By Robert Lemos
Posted on ZDNet News: Feb 4, 2005 8:35:00 PM

A source-code analysis of the MySQL database, a popular open-source program at the heart of many Web sites, revealed few bugs compared with the number found in commercial code, testing company Coverity said Friday.

The analysis, done using the company's homegrown tools, found 97 flaws, at least one of which was a serious security problem, Coverity said in a report. However, that number is small compared with most commercial software code, said Seth Hallem, Coverity's CEO.

"In terms of industry averages, MySQL is excellent," Hallem said. "There is not a lot of easy gotchas in there."

Source-code analysis tools such as Coverity's are quickly becoming must-haves for software developers. Microsoft uses its own internal tools to vet its software, find bugs and reduce security vulnerabilities. Other companies, such as Ounce Labs and Reflective, have sold their wares to major companies. Coverity counts technology giants Cisco Systems and Oracle among its customers.

MySQL, the Swedish company that develops and maintains the MySQL database, contacted Coverity and asked for the audit, said Zack Urlocker, vice president of marketing for MySQL.

"We have fixed all the bugs that have been reported," Urlocker said. "And they will go out in our next release."

While the analysis software does not catch all bugs, the programs can effectively find certain classes of software problems. In many cases, such flaws are the low-hanging fruit that might otherwise be found by an external hacker or independent security researcher. Moreover, since many companies allow free use of these tools for noncommercial software, an open-source project will likely have to analyze its own code or risk attacks from malicious actors who run the tools first.

Eliminating bugs is not the only use of such tools. Many IT professionals look to analysis tools to generate a measure of the quality of two code bases for comparison. While open-source software has its own share of problems, the fact that MySQL has fewer than 100 bugs indicates that the open-source database has been well-coded, Hallem said.

"By eliminating these, we are eliminating the most obvious flaws in the code," Hallem said.

Commercial code typically has anywhere from one to seven bugs per 1,000 lines of code, according to an April report from the National Cybersecurity Partnership's Working Group on the Software Lifecycle, which cited an analysis of development methods by the Software Engineering Institute at Carnegie Mellon University.

Coverity's analysis of MySQL found an average of one bug in every 4,000 lines of code--results that are at least four times better than is typical with commercial software.

The findings parallel earlier work by Coverity in auditing the Linux kernel; that work found that a recent version of the kernel had 985 flaws in 5.7 million lines of code, less than a single flaw in every 10,000 lines of code.

"It is similar to other studies that have been done in the past that have shown that open-source code is clean and well-structured," said MySQL's Urlocker. He added that the open-source development process compels programmers to write cleaner code because the code will be seen and evaluated by others.

"It's like if you get ready to go to your high school reunion, you probably work out a bit before you go," he said.

By analyzing Linux and MySQL, Coverity has done quality checks on two of the four common components of open-source-based Web servers. The other two components--the Apache Web server and the PHP Web-scripting language--will be analyzed in the near future, Hallem said.

Talkback (most recent of 33)

"Commercial Code"?
Maybe this was beat to death in postings to a similar article a couple of months ago, but just what is "commercial code" in the context of this article? If you're talking about XYZ Consulting that cod... (Read the rest)
Posted by: Rodney Davis, 02/07/05