When the Black Duck Team invited me to write a guest blog about the state of open source quality based on findings from our free Coverity Scan Service, I jumped at the chance. Coverity, like Black Duck, is committed to supporting the open source community.
One of our long-term partners in the open source community is Samba, the standard Windows interoperability suite of programs for Linux and Unix. When Samba joined our Scan service in 2006, they fixed all 216 of the defects we found in less than two weeks and have fixed close to 2,000 defects since then. Today, they boast a defect density rate (number of defects per thousand lines of code) of .59, which is lower than the defect density rate in like-sized commercial and open source projects.
Benchmarking the defect density of open source projects against like-sized commercial projects is something we cover in our annual Scan report. In the 2012 report, we analyzed more than 68 million lines of unique code and found that the trend continued: open source code was of higher quality than proprietary code, up to one million lines of code. The average defect density across projects was .69, and the top defects fixed in the program were control flow issues, null pointer dereferences and resource leaks.
Coverity Scan was initiated in 2006 with the U.S. Department of Homeland Security, and Coverity now manages the service, which supports more than 400 projects today including Linux, Postgres and Apache. We provide our development testing technology as a free service to the open source community to help them build quality and security into their software development process – more than 20,000 defects identified by the Coverity Scan service were fixed by open source developers in 2012 alone.