Since it was launched nearly two years ago, the U.S. Department of Homeland Security's "Vulnerability Discovery and Remediation Open Source Hardening Project" has been running daily security and reliability audits on more than 250 open source C++ packages representing more than 55 million lines of code.
The linchpin of the project has been Coverity which, in conjunction with Stanford University and Symantec, performs automated source-code analysis via its scan.coverity.com web site. In its first year of operation, developers fixed an average of 16 defects a day. Many of the projects are so widely used that a single serious defect could affect millions of people. For example, Coverity added regular scans of zlib, a compression library used in more than 500 applications, including MSN Messenger, Microsoft Office, QuickTime and Apache. Other additions include FreeRADIUS, an authentication server that provides secure authentication to 100 million users on the Internet and on business networks. To date, open source project maintainers have fixed more than 7,500 security and quality defects identified by Coverity Prevent SQS (Software Quality System).
The news today is that Coverity has expanded the program to cover open source Java projects as well.
"As open source software continues to win mindshare with commercial and government users, code quality and security are ongoing requirements," said David Maxwell, open source strategist for Coverity. "We are eager to share the capabilities of Coverity Prevent SQS with open source Java developers to help further improve the security and quality of their projects."
Coverity markets Prevent SQS as analyzing every path and value in C, C++, and Java software projects; as with any static analyzer, the results it reports are candidate defects that maintainers still need to triage and fix.