The Coverity Scan Project Spotlight report has analyzed the security defects detected by Coverity's open source software scanning service. Alongside the report, the company announced that it is enhancing the scan service with a security advisor capability, so that participating projects can now find critical Open Web Application Security Project (OWASP) Top 10 issues.
The service has also been expanded to include C# open source projects.
Recent high-profile vulnerabilities in open source code include Shellshock, the OpenSSL Heartbleed bug, and Apple's GoToFail. The report identifies several Common Vulnerabilities and Exposures (CVEs) in open source code and states that the GoToFail vulnerability could have been detected by the scan: the bug was a duplicated, unconditional "goto fail;" that left the subsequent signature check unreachable, exactly the kind of dead code a static analyzer flags.
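To show why a static analyzer can catch a GoToFail-style defect, here is an added example that reproduces the control-flow shape of the bug beside its corrected form. This is illustrative code written for this article, not Apple's SecureTransport source or Coverity's checker; the hash_update and signature_ok helpers are constructed stand-ins that simply succeed or fail as directed.

```c
#include <stdio.h>

/* Constructed stand-in for a hash-update step: always succeeds. */
static int hash_update(int *ctx)
{
    (*ctx)++;
    return 0;
}

/* Constructed stand-in for the final signature check: succeeds only
 * when both hash steps ran and the caller says the signature is valid. */
static int signature_ok(int ctx, int sig_valid)
{
    return (ctx == 2 && sig_valid) ? 0 : -1;
}

/* Vulnerable shape. The second "goto fail;" is not guarded by the if
 * above it, so it is always taken. Everything after it, including the
 * signature check, is unreachable, and err still holds the 0 returned
 * by the last successful hash_update. Result: success for any signature. */
int verify_vulnerable(int sig_valid)
{
    int ctx = 0;
    int err;

    if ((err = hash_update(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx)) != 0)
        goto fail;
        goto fail;                       /* duplicated line: unconditional */
    if ((err = signature_ok(ctx, sig_valid)) != 0)
        goto fail;

fail:
    return err;
}

/* Corrected shape: the duplicated goto is removed, so the signature
 * check is reachable and its result decides the return value. */
int verify_fixed(int sig_valid)
{
    int ctx = 0;
    int err;

    if ((err = hash_update(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx)) != 0)
        goto fail;
    if ((err = signature_ok(ctx, sig_valid)) != 0)
        goto fail;

fail:
    return err;
}

int main(void)
{
    printf("vulnerable, bad signature: %d\n", verify_vulnerable(0));  /* 0: accepted */
    printf("fixed, bad signature:      %d\n", verify_fixed(0));       /* -1: rejected */
    printf("fixed, good signature:     %d\n", verify_fixed(1));       /* 0: accepted */
    return 0;
}
```

The defect is invisible at runtime with a valid signature, which is why it survived testing; an unreachable-code checker, or a compiler with unreachable-code diagnostics enabled, reports the dead signature_ok call regardless of input.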
With this announcement, the company's central claim is that the service now enables Java developers to find and fix security issues in their code, including all of the OWASP Top 10 and other web application security issues.
The OWASP Top 10 lists the most critical web application security risks. Applied to Java code, the scan has detected web application security defects in practice: the service identified 688 OWASP Top 10 issues across 37 open source projects, including big data, network management, and blog server projects.
The following are the specific numbers of OWASP Top 10 issues found:
The firm's scan service has analyzed several hundred million lines of code from more than 1,500 open source projects, including C/C++ projects such as NetBSD, FreeBSD, LibreOffice and Linux, and Java projects such as Apache Hadoop, HBase, and Cassandra. The service has helped developers find and fix more than 94,000 defects since 2006. Nearly 50,000 defects were fixed in 2013 alone, the largest number fixed in any single year.