The service is an outgrowth of its contract with the US Department of Homeland Security’s Vulnerability Discovery and Remediation Open Source Hardening Project, which seeks to make the Internet more secure.
Previously, the invite was out to developers of open source C and C++ code that has been used for everything from appservers to operating systems and embedded code in devices such as routers. The operating notion behind offering free testing to the open source community is that so much of the software on which the Internet runs is open source.
To date, Coverity has put over a hundred open source projects through its gauntlet, identifying roughly 7800 defects. While that sounds like a relatively modest number, it does include some key cornerstones including the Linux OS, Apache web server, Samba networking protocol, Firefox browser, and Postgres database.
By opening the program to Java open source, Coverity expects to reach a wider field, if only because of the fact that Java builds are far easier to contend with compared to C or C++. Whereas C and C++ use a variety of compilers, forcing Coverity to assemble the builds for its testing, Java byte code uses a standard compiler which enables Coverity to accept builds from submitters.
According to Coverity open source strategist David Maxwell, that should greatly ease the process for accepting Java code for testing. All they [submitters] have to do is use the built-in compiler and send the [Java] classes, and we’re set to go.
Coverity’s approach is base on probabilistic techniques developed for hardware testing that cuts the number of execution paths to be tested down to a manageable number. They assemble a Software DNA that maps out the most likely paths for code execution and target testing accordingly.
When the test results come in, Coverity posts them on its site. Finding defects has been relatively easy, but figuring our a way to implement the fixes has been another matter, said Maxell. The determining factor, said Maxwell, depends on whether the submitter’s project owns the source code, or whether their project uses code from other projects.
