The 2017 Coverity Scan report examines OSS project risk, initiatives from the Linux Foundation, and the future of open source software.
Coverity Scan’s impact on open source software (OSS) is both extensive and largely unacknowledged. Since its inception, Scan has enabled developers to fix over 600,000 defects across some of the most important projects in open source. As part of that effort, it has also helped improve the maturity of the software development practices of active OSS contributors by supporting the continuous integration of analysis results and the accurate identification of discovered issues.
The effectiveness of Scan’s static analysis is reflected in its false-positive rate of under 10% across the more than 700 million lines of code currently managed by Scan. Given the modest number of developers relative to the size of the individual source codebases, Scan is proof that only a few developers are required to make a significant improvement to the entire OSS ecosystem. The accuracy of our results translates directly into actionable developer guidance.
Approaching project maturity from the perspective of static analysis leads us to measure improvements to OSS projects using the metric of defect density. While this provides some useful information regarding improvements in the quality of code, it is far from complete. From a broader perspective of maturity, we need to consider additional metrics.
The 2017 Coverity Scan Report discusses various aspects of the community and projects related to Scan. It highlights both the contribution Scan has made to the maturity of the development practices of OSS projects and the impact it has had on the quality of the OSS ecosystem. It additionally examines historical perspectives regarding the use of defect density as the sole measure of quality.
Within this report, we’ll expand on the perspective required to measure OSS project risk and examine initiatives from the Linux Foundation that may potentially be incorporated into Scan to provide a holistic view of a project.
It is becoming crucial to be able to assess risks associated with the consumption of OSS. The potential to provide a holistic view of software risk and maturity by combining information from multiple dimensions will be essential as OSS becomes ever more pervasive in technology.
The Coverity Scan Report includes analysis of approximately 760 million lines of open source code across several languages, including C/C++, C#, Java, JavaScript, Ruby, PHP, and Python. From these findings, we deduced that: