Electronic design automation company Synopsys released the findings of its 2017 Coverity Scan Report, which shows an increased of “project maturity” in the over 4,600 open source software projects analyzed based on certain secure development strategies.
The 20-page report outlines Synopsys’s method of gathering user-submitted projects, encompassing approximately 760 million lines of code, and analyzing them for such practices. These are things like running a continuous integration/continuous distribution (CI/CD) deployment, triage of identified defects, providing models that help to reduce false positives and configuring component maps, which marks different parts of a project so that developers can better tell where bugs in their code live.
Some 2,500 of the over 4,600 projects have been triaged since the beginning of last year according to the report. This shows project maturity, according to Synopsys, because static analysis “is not foolproof and requires developers with intimate knowledge of the codebase to verify identified defects.”
Though only about a third of submitted projects provided modeling to avoid false positives, not all would require it, and Synopsys determined that around 90% of detections by Coverity Scan were actionable.
The final metric, of whether component maps were implemented, showed that 3,216 projects made use of the configurations, which can show developers which parts of their code are affected by defects.
“Due to the ubiquity of open source and the vital role it plays in virtually all types of software, understanding and managing its risks can no longer be optional,” Andreas Kuehlmann, senior vice president and general manager of the Synopsys Software Integrity Group. “The Coverity Scan Report highlights the progress of some of the most mature and widely used open source projects, and it provides invaluable insights for the broader software community that depends on the integrity of open source.”
Beyond measures of project maturity, the Coverity Scan Report showed that the commercial and open-source software ecosystems are converging rapidly. “According to some of the largest commercial users of Coverity, software shipped to customers can contain up to 90% open source code. In addition, there are now companies founded entirely on OSS proving that OSS is now the norm,” Synopsys says.
Though Coverity Scan has traditionally used a metric of code defect density to score projects at the end of a scan, Synopsys is aiming towards finding other metrics that could help determine the health and maturity of an open source codebase, such as meeting certain technical criteria a la CII’s Census Project, or by gathering data about a project’s development community and users.
“It is becoming crucial to be able to assess risks associated with the consumption of OSS,” the report concludes. “The potential to provide a holistic view of software risk and maturity by combining information from multiple dimensions will be essential as OSS becomes ever more pervasive in technology.”