Coverity Secures 11 Open-Source Projects

Coverity upgrades its Scan site, which is used by developers to find and fix security bugs in their code. 

Coverity is updating the Web site it runs that enables developers to run their code against the company's automated software quality tools to identify and fix security vulnerabilities.

The Scan Web site already has helped resolve such vulnerabilities in 11 open-source projects, according to company officials.

David Maxwell, an open-source strategist at Coverity, on Jan. 8 identified those projects as Amanda, NTP (Network Time Protocol), OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba and TCL, Maxwell said.

Coverity launched the Scan site in March 2006. In collaboration with Stanford University, Coverity established Scan as a baseline for software quality and security in open source. Coverity's program began as an initiative contracted by the Department of Homeland Security to use the company's innovations in automated defect detection to uncover bugs found in software. The government-sponsored project was known as the Open Source Hardening Project.

"We have a commercial code analysis product that we sell," Maxwell said. The product, known as Prevent, is the foundation of the Scan project, he said.

However, Scan has been using an older version of Coverity's base technology since the project launched in 2006. The company is updating Scan with more recent Coverity releases. The latest commercial release of Prevent is Version 3.8; the new, upgraded Scan is based on Prevent Version 3.6. This is the first upgrade of the version of Prevent used for Scan. The previous version was Prevent 2.4, Maxwell said.

"We have an agile development process [at Coverity], so we have a new build about every six weeks," he said in an interview with eWEEK.

Maxwell said that based on the latest results, Coverity will advance the 11 projects to "Rung 2" of its open-source security ladder, where they will benefit from access to new, advanced product capabilities, including access to the company's patent-pending application of Boolean "satisfiability" in static analysis.

"The version of Prevent in use for Rung 2 provides the projects with a new user interface, with significant usability improvements, and tracking and management functions," Maxwell said in a blog post Jan. 8. "The analysis engine has been updated with 18 months worth of developer effort, and builds a more accurate Software DNA Map than ever before. As a result, it can identify additional defects, not previously found."

Other open-source projects that have been analyzed at the Scan site include the Apache Web server, the Linux operating system and the Firefox browser. Maxwell said the Coverity Scan site currently analyzes 50 million lines of software in more than 250 projects and has helped fix 7,000 software defects since the site's launch.

"Many of the open-source developers had not had access to something like our software before," Maxwell said. "They've probably had dynamic analysis tools and unit testing ... but probably not static analysis tools" for their open-source projects, he said.