Open-Source: A Bug Hunt

Developers in the open-source community are rapidly fixing bugs in popular software packages, flaws that were identified thanks to an initiative sponsored by the U.S. government. Stanford University and Coverity, a company that produces source code analysis tools, have built a system that scans the code of popular open-source projects every day. The resulting database of defects is made available to the projects' developers so they can easily access the details they need and correct the weaknesses in their software.

This "bug hunt" in open-source software is part of the three-year "Open Source Hardening Project", dedicated specifically to making this kind of software as secure as possible. In January last year, the U.S. Department of Homeland Security allocated $1.24 million to Stanford University, Coverity and Symantec to hunt for vulnerabilities in a range of open-source projects.

More than 900 flaws were fixed within two weeks of Coverity releasing the results of its first automated scan of 32 open-source projects. As a result, some of these code bases now appear to be completely "bug free", as reported by Coverity in a statement. Ben Chelf, chief technology officer at Coverity, said: "My impression is that the open-source community is fixing errors in the software very quickly." In its initial analysis, conducted on March 6 last year, the Coverity scan covered more than 17.5 million lines of code across the 32 projects. On average it found 0.434 defects per 1,000 lines of code. More than 200 developers registered on the Coverity site to access the online bug database during the week following the publication of the first results. The developers of the Samba, Amanda and XMMS projects started working immediately and were able to eliminate all the flaws that the first analysis had revealed in their software.

Samba, a popular open-source project used to connect Linux and Microsoft Windows networks, showed the fastest developer response: the number of defects was reduced from 216 to 18 within one week and then brought to zero within two weeks. Amanda, a backup tool, had obtained the worst result in Coverity's analysis, namely the highest number of defects per 1,000 lines of code, with a density of 1.237. Amanda's developers nevertheless corrected its 108 defects within a couple of weeks. XMMS, an audio player, boasted the lowest defect density, 0.051 defects per 1,000 lines of code, and according to Coverity its six defects have now all been corrected.

Among the other projects monitored were Firefox (down from 108 to 7 defects), PHP (from 204 to 42), Linux (from 1,062 to 745) and the Apache web server (from 32 to 24).