Open Source Integrity Report - 2011

Coverity Scan is the largest public-private sector research project in the world focused on open source integrity, originally initiated in 2006 with the U.S. Department of Homeland Security. Over the past five years, Coverity has worked with over 300 of the most widely adopted open source projects, including Linux, PHP, Apache, Firefox, and Android, to automatically scan, or test, their source code during development.

The 2011 Coverity Scan also included an examination of proprietary code: a sample of over 300 million lines of code from 41 proprietary codebases belonging to anonymous Coverity users, chosen to see what comparisons could be drawn between open source projects and commercial projects that have adopted static analysis. These codebases represent a variety of industries and span a length of static-analysis adoption comparable to that of the open source projects, from less than one year to over five years. To keep the data uniform, Coverity selected only proprietary codebases from users who had provided a detailed enough breakdown to compute defect density for high- and medium-impact defects. The resulting data set came from 43 customers, spanning multiple verticals and codebase sizes.

Analysis of the 2011 Coverity Scan led to a key set of findings, including:

  • Proprietary codebases that leverage automated testing such as static analysis have above-average quality for the software industry.
  • Open source code quality is on par with proprietary code quality, particularly where the codebases compared are of similar size.

To read the full Open Source Integrity Report for 2011, go to the Coverity Scan Site.