RealTime IT News

Coverity Expands DHS Scans With Java

The Department of Homeland Security (DHS) is all about securing American interests. Since January 2006, helping to secure open source software has been one such interest.

Over 18 months and halfway through its three-year sponsored contract from DHS, code scanning vendor Coverity is expanding the effort, with more projects being scanned and more features in the code-scanning product itself.

David Maxwell, the open source strategist for Coverity, told internetnews.com that the effort will add open source Java projects over the next several months. The specific Java projects haven't been selected, but this is the first time that open source Java projects will be analyzed under the DHS contract.

The Coverity/DHS scanning of Java projects for code defects will not be the first free effort to find bugs in Java code, though. FindBugs is doing the same thing in tandem with source code analysis firm Fortify as part of an effort launched last December called the Java Open Review Project (JOR).

"They're definitely complementary [FindBugs] and additional analysis is always useful," Maxwell told internetnews.com. "Though we've taken results from FindBugs before and we've found issues that they did not."

Coverity is also overhauling both the interface and functionality that open source projects get to use. The new interface is intended to help facilitate better control over code defect investigation as well as additional reporting features.

The defect scanning engine is being updated to a newer version of Coverity's commercial Prevent technology. Maxwell explained that when the DHS effort was first set up it used the most up-to-date version then available.

"But in the meantime, the commercial version has had a lot of developments and the DHS version hasn't until now," Maxwell admitted.

The new version adds a barrage of new code checkers as well as improvements to existing checkers. Coverity expects to move scanned projects over to the new engine in a staged manner in the coming weeks.

Maxwell noted that the types of defects that the scanning uncovers vary across projects.

"Every project has its own programming style and certain projects tend to reproduce certain types of bugs more often," Maxwell said.

The effort has ramped up considerably over the past 18 months. In March 2006, Coverity was scanning only 35 projects. By December, the number had grown to 50.

The DHS scanning effort now covers 250 open source projects scanned by Coverity. The scans have helped open source projects fix more than 6,300 defects.