The Department of Homeland Security (DHS) is all about securing American
interests. Since January 2006,
helping to secure open source software has been one such interest.
Over 18 months and halfway through its three-year sponsored contract from DHS,
code scanning vendor Coverity is expanding the effort, with more projects
being scanned and more features in the code-scanning product itself.
David Maxwell, the open source strategist for Coverity, told internetnews.com that the effort will add open source Java projects over the next several months. The specific Java projects haven’t been selected, but this is the first time that open source Java projects will be analyzed under the DHS contract.
The Coverity/DHS scanning of Java projects for code defects will not be the
first free effort to find bugs in Java code, though. FindBugs is doing the
same thing in tandem with source code analysis firm Fortify as part of an
effort launched last December called the
Java Open Review Project (JOR).
“They’re definitely complementary [Findbugs] and additional analysis is
always useful,” Maxwell told internetnews.com. “Though we’ve taken
results from FindBugs before and we’ve found issues that they did not.”
Coverity is also overhauling both the interface and functionality that open
source projects get to use. The new interface is intended to help facilitate
better control over code defect investigation as well as additional
reporting features.
The defect scanning engine is being updated to a newer version of Coverity’s
commercial Prevent technology. Maxwell explained that when the
DHS effort was first set up it used the most up-to-date version
then available.
“But in the meantime, the commercial version has had a lot of developments and
the DHS version hasn’t until now,” Maxwell admitted.
The new version adds a barrage of new code checkers as well as
improvements to existing checkers. Coverity expects to move scanned projects
over to the new engine in a staged manner in the coming weeks.
Maxwell noted that the types of defects that the scanning uncovers vary
across projects.
“Every project has its own programming style and certain projects tend to
reproduce certain types of bugs more often,” Maxwell said.
The effort has ramped up considerably over the past 18 months. In March 2006, Coverity was scanning only 35 projects. By December, the number had
grown to 50.
The DHS scanning effort now yields results on 250 open source projects
scanned by Coverity. The scans have helped open source projects fix more
than 6,300 defects.