Coverity centralizes code defect checkers

Published 15 April 2009

Coverity’s new Integrity Center was created while the company was analyzing 250 open source code projects on a DHS contract

More and more applications use open source, so it is good to read that Coverity, which was given a $300,000 DHS contract to check security exposures in 250 open source code projects, has combined several code checkers into one system, Coverity Integrity Center. Coverity Integrity Center includes Coverity’s static code-checking system, Prevent, which analyzes code line by line behind the scenes to find security exposures, poor programming practices, and bugs. InformationWeek’s Charles Babcock writes that Prevent has been used to check the code of 250 open source projects on a weekly basis over a two-year period. Some projects had as many bugs as commercial code, an average of one per 1,000 lines, but Prevent found that Linux, Samba, and other leading projects have far fewer code defects than average. Prevent “has got an inhuman eye for detail. It’s like having the most persnickety programmer in the world looking over your shoulder,” Jeremy Allison, lead developer on the Samba project, told Babcock.

The 2.6 version of the Linux kernel had a defect rate of 0.127 defects per 1,000 lines of code; that version of the kernel had 3.6 million lines. Samba was even lower at 0.024 bugs per 1,000 lines, while the PostgreSQL database project had a 0.041 rate, as reported last May.

Added to Prevent is Coverity’s Build Analysis engine, a new product built into Integrity Center. It examines the newly assembled code produced by a build compilation in the software development process. A build “is the forgotten heartbeat of software development,” said Coverity CTO Ben Chelf, and finding a problem in a build prevents problems further down the road as software goes into production.

In the build process, the compiler sometimes “doesn’t appropriately clean up from a previous effort,” and uses an old software object instead of a newly updated one. The Build Analyzer can detect such a mistake, automating a difficult process for the software developer who has to unravel why his code broke the build. Inspecting the source code line by line would reveal no defect in such a case, Chelf told Babcock in an interview.

Loud failures, where one part of the system does not connect to another, “are pretty straightforward to track down,” said Chelf. Silent failures, such as the hidden, garbage object, are harder to track down, and an automated system relieves the developer of a lot of painstaking searching, he said.
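The stale-object problem Chelf describes is easy to check for mechanically: an object file that is older than the source it was compiled from, or whose source no longer exists, is exactly the kind of leftover a build can pick up without complaint. The following is an added example, not Coverity’s Build Analyzer or any code from the article; it assumes the simple convention that `foo.o` is built from `foo.c`/`foo.cpp`/`foo.cc` in the same directory and uses file modification times as the staleness signal, which is a heuristic rather than a full dependency analysis.

```python
import os
import tempfile
from pathlib import Path

# Assumed naming convention (hypothetical): an object file is compiled from the
# source file with the same stem in the same directory.
SOURCE_SUFFIXES = (".c", ".cpp", ".cc")


def source_for(obj: Path):
    """Return the source file a .o was presumably built from, or None."""
    for suffix in SOURCE_SUFFIXES:
        candidate = obj.with_suffix(suffix)
        if candidate.exists():
            return candidate
    return None


def find_stale_objects(build_dir):
    """(object, source) pairs where the object predates its source.

    A build that reuses such an object silently links in old code, which is
    the 'hidden, garbage object' failure mode described above.
    """
    root = Path(build_dir)
    stale = []
    for obj in root.rglob("*.o"):
        src = source_for(obj)
        if src is not None and obj.stat().st_mtime < src.stat().st_mtime:
            stale.append((obj.relative_to(root).as_posix(),
                          src.relative_to(root).as_posix()))
    return sorted(stale)


def find_orphan_objects(build_dir):
    """Objects whose source was deleted or renamed; also candidates for
    accidental reuse and for a 'make clean' that never happened."""
    root = Path(build_dir)
    return sorted(obj.relative_to(root).as_posix()
                  for obj in root.rglob("*.o") if source_for(obj) is None)


def demo():
    """Constructed build tree with explicit timestamps so the result is
    deterministic: one fresh object, two stale ones (one in a subdir), and
    one orphan. Returns (stale_pairs, orphans)."""
    base = 1_000_000_000  # arbitrary epoch seconds, constructed for the demo
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        files = {
            "fresh.c": base,        "fresh.o": base + 10,   # object newer: ok
            "stale.c": base + 10,   "stale.o": base,        # source edited later
            "lib/util.c": base + 5, "lib/util.o": base,     # stale in subdir
            "orphan.o": base,                               # source removed
        }
        for name, mtime in files.items():
            p = root / name
            p.write_text("/* constructed */\n")
            os.utime(p, (mtime, mtime))
        return find_stale_objects(d), find_orphan_objects(d)


if __name__ == "__main__":
    stale, orphans = demo()
    print("stale objects:", stale)
    print("orphan objects:", orphans)
```

Running this reports the two stale objects and the orphan while leaving `fresh.o` alone; in a real tree the same scan is a cheap pre-link sanity check, and any hit is a reason to rebuild from clean rather than trust the artifact.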

Integrity Center also includes Architecture Analyzer, which compares the structure of the code to the architectural model that was generated for it. It can also analyze code as it executes in a test phase for dynamic analysis, formerly a separate product called Thread Analyzer. Integrity Center analyzes code written in C, C++, or Java.

Coverity’s Integrity Center can be used with application life-cycle management tools, and Coverity has partnered with Electric Cloud’s application project management, AccuRev’s change and configuration management products, and GlobalLogic, a supplier of a distributed agile development platform.

Note that Integrity Center is priced according to the number of lines of code in a project that it will analyze. A 1-million-line project would result in a $100,000 annual charge, or 10 cents a line.

Chelf said the San Francisco company closed its best quarter ever on 31 March. The privately held company doesn’t disclose revenue, but he claimed the growth rate was 47 percent. Customers, in addition to DHS, include France Telecom, Hewlett-Packard (NYSE: HPQ), Intergraph, Juniper Networks (NSDQ: JNPR), Konami, Medtronic, NTT DoCoMo, NASA, Philips, Raytheon, and Symantec (NSDQ: SYMC).