funsec mailing list archives

Developers fast to fix open-source bugs


From: "Gary Funck" <gary () intrepid com>
Date: Tue, 4 Apr 2006 13:47:00 -0700


[Follow-up to Coverity story]

http://news.com.com/2100-1002_3-6057669.html?part=rss&tag=6057669&subj=news

Developers fast to fix open-source bugs

By Joris Evers
Story last modified Tue Apr 04 13:27:55 PDT 2006

Developers have quickly fixed many bugs in popular open-source packages that
were flagged as part of a U.S. government-sponsored bug hunt.
More than 900 flaws were repaired in the two weeks after Coverity, which
makes tools to analyze source code, announced the results of its first scan
of 32 open-source projects. As a result, some of the software is now entirely
bug free, Coverity said in a statement on Monday.

"My impression is that the open-source community is producing software
defect patches at an extremely fast rate," Ben Chelf, the chief technology
officer at Coverity, said in the statement.

Squashing bugs
Developers swiftly fixed flaws in their code after the bugs were identified
in a U.S. government-sponsored effort to secure open-source software.

Open-source project   March 6   March 20
Amanda                    108          0
XMMS                        6          0
Samba                     216          0
Ethereal                  143         19
Icecast                    12          2
SQLite                     31          6
Gcc                       140         97
Gaim                      113         51
Net-SNMP                  148         61

Source: Coverity

The open-source bug hunt is part of a three-year "Open Source Hardening
Project," dedicated to helping make such software as secure as possible. In
January, the U.S. Department of Homeland Security awarded $1.24 million to
Stanford University, Coverity and Symantec to find vulnerabilities in
open-source projects.

In its initial analysis on March 6, Coverity scanned more than 17.5 million
lines of code from 32 open-source projects. On average, 0.434 bugs per 1,000
lines of code were found, the company said at the time.

More than 200 developers registered for access to the online defect database
in the week after the first results were published. Since then, programmers
for the Samba, Amanda and XMMS projects eliminated all the defects that the
initial analysis detected, Coverity said Monday.

Amanda, a backup tool, was the worst performer in Coverity's first analysis.
It had the highest number of bugs per 1,000 lines of code, with a bug
density of 1.237. The Amanda developers fixed 108 defects in a couple of
weeks, according to Coverity.

XMMS, an audio player, had the lowest bug density, with 0.051 defects per
1,000 lines of code. A total of six holes have now been fixed, Coverity
said.

As part of the government-funded effort, Stanford and Coverity have built a
system that does daily scans of the code contributed to popular open-source
projects. The resulting database of bugs is accessible to developers, so
they can get the details they need to fix the flaws, Coverity said.



Copyright ©1995-2006 CNET Networks, Inc.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.