The most popular open-source software is also the most free of bugs, according to the first results of a U.S. government-sponsored effort to help make such software as secure as possible.

The so-called LAMP stack of open-source software has a lower bug density--the number of bugs per thousand lines of code--than a baseline of 32 open-source projects analysed, Coverity, a maker of code analysis tools, announced Monday.

The U.S. Department of Homeland Security awarded US$1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis. The funding, announced in January, is for a three-year "Open Source Hardening Project."

LAMP includes the Linux operating system, Apache Web server, MySQL database and a scripting language--PHP, Perl or Python. It has been pushing its way into mainstream corporate computing, a rival to Java and Microsoft's .Net.

In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, "showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.

There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said.

Of the other open-source projects scanned, Coverity found that the Amanda back-up tool had the highest number of bugs per 1,000 lines of code, with a bug density of 1.237. The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.

In absolute numbers, most defects were found in X, the low-level graphical interface software for Linux and Unix. Coverity found 1,681 defects in X, it said. With only six defects, XMMS also scored best in absolute numbers.

Coverity's analysis looked for 40 of the most critical security vulnerabilities and coding mistakes in software code. The company did not give details on the scope of the flaws it found. The analysis can't be used to measure the security of open source code next to that of proprietary code because that code is not available for scanning.

As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, allowing them to get the details they need to fix the flaws, Coverity said.

Related links

Leave a comment

You must read and type the 6 chars within 0..9 and A..F

* indicates mandatory fields.

Log in


Sign up | Forgot your password?

Blogs

RSS feed

  • Staff Aussies to pay more for Win 7

    If you are looking to make some money in these troubled times, perhaps importing copies of Windows 7 could be for you. Read more »

    -- posted by Staff

  • Staff Firefox: Greens want it, 3.5rc2 not up to par

    This week's roundup looks at the situation surrounding a campaign to change Outlook HTML renderer, a Greens MP wants to install Firefox but is restricted and all the photos from the iPhone 3GS launch. Read more »

    -- posted by Staff

  • Chris Duckett Microsoft misses the Outlook point

    Ask designers which mail program is the bane of their existence, and you'll find that Outlook tops the list. The reason why the most popular email reader is also the most painful is simple: it uses Word to render HTML emails. Read more »

    -- posted by Chris Duckett

What's on?