DHS report: Open-source code "quality" is up


A U.S. Department of Homeland Security-sponsored project has not only discovered that the quality of open source software code has improved significantly over the past two years, it has debunked a widely held assumption that longer function strings within source code are associated with an increased number of code defects.

The findings come as part of an ongoing three-year, $300,000 project between the DHS and source-code analysis vendor Coverity designed to help open-source software developers find and fix vulnerabilities in their projects. To date, the project has analyzed more than 55 million lines of code from more than 250 open source projects.

One of the notable conclusions from the scanning project was the 16 percent average drop in the number, or density, of defects detected in open-source projects, David Maxwell, Coverity's open-source strategist, told SCMagazineUS.com. While the initial average defect density found by static analysis in 2006 was 0.30, or roughly one defect per 3,333 lines of code, the current scan shows a 0.25 rate, or roughly one defect per 4,000 lines of code.

Another point was the debunking of programmers' long-held assumption that writing longer functions, or code strings, just naturally leads to a greater number of defects.

"We found those to not be correlated," Maxwell said. "That goes against common expectations. A lot of programmers feel that longer functions contain more defects not only because it's more lines of code, but because it's more difficult to write good code as functions become longer. That seems to not be the case, and contradicts popular beliefs."

The project deflated yet another theory: the bigger the software development project, the higher the proportion of coding errors it contains.

"Another interesting comparison was the relationship between code base size [the number of lines of code] and the number of defects identified," Maxwell said. "We found there's almost a 72 percent correlation between those numbers."

He said bigger projects contain more defects, but many programmers believe that as a project gets larger, the rate of defects increases -- that size not only introduces more defects, but they'll be introduced exponentially.

"Our analysis, however, shows the growth appears to be linear," Maxwell said.

The most common type of code defect among the 13 billion combined lines of code analyzed so far are null-pointer references, which made up 28 percent of those found. Resource leaks comprised 26 percent.

Both could cause security vulnerabilities in an open-source project, Maxwell said. They could cause an application to crash or a denial-of-service attack, among other problems.

Conversely, dynamic buffer overruns and unsafe use of negative values made up a mere 0.3 and 0.2 percent of the defects uncovered.
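As an added illustration of the two defect classes that dominated the scan results, the following hypothetical C config reader shows a null-pointer dereference and a file-handle leak of the kind a static analyser flags, beside a hardened version that checks every pointer that can be NULL and closes the file on every path. This is example code written for this page, not code from the article, from Coverity, or from any of the scanned projects; the function names, the sample config and the temp-file location are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not code from the article, Coverity or any scanned project:
 * a hypothetical config reader carrying the two most-reported defect classes
 * (null-pointer dereference, resource leak), then a hardened version. */

#define MAX_LINE 256

/* BEFORE: counts "key=value" lines. A static analyser would report:
 *  - fopen() returns NULL for a missing file; fgets() then dereferences that
 *    null FILE pointer and the process crashes (a denial of service).
 *  - strchr() returns NULL for a line with no '='; eq[1] dereferences it.
 *  - the early return on an over-long line skips fclose(): the FILE and its
 *    descriptor leak on every such call. */
int count_settings_unsafe(const char *path)
{
    FILE *fp = fopen(path, "r");
    char line[MAX_LINE];
    int count = 0;

    while (fgets(line, sizeof line, fp) != NULL) {     /* fp may be NULL */
        if (line[0] == '#' || line[0] == '\n')
            continue;
        if (strchr(line, '\n') == NULL && !feof(fp))
            return -1;                                 /* fp leaked here */
        char *eq = strchr(line, '=');
        if (eq[1] != '\n' && eq[1] != '\0')            /* eq may be NULL */
            count++;
    }
    fclose(fp);
    return count;
}

/* AFTER: every pointer that can be NULL is tested before use, and the one
 * exit path after the loop closes the file whatever happened. Returns the
 * number of lines with a non-empty key and value, or -1 on error. */
int count_settings_safe(const char *path)
{
    FILE *fp = fopen(path, "r");
    char line[MAX_LINE];
    int count = 0;

    if (fp == NULL)
        return -1;                                     /* nothing open yet */
    while (fgets(line, sizeof line, fp) != NULL) {
        if (line[0] == '#' || line[0] == '\n')
            continue;
        if (strchr(line, '\n') == NULL && !feof(fp)) { /* over-long line */
            count = -1;
            break;                                     /* still hits fclose */
        }
        char *eq = strchr(line, '=');
        if (eq != NULL && eq != line && eq[1] != '\n' && eq[1] != '\0')
            count++;
    }
    fclose(fp);
    return count;
}

/* Writes a constructed sample config to a temp file so the example runs
 * offline. Returns a malloc'd path the caller unlinks and frees, or NULL. */
char *write_sample_config(void)
{
    static const char sample[] =
        "# constructed sample, not any real project's configuration\n"
        "listen=8080\n"
        "\n"
        "tls_min_version=1.2\n"
        "line_without_equals\n"
        "empty_value=\n";
    char *path = strdup("/tmp/scan_example_XXXXXX");  /* /tmp assumed writable */
    if (path == NULL)
        return NULL;
    int fd = mkstemp(path);
    FILE *fp = (fd < 0) ? NULL : fdopen(fd, "w");
    if (fp == NULL) {                                  /* clean up on failure */
        if (fd >= 0) { close(fd); unlink(path); }
        free(path);
        return NULL;
    }
    fputs(sample, fp);
    fclose(fp);                                        /* also closes fd */
    return path;
}

int main(void)
{
    char *path = write_sample_config();
    if (path == NULL)
        return 1;
    /* The unsafe reader would crash on "line_without_equals"; only the hardened one runs. */
    printf("valid settings: %d\n", count_settings_safe(path));
    printf("missing file: %d\n", count_settings_safe("/nonexistent/app.cfg"));
    unlink(path);
    free(path);
    return 0;
}
```

On the constructed sample the hardened reader returns 2 (the two lines with a non-empty key and value) and returns -1 for a path that does not exist, rather than dereferencing the null FILE pointer; the single fclose() after the loop is what removes the leak on the over-long-line path.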

Coverity uses its Prevent static-analysis software to analyze the source code of each program in the project.
Copyright 2008 SC Magazine

Article Details
Author: Jim Carr
Publication: SC Magazine
Date: May 20, 2008


