
DHS-sponsored audit: number of OSS code defects dropping

Coverity, in collaboration with Stanford University and under contract from the Department of Homeland Security (DHS), has just released their Open Source Report 2008 (PDF). Their scan of major open source projects found that the defect density of open source code, measured as defects per thousand lines of code found by static analysis, has dropped measurably since 2006. More detail is available on ArsTechnica.

Now that we have data showing that open source projects are steadily driving down the defect density that static analysis can detect, how can we get libraries to participate more readily in collaborative open source projects (citation management, ILSs, CMSs, and so on)? I’m reminded of a thought experiment posted by Joe Lucia, University Librarian at Villanova University, in November 2007 on the NewGenCatalog list. In his post, Mr. Lucia called for a “shift of those investments from commercial software support (and staff technical support for commercial products) to a collaborative support environment for open source applications.” Come on folks, let’s make this shift happen!

In 2006, Coverity’s scan detected an average of 0.30 defects per 1,000 lines of code, or, put differently, one defect per 3,333 lines. The lower boundary, in this case, was 0.02 (one defect per 50,000 lines) and the upper boundary was 1.22 defects per thousand lines of code.

Two years later, the average defect density has fallen to 0.25, or one error per 4,000 lines of code. The upper boundary remains unchanged at 1.22, but the lower boundary has shrunk to 0, implying that repeated scanning has eliminated the errors from at least one program—at least all the errors that Coverity’s 2006 static analysis program was able to detect.

A reduction of roughly 17 percent in average defect density (from 0.30 to 0.25 defects per thousand lines) over two years is a notable gain, and Coverity singled out the following participating projects as having an exceptionally low defect density:

  • Postfix
  • Perl
  • PHP
  • Python
  • Samba
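The arithmetic behind the figures quoted above, as an added example that is not code from the Coverity report or from any of the projects it covers: defect density in defects per thousand lines (KLOC), its reciprocal “one defect per N lines” form, the percent change between two scans, and a per-project summary. The two lists of scan results are constructed for illustration and do not reproduce the report’s data; note that the reciprocal form is undefined for a project at the 0 lower boundary, which is exactly the case the 2008 numbers introduce.

```python
"""Defect-density arithmetic as used in the Coverity Scan figures.

Added example, not code from the report. The ScanResult rows below are
constructed sample data, not Coverity's actual per-project results.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ScanResult:
    project: str
    defects: int   # defects the static analyser reported (only what it can find)
    loc: int       # lines of code scanned


def density_per_kloc(defects: int, loc: int) -> float:
    """Defects per 1,000 lines of code, the unit the report uses."""
    if loc <= 0:
        raise ValueError("line count must be positive")
    return 1000.0 * defects / loc


def lines_per_defect(density: float) -> Optional[int]:
    """Reciprocal form ('one defect per N lines').

    Undefined when density is 0, which is the lower boundary the 2008 scan
    reached, so None is returned rather than dividing by zero.
    """
    if density == 0:
        return None
    return round(1000.0 / density)


def percent_reduction(before: float, after: float) -> float:
    """Relative drop from one scan's density to the next, in percent."""
    if before <= 0:
        raise ValueError("baseline density must be positive")
    return (before - after) / before * 100.0


def summarize(results: List[ScanResult]) -> Dict[str, float]:
    """Mean, lower and upper boundary of density across projects."""
    densities = [density_per_kloc(r.defects, r.loc) for r in results]
    return {"mean": mean(densities), "min": min(densities), "max": max(densities)}


# Constructed sample data (hypothetical projects, not report figures).
# 'beta' reaches zero reported defects in the second scan.
SCAN_2006 = [
    ScanResult("alpha", 30, 100_000),   # 0.30 per KLOC
    ScanResult("beta", 2, 100_000),     # 0.02 per KLOC
    ScanResult("gamma", 122, 100_000),  # 1.22 per KLOC
]
SCAN_2008 = [
    ScanResult("alpha", 25, 100_000),   # 0.25 per KLOC
    ScanResult("beta", 0, 100_000),     # 0.00 per KLOC: reciprocal undefined
    ScanResult("gamma", 122, 100_000),  # unchanged upper boundary
]


def compare_scans(before: List[ScanResult], after: List[ScanResult]) -> Dict[str, object]:
    """Report the change in mean density and the per-project reciprocal."""
    b, a = summarize(before), summarize(after)
    return {
        "mean_reduction_pct": percent_reduction(b["mean"], a["mean"]),
        "lines_per_defect": {
            r.project: lines_per_defect(density_per_kloc(r.defects, r.loc))
            for r in after
        },
    }


if __name__ == "__main__":
    print(summarize(SCAN_2006))
    print(summarize(SCAN_2008))
    print(compare_scans(SCAN_2006, SCAN_2008))
```

The densities only count what a given checker version can find, so comparing two scans is meaningful only when the same analysis is run against both, which is the caveat the report’s own 2006 baseline carries.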

CC BY-NC-SA 4.0 This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
