Coverity Venture with U.S. DHS Announces Rung 2 of Open Source Analysis

FOSSBazaar is no longer being updated. The information on this site is preserved for your convenience but may be out of date. Please visit Linux Foundation's Open Compliance Program for current information and activities.

Coverity's picture
Coverity announced that as a result of its contract with US Department of Homeland Security (DHS), potential security and quality defects in 11 popular open source software projects were identified and fixed.

The 11 projects are Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

All of these projects eliminated multiple classes of potential security vulnerabilities and quality defects from their code at the Coverity Scan site ( Because of their efforts to proactively ensure application integrity and security, organizations and consumers can now select these open source applications with even greater confidence.

"Addressing security concerns will require a concerted effort on the part of the entire open source ecosystem to assuage enterprise concerns about security of open source software," according to analyst Michael Goulde in his 2007 Forrester report 'Enterprises View Open Source As A Key Tactic For Strategic Software Initiatives'.

Based on these results, Coverity will advance these 11 projects to 'rung 2' of its open source security ladder, where they will benefit from access to new, advanced product capabilities, including the base technology which will enable access to the company's patent-pending application of Boolean satisfiability in static analysis.

Coverity's technology creates a bit-accurate representation of a software system, where every relevant software operation is translated into Boolean values (true and false) and Boolean operators (such as and, not, or). This bit accurate representation enables SAT-based Solvers to analyze source code for the first time in commercial computer programming.

The Coverity Scan site was developed with support from the U.S. Department of Homeland Security as part of the federal government's 'Open Source Hardening Project.' In addition to the 11 projects, additional open-source projects are poised for advancing to rung 2 over the next months. For more information on advancement criteria for Coverity's Scan ladder, visit:

Projects at rung 2 of the Scan ladder have access to a significant upgrade of Coverity Prevent. The first projects to use these new capabilities report a significant increase in the number of identified defects, with some finding as many as 100 new hard-to-find defects than identified in rung 1 of the Scan ladder.

"We applaud the developers responsible for the 11 open source projects that have advanced to the second rung of code security and quality at the Coverity Scan site," said David Maxwell, open source strategist for Coverity. "By progressively enabling new features and functionality in Coverity Prevent as security and quality defects are eliminated, we provide easy-to-manage sets of defects for participants while creating an incentive for them to continue to improve their code."

Open source projects analyzed at the site include some of the worlds most widely used applications, including the Apache web server, the Linux operating system, the Firefox browser and the Samba file and printer sharing system.

The Coverity Scan site currently analyzes 50 million lines of software in more than 250 projects and has helped fix over 7,500 software defects since the site's launch in March of 2006. Hundreds of open source developers have integrated the use of Coverity's technology into their open source development process to improve software quality and security. New features available to rung 2 projects at the site include:

  • Major enhancement to the core analysis engine to find more defects with a low false positive rate
  • Infrastructure installed for use of Coverity‚Äôs breakthrough Boolean satisfiability (SAT) engine
  • Trend analysis features with graphs and customized queries to show historical states and defect density by component or person
  • Ability to organize a code base into components by grouping directories to easily identify troublesome sections in the codebase

The Coverity Scan site is freely available to qualified open source projects at: