Stanford and Coverity: Getting the bugs out of open-source software

By Janine de Blois

January 10, 2008

In January 2006 funding totalling $1.24 million was announced, provided by the U.S. Department of Homeland Security (DHS), for the “Vulnerability Discovery and Remediation Open Source Hardening Project”, alternately known as the “Scan Project”.

Working on the project are Stanford University, Coverity, and Symantec. The three-year grant is divided among Stanford University ($841,276), Coverity ($297,000), and Symantec ($100,000).

Coverity was founded in 2002 by leading Stanford University scientists whose four-year research project resulted in the technology which enables the automatic scanning of code to find defects and vulnerabilities, with few false positives.

Symantec’s role is to provide feedback from a commercial software developer’s perspective. The objective is to develop deep automatic scanning of open source code, which has become integrated into the infrastructure and is critical to the government, private, and voluntary sectors.

About to begin its third year of the Scan Project, Coverity announced Rung 2 on the 8th of January. During Rung 1, open source project maintainers fixed more than 7,500 security and quality defects identified by Coverity Prevent SQS (Software Quality System), the technology behind the Scan site.

“This new level on the Scan ladder includes upgraded analysis based on a more recent version of Coverity Prevent. Eleven diligent projects which had resolved all of the defects identified at Rung 1 are the first projects to be upgraded to Rung 2. Those projects are Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.” — David Maxwell, Coverity.

Scan has been evaluating C and C++ projects, the results of which can be viewed on the Scan site. In November it began accepting projects in Java on a first-come, first-served basis.
