A Better Grip on Open Source Projects?

Over time, software applications grow, sometimes becoming so complex that one hand of the enterprise doesn’t have a grip or know what the other hand is doing to track how the application is laid out.

In the collaborative environment that under-girds open source software development, getting a grip on the project’s architecture — or tracking who has the grip — can be contentious, to put it mildly. Enter code scanning vendor Coverity, which is introducing service that maps open source code architecture.

Today, the company announced that it published the software architecture maps of 2,500 open source projects in a bid to help developers optimize their code. Coverity also released the architecture mapping tool that it uses to build those maps.

The new mapping effort comes at an opportune time for Coverity, which just completed a contract with the Department of Homeland Security to improve open source code security. With the publication of the open source software architectures, Coverity is aiming to further improve open source code development.

“Our hope is that when people look at software in this way it will cause them to think a little more about architecture,” David Maxwell, open source strategist for Coverity, told InternetNews.com. “The tool does have the ability to bring to a developer’s attention things that otherwise might be hidden under thousands of lines of code.”

Among the projects that Coverity has mapped are popular open source programming languages such as Perl, PHP, Python and TCL. (The Coverity Scan architecture provides the software maps under a Creative Commons license.)

The Coverity Architecture Analyzer product, which builds the software maps, is available under a free, renewable license to open source developers. (The Coverity Architecture Analyzer itself is not open source, Maxwell noted.)

The software architectures could provide a roadmap that gives developers a sense of what to expect from a project. Or if an architecture has organized code that is particularly effective, others could learn from that and improve.

“As well if someone is going to write a plug-in or add-on to an existing project they can look at how the plugin interfaces with the main application to get a better understanding of how to optimize, Maxwell explained.

The software architecture could also help developers of the mapped project to identify code references that are not optimized. Such references could be relatively benign cyclical references that cause stability issues, but could also lead to potential security as well.

According to Coverity, with a visual representation of architecture, developers could identify pathways that circumvent access control checkpoints, encryption/decryption APIs as well potentially eliminate unintended back doors.

“When we look at defect identification, the reason why defects creep in the first place is often because of misplaced code,” Maxwell said. “We think that having a well defined architecture provides information that could prevent defect creep.”

Coverity is no stranger to looking at open source code. In 2006, Coverity was the recipient of a Department of Homeland Security (DHS) grant to improve open source code security. Over the last three years, Coverity has scanned hundreds of open source projects and has helped to eliminate over 8,500 defects.

Though the original mandate from DHS has already been completed, Coverity is still running the open source code analysis effort. The code scanning effort in some way serves to highlight the value of Coverity’s code analysis software which it also sells to commercial vendors. The new architecture analyzer similarly will have a commercial license that Coverity will aim to sell as well.

Maxwell noted that it is still Coverity’s intention to keep on scanning open source, even without government support.

“It is true that the DHS contract has come to an end and we’re contemplating whether there are other funding sources or partnerships out there to help us to serve as many projects as we can,” Maxwell said. But Coverity is continuing with the effort in the absence of a government grant.”

The 2,500 open source software application architecture maps can be found today at: http://scan.coverity.com/arch/

News Around the Web