the past two years, according to a study released this week.

Linux developers, according to the Scan Report on Open Source Software 2008, accomplished this feat using a scanning Web site developed by Coverity, Inc. with support from the US Dept. of Homeland Security. In this expansive study, researchers reported a 16% reduction in static analysis defect density since 2006, among many other findings.

This level of reduction might not sound like that much, acknowledged David Maxwell, Coverity's open source strategist, in an interview with BetaNews.

"But you have to consider that we're dealing with more than 55 million lines of code on a recurring basis. [Sixteen percent] of 55 million lines of code amounts to a lot of code," Maxwell told BetaNews.

In other results from the report, the average rate of false positives identified on the Scan site turned out to be less than 14%.

"This is really important. Developers prefer to work on bug fixes when the numbers are 'real.' That way, it's easier to fix things. Otherwise, it can be too frustrating for them," Maxwell said.

As previously reported, the Coverity Scan site was originally developed as part of the US federal government's Open Source Hardening Project. Source code analysis from the Scan site is available free of charge to all qualified open source projects at http://www.coverity.com.

Other open source projects using the Scan site include BSD, the Firefox Web browser, and Samba, an open source implementation of SMB -- a protocol used by Microsoft Windows for file and print services.

The exhaustive report released this week is based on 14,238 project runs over the past two years, for a grand total of almost 10 billion lines of code. Most of the code analyzed was written in C, with some in C++ or Java. "But we didn't split things out by programming language," Maxwell told BetaNews.

In one particularly intriguing finding, data from the report contradicts common wisdom by indicating that projects with large average function lengths are no more prone to higher defect densities than projects with shorter functions.

Also from the study, "NULL pointer dereference" turned out to be the most frequently occurring defect across the scan database, whereas "Use before test of negative values" was the least frequent, according to Maxwell.
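The two checker categories Maxwell names are easy to recognise once seen side by side. The following C snippet is an added, constructed illustration (not code from the article or from the Coverity report) showing each defect in the form a static analyzer flags, next to a corrected version; the helper functions and the "key=value" and log-level inputs are invented for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not from the article or the Scan report: the two
 * defect classes named above, each as the flagged pattern and a fixed form. */

/* --- 1. NULL pointer dereference ---
 * Return the length of the value in a "key=value" line. strchr() returns
 * NULL when there is no '=', and the unchecked version feeds that to strlen(). */
size_t value_len_unchecked(const char *line) {
    return strlen(strchr(line, '=') + 1);   /* crashes on a line without '=' */
}

long value_len_checked(const char *line) {
    const char *eq = strchr(line, '=');
    if (eq == NULL)                         /* test the NULL-returning call first */
        return -1;
    return (long)strlen(eq + 1);
}

/* --- 2. Use before test of negative values ---
 * level_index() signals "not found" with -1. The unchecked caller indexes
 * the table with that value before it tests for the error. */
static const char *const LEVELS[] = { "debug", "info", "warn", "error" };
#define NLEVELS (sizeof LEVELS / sizeof LEVELS[0])

int level_index(const char *name) {
    for (size_t i = 0; i < NLEVELS; i++)
        if (strcmp(LEVELS[i], name) == 0)
            return (int)i;
    return -1;
}

const char *level_label_unchecked(const char *name) {
    int idx = level_index(name);
    const char *label = LEVELS[idx];        /* out-of-bounds read when idx == -1 */
    if (idx < 0)                            /* the test arrives too late */
        return "unknown";
    return label;
}

const char *level_label_checked(const char *name) {
    int idx = level_index(name);
    if (idx < 0)                            /* test the negative result before use */
        return "unknown";
    return LEVELS[idx];
}
```

Both unchecked versions behave correctly on well-formed input, which is why such defects survive ordinary testing and show up only when an analyzer follows the NULL or negative return value along every path.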


By Alpha258

posted May 22, 2008 - 8:51 AM

shellcodes_coder you obviously know nothing about OpenSource.

>>That's why I have seen so many hackers who can break into Linux in so many different ways

Really?? And where did you see these hackers breaking into Linux? Because if it's in your dreams, it doesn't count.

Score: 0

By melkor

posted May 21, 2008 - 8:33 PM

Instead of saying "Use before test of negative values" why didn't they just say "Buffer Underflow"?

Score: 0

By johnjosef

edited May 21, 2008 - 1:07 PM

The title of this post struck me awry because I am an open source developer. After reading the article I see more statistics that deny the intensity of the title. The whole purpose of open source is to create a community (which is very new, by the way) of developers who can, with proper funding, create a better solution than the closed-source proprietary solutions out there.

The fact of the matter is, when observing trends of use and security, and the number of SERIOUS bugs or glitches, open source is taking the lead and has been in the lead for a little over 2 years. Why would companies like Dell start offering to sell a computer with Linux pre-installed if it didn't meet their "standards of quality"? Why would most educated people (and especially developers) choose to use a web browser other than IE? Because they work, because they have more people working on them, and because using open source projects is a way to move away from the idea that your code belongs to the company or person that originally wrote it. Sharing leads to progress, and considering how fast technology develops in this day and age, progress is what we need.

Score: 0

By shellcodes_coder

posted May 21, 2008 - 12:11 PM

Open source means open security holes. That's why I have seen so many hackers who can break into Linux in so many different ways

Score: 0

By fewt

posted May 21, 2008 - 7:39 PM

No you haven't.

Score: 0

By Administraighter

posted May 21, 2008 - 11:24 AM

That only leaves 280 million more to go (over half in the mozilla product line).

Score: 0

By preinterpost

posted May 21, 2008 - 8:37 AM

Uh? 8500 bugs in almost 15000 projects over 2 years plus a few excuses?

I would not have a single client (at least not a well paying one) with such a pathetic standard of quality. Well the stuff is free but this is not something I'd try to spin with a positive note...

Score: 0

By fewt

posted May 21, 2008 - 7:41 PM

There is no such thing as bug free code.

Unless you are in the "hello world" market.

Score: 0

By enalposi

posted May 21, 2008 - 8:20 PM

Apparently you are. Wanna buy some? I got some Black Afghan or Red Moroccan...

Score: 0

By fewt

edited May 21, 2008 - 9:03 PM

Hmm, is your Black Afghan the "goto 10" variant?

Score: 0

By Alpha258

posted May 21, 2008 - 8:09 AM

If IIS is sooo good then why does hardly anyone use it?

Score: 0

By xyzcb1

posted May 21, 2008 - 11:15 AM

Hardly? Just because you, Joe and Susie don't use it, it doesn't mean hardly anyone uses it. Provide us with facts. Show us a breakdown of Fortune 1000 companies.

Score: 0

By cowgaR

posted May 21, 2008 - 4:08 AM

patch patch patch patch ...gimme a patch for that second patch you've uploaded - which solved the problem with our first patch we've put in...

patch patch patch patch, who's the hero? who's put in the most patches for a year? we got 125738 patches uploaded this week, we're great! but we need a third patch, that second patch revived the regression we had 3 months ago...we thought those 102 patches fixed it, we now need another...hope it won't break anything. but man it's cool, I am 11 years old and I am in the Linux credits for submitting 8 patches!

ah, you gotta LOVE open-source development (particularly Linux), don't you?

that's why the APACHE server got its name for being EXTREMELY buggy (a-patchy-server)...

no real educated architect to look at the whole subject (yeah there are some, Miguel I. etc but they're stealing from MS, not working on their own;), development is too much "spread out" doing their micro-micro-micro work without a real plan which is MACRO and is led by the right and EDUCATED (read - no kids, no ppl who learned the C language in 24 days) ppl, that's why Linux has 25% market share, doesn't it? hmm...

but we're cool, we're the best...we're the only free ppl on earth, guess why you know us. well...because YOU ARE FREE! But sometimes, it's better to pay for something, you get what you paid for in the end ;)

well I'm a developer utilizing mostly the MS .NET platform (yeah and a troll by most of you MS haters) but anytime I look at most open-source programs I laugh... IIS vs APACHE? gimme a break...IIS (not Windows) hasn't had a security bug for ages (2 years+) and version 7 is simply stunning with its modular architecture (as is Win2008).

I mean I like some open-source programs (we use postgre as a backend on Free BSD) and ppl who simply have a clue! but Linux and some others, totally open, totally free (look at the Mozilla joke, their roadmap is just a fun) programs are in an anarchy environment where they obviously need a dictatorship for a while...but for example Linus Torvalds is stupid enough (his "insightful" comments always make me laugh) to lead, so guess why he's not a dictator ;)

Well I am a troll...and I hate Linus. I simply hate stupid ppl who don't have a clue. Grow up. Earn money. Don't lose your life with open-source just because you will be in the credits with 3244232 other ppl...nobody will give a s***. Really...

or does it? Linux will have 30% of the market in the year 2003! a study once said... wow this has been a post, going to read the article ;P

Score: 0

By fewt

posted May 21, 2008 - 7:46 PM

So, you hate stupid people without a clue and yet your post is probably in the top 100 most clueless posts ever in the BetaNews comments.

I'm so glad you are a developer, yay .. woohoo .. good for you!

Do you feel better about yourself now?

It's so pathetically inaccurate that it's not even worth going line by line to deflate it.

I will leave you with this little tidbit though so you don't convince even one person that you are teh smart.

"Hundreds of thousands of Web sites - including several at the United Nations and in the U.K. government -- have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines." -
http://blog.washingtonpo...cro_1.html?nav=rss_blog

Score: 0

By zridling

posted May 21, 2008 - 1:29 AM

This defines the great advantage of 'open' source software: its transparency. When you're free to examine the code, you're free to fix it, alter it, improve it, and best of all, share it. Otherwise, you get software like Vista, Outlook, Adobe Reader, Apple Safari, Norton Antivirus, RealPlayer, and the worst of the worst: MS Office 2007 with its defunct MS-OOXML.

Score: 0

By PC_Tool

posted May 21, 2008 - 8:47 AM

Does that explain how the OpenSSH issue sat around for 2 years without being noticed, much less resolved?

Yeah...

>>MS Office 2007 with its defunct MS-OOXML.

You poor deluded shut-in....

Score: 0

By fewt

posted May 21, 2008 - 7:49 PM

That was bad, really bad.

So bad that the guy that removed that code should never EVER touch a computer again PERIOD.

He gets the award for biggest dumb a$$ move EVER.

Debian lost serious credibility with that one. Fortunately there was a fix, and a blacklist package out for Ubuntu within hours of the find.

That doesn't make it better, but it helps minimize the pain.

Score: 0