Analysis Finds MySQL Code Low on Bugs

By Lisa Vaas  |  Posted 2005-02-04 Print this article Print

Just in time to counter security taints from last week's MySpooler worm, which spread via weak MySQL passwords on Windows installations, MySQL gets a clean bill of health from code-analysis firm Coverity.

Just in time to counter security taints from last weeks MySpooler worm, which spread via weak MySQL passwords on Windows installations, MySQL on Friday got a clean bill of health from code analysis firm Coverity Inc. The five Stanford University researchers at Coverity, who analyzed the security of the Linux kernel over a period of four years, this month are planning to release an analysis of the security and quality of MySQL code that found the database to have an "excellent" bug density. Coverity did the analysis at the request of MySQL AB, the company that markets and develops the code for the open-source database under a dual-licensing structure.
Coverity researchers analyzed MySQL Version 4.1.8 in January. The types of defects discovered were crash-causing defects, performance degradation and security vulnerabilities.
Out of 425,000 lines of code analyzed, Coverity identified 97 bugs, which included Deadcode, or unused code due to logic flaws, which can lead to improper system function; forward null, which can cause system crash; negative returns, static overrun and overrun dynamic, all of which can cause data corruption, possible crash or possible malicious attack; resource leak; reverse null; uninitialized variable; and unused value. The company has used the same code-checking technology on source code from customers including Oracle Corp. and Veritas Software Corp., among others. In the wake of the MySpooler worm, users criticized MySQL for not hardening the database. Read more here. For comparisons sake, Coverity found more than 1,000 defects in the Linux kernel Version 2.4.1 in 2001, at a time when the source code contained 1.6 million lines of code. Coverity CEO Seth Hallem said the relative cleanliness of MySQL code is likely attributable to a few things: First, it is shepherded by MySQL AB, the Uppsala, Sweden-based company that markets and develops the database under a dual-licensing structure. "Theyre putting their necks on the line," he said. "Theyre certainly more interested than a project with less industry penetration or less of a profit motive." Next Page: MySQL gets high marks for alacrity in security response time.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel