COVERITY, which offers software integrity scanning services, released its latest report on open source projects' code quality today.
It details the results of years worth of studies, talks with the community, and collaboration with the US Department of Homeland Security. The good news is that open sauce quality is steadily getting better.
Running since 2006, Coverity Scan has analysed over 60 million lines of code on a recurring basis from more than 280 popular open source projects like Firefox, Linux and PHP - some 26,181 individual project analysis runs.
It found that overall the quality of open source code has been improving, thanks in part to programmers referring to previous scan results and acting accordingly. More than 11,200 defects discovered in open source programs have been eliminated as a result of using its Scan website since 2006, Coverity said.
Developers who want to check the integrity of their code can submit it to the Coverity static scan and wait for the results. In 2006 the scan found roughly one defect per 3,333 lines of code, while this year the metric has improved by 20 per cent to approximately one defect per 4,000 lines of code.
Using a static scan makes it easier to repeat the same studies in the same environment, according to Coverity.
Results are reported using a 'scan ladder' to apply a scale of integrity to code and award a position on higher rungs to improving projects.
There are three rungs - 36 of the projects scanned are on Rung 2 and 144 projects are on Rung 1. The highest rung, Rung 3, contains just four projects - Samba, TOR, OpenPAM, and Ruby. The company described these as "outstanding examples of high-integrity software," and applauded them for their nightly builds, continuous integration, unit tests, and regression tests.
Common coding mistakes still persist and Coverity said that these were NULL pointer deferences, which appeared in almost a third of all programs, resource leaks, and unintentionally ignored expressions. µ