Coverity Scan Gets Better with Java, Apache Hadoop, HBase and Cassandra Support
Coverity, software quality and security testing solutions provider, recently released its 2013 open source scan report, which currently verifies more than 1,500 projects and has 3,500 users as of March 2014.
The company added Java support in May 2013, and since that time more than 100 new projects have joined the service including Big Data projects such as Apache Hadoop, HBase, and Cassandra, as well as other well-known Java projects like Hudson server and Eclipse Code Recommender. Coverity also joined the Eclipse Foundation and created a Coverity Scan Hudson plugin that integrates with projects hosted by the foundation.
The report further states that almost 50,000 defects were fixed in 2013 which was more than the amount of defects fixed in the entire history of the service.
Coverity scan report includes an indication of defect density by project size. In 2013, the overall defect density for C and C++ projects was lower than in 2012 for all but one level - the 500,000-1 million lines of code grouping, where they had a substantial influx of new projects. It also shows that defect density for open source projects was lower than that of proprietary code at every level.
According to scan results, the overall defect density of Java projects was 2.72 which is significantly higher than .59 density of C/C++ projects.
First, the analysis algorithms for Java and C/C++ differ. The analysis we provide for the Scan service includes the popular FindBugs checkers, which are very useful. Many of the FindBugs checkers generate large quantities of results, in particular in the areas of dodgy code, performance and bad practices. Another factor to consider when assessing the defect density of the Java programs is the length of time the Scan service has been available to the projects. It is not uncommon to see higher defect density rates in the early stages of a project’s participation in the service, followed by a reduction in the defect density over time.
Working in association with Linux, Coverity scan service has verified over 8,578,254 lines of code in version 3.12, which was higher than previous year figures. It also rectified 3,346 issues besides identifying 3,299 potential defects, which are lower when compared with 2012 estimates besides fixing fixed few control flow, integer handling and error handling issues in Linux besides rectifying memory corruptions, resource leaks and API usage errors.
The Linux kernel continues to improve in quality each year. In 2011, it had a defect density of .95, which dropped to .76 in 2012 and is now .61. This change is testament to the team's commitment to quality.
“The Coverity platform finds critical issues such as buffer overflows, null pointer dereferences, concurrency issues and resource leaks, as well as many other types of issues which cannot be found by C/C++/Java compilers,” said Zack Samocha, Senior Director of Products and SaaS at Coverity.
InfoQ had a chat with Samocha to know more information about the scan service.
InfoQ: Can you share with us the purpose of Coverity Scan?
In 2006, the Coverity Scan service was initiated with the U.S. Dept. of Homeland Security as a public-private research project, focused on open source software quality and security. We now manage the project, providing our development testing technology as a free service to the open source community to help them build quality and service into their software development process. If you’d like additional detail regarding the history of the scan service, you might be interested in this blog post we recently published: Coverity Scan and the DHS.
InfoQ: In your report, it is mentioned that 50,000 defects were fixed in 2013. Can you point out few examples of defects?
The 2013 report contains information about a number of issues found and fixed in C, C++ and Java projects. An example of an interprocedural null dereference that was fixed follows. This particular defect occurs when a potentially null object is passed to a method that unconditionally dereferences it. In the following image, we see that “g” is compared against null on line 115, indicating that the developer expects that it might be null. If “g” is actually null, it will be passed to the getStateString() method on line 116, which will throw a NullPointerException on line 133.
InfoQ: How do you see the future of Coverity Scan service?
We have experienced high growth in both the number of projects and number of developers using the Coverity Scan service over the past year. So our primary focus is to continue to scale the service and continue to provide easy access to our proven development testing technology for the open source community. We will also continue to invest in integrations with the open source ecosystem , e.g. GitHub, Travis and other environments. We also plan to introduce more functionality to the service, such as support for .NET Framework, as well as access to additional products in our development testing platform.
Coverity scan service is currently used by some major open-source C/C++ projects including NetBSD, FreeBSD, LibreOffice and Linux, who between them fixed more than 11,000 defects in 2013.
Boris Lublinsky Nov 20, 2014
Shannon Ewan & Ahmed Sidky Nov 19, 2014