Comments about Coverity Scan Rung 2, and Software Quality and Security

FOSSBazaar is no longer being updated. The information on this site is preserved for your convenience but may be out of date. Please visit Linux Foundation's Open Compliance Program for current information and activities.


Under the Security & Vulnerabilities section of Fossbazaar, you can find a copy of Coverity's press release about Rung 2 on the Scan Ladder, but you might prefer an introduction to how software quality and security affect open source governance.

Software is not an abstract concept; it's a concrete one. However, the concept of software quality is a very subjective matter.

Falling back on analogy, cars are very concrete objects, but which car is 'better' depends on the task it is going to be used for, and to a great degree on personal preference as well. A Jeep and a Miata are both vehicles, but knowing whether the challenge you'll face is in cornering or in rough terrain will determine success or failure.

Software is usually written with a particular environment in mind. If the software doesn't receive changes to add 'new features', does receive changes to 'fix bugs', and the environment remains the same, then it generally gets better over time. Put another way, the software gradually becomes better adapted to its environment.

There's a consequence for that in a business context. If you take software that was written for one purpose, and bring it in-house as a component in a new piece of software, you may have changed the environment to something the software is not well adapted to. That applies whether the software in question is open source, or licensed.

The tool called Prevent, which Coverity is supplying to open source developers under its contract with DHS, identifies certain types of software defects automatically. Rather than testing code in the environment where it runs, Prevent looks at the raw source code itself.

By inspecting the source code, defects are identified independent of the environment where the code runs. This has advantages and limitations that are material for several articles by themselves. In this case, I'll just point out that by not making assumptions about the environment, Prevent finds defects that could affect the software's reliability and security in many environments.
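To make the environment argument concrete, here is a small constructed C example (not code from the article, from Coverity, or from any Scan project). The first function is correct only as long as every caller honours an unstated assumption about input length; the second enforces the bound in the code itself, so it is correct wherever it is reused. An unbounded copy into a fixed buffer is the kind of pattern a source-level checker can report without knowing anything about the runtime environment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LABEL_MAX 16   /* constructed buffer size for the example */

/* Environment-dependent: "worked" for years because the original
 * deployment only ever produced short labels. The defect is latent,
 * not absent; moving the code into a new program exposes it. */
static void format_label_unsafe(char out[LABEL_MAX], const char *label)
{
    strcpy(out, label);   /* no length check: overflows on a long label */
}

/* Environment-independent: the bound is checked here, so the function
 * behaves correctly no matter who calls it. Returns 0 on success and
 * -1 if the input was rejected or had to be truncated. */
int format_label_safe(char *out, size_t out_len, const char *label)
{
    if (out == NULL || label == NULL || out_len == 0)
        return -1;
    size_t n = strlen(label);
    if (n >= out_len) {
        /* keep as much as fits, always terminate, and tell the caller */
        memcpy(out, label, out_len - 1);
        out[out_len - 1] = '\0';
        return -1;
    }
    memcpy(out, label, n + 1);
    return 0;
}

int main(void)
{
    char buf[LABEL_MAX];

    /* Short input: both versions behave the same. */
    format_label_unsafe(buf, "eth0");
    printf("unsafe, short input: %s\n", buf);

    /* Long input: only the safe version can be called without
     * corrupting memory; it truncates and reports the problem. */
    int rc = format_label_safe(buf, sizeof buf, "a-very-long-interface-name");
    printf("safe, long input: rc=%d label=%s\n", rc, buf);
    return 0;
}
```

The point is not the particular bug but that the unsafe version's correctness depends on an assumption that lives outside the source file, which is exactly what source-level analysis does not rely on.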

The open source projects on the Coverity Scan Ladder are making great progress in fixing the defects identified for them. The developers who work on the projects are the ones who decide whether an issue should be addressed, and who write the fixes, so they deserve the credit for making their software better.

The announcement I referenced refers to the first eleven projects which have fixed all of the defects identified for them, and have now received additional analysis results from a newer version of Prevent.

Software quality and security aren't a black-and-white issue; they sit on a scale that goes from 'no effort made' to 'as good as we know how to make it'. These projects are working at the end of that scale that results in better code for everyone who uses them.