By Joris Evers
Posted on ZDNet News: Apr 4, 2006 8:09:00 PM

Developers have quickly fixed many bugs in popular open-source packages that were flagged as part of a U.S. government-sponsored bug hunt.

More than 900 flaws were repaired in the two weeks after Coverity, which makes tools to analyze source code, announced the results of its first scan of 32 open-source projects. As a result, some of the software is now entirely bug free, Coverity said in a statement on Monday.

"My impression is that the open-source community is producing software defect patches at an extremely fast rate," Ben Chelf, the chief technology officer at Coverity, said in the statement.

Squashing bugs

Developers swiftly fixed flaws in their code after the bugs were identified in a U.S. government-sponsored effort to secure open-source software.

Open-source project | Defect count, March 6 | Defect count, March 20
Amanda              | 108 | 0
XMMS                |   6 | 0
Samba               | 216 | 0
Ethereal            | 143 | 19
Icecast             |  12 | 2
SQLite              |  31 | 6
Gcc                 | 140 | 97
Gaim                | 113 | 51
Net-SNMP            | 148 | 61

Source: Coverity

The open-source bug hunt is part of a three-year "Open Source Hardening Project," dedicated to helping make such software as secure as possible. In January, the U.S. Department of Homeland Security awarded $1.24 million to Stanford University, Coverity and Symantec to find vulnerabilities in open-source projects.

In its initial analysis on March 6, Coverity scanned more than 17.5 million lines of code from 32 open-source projects. On average, 0.434 bugs per 1,000 lines of code were found, the company said at the time.

More than 200 developers registered for access to the online defect database in the week after the first results were published. Since then, programmers for the Samba, Amanda and XMMS projects eliminated all the defects that the initial analysis detected, Coverity said Monday.

Samba, a popular open-source project used to connect Linux and Microsoft Windows networks, showed the fastest developer response, Coverity said. The number of flaws was reduced from 216 to 18 in one week and to zero in two weeks.

Amanda, a backup tool, was the worst performer in Coverity's first analysis. It had the highest number of bugs per 1,000 lines of code, with a bug density of 1.237. The Amanda developers fixed 108 defects in a couple of weeks, according to Coverity.

XMMS, an audio player, had the lowest bug density, with 0.051 defects per 1,000 lines of code. A total of six holes have now been fixed, Coverity said.

As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, so they can get the details they need to fix the flaws, Coverity said.

Talkback (most recent of 125)

OS builder
Hear, hear !!!!! When they find bugs they should have techs fix it, not users...and as for security they should "recall" like the auto industry. By now Microsoft would be more like Rolls Royce or maybe a Honda instead of like a "Ford" or "Chevy".... (Read the rest)
Posted by: Dumber_z on 05/16/06