Coverity Report Finds OSS Bug Density Down Since 2006
eldavojohn writes "In 2008, static analysis company Coverity analyzed security issues in open source applications. Their recent study of 11.5 billion lines of open source code reveals that between 2006 and 2009 static analysis defect density is down in open source. The numbers say that open source defects have dropped from one in 3,333 lines of code to one in 4,000 lines of code. If you enter some basic information, you can get the complimentary report that has more analysis and puts three projects at the top tier in quality of the 280 open source projects: Samba, tor, OpenPAM, and Ruby. While Coverity has developed automated error checking for Linux, their static analysis seems to be indifferent toward open source."
Re:Wonder when MS, IBM and others will publish? (Score:2, Informative)
Actually the topic is the subject of research and the blog below quotes some book that says Microsoft is at 1/2000 lines of code.
http://amartester.blogspot.com/2007/04/bugs-per-lines-of-code.html
Of course, these studies try to assess the number of defects that have not been found yet... So the numbers are to be taken with a grain of salt, but apparently testing the software before delivery gets 90% of the bugs.
The Coverity report is likely based on what the tool says, so you need a grain of salt for that too.
The trend is probably what matters most. This stuff is really about improving your code, finding what's wrong, checking that you are making progress and trying hard enough.
Re:Umm yeah (Score:3, Informative)
Isn't 4000 lines/code a second 4 kHz, not GHz, if we're using Hz to measure the frequency of line-processing?
Re:Umm yeah (Score:5, Informative)
At 4000 lines of code every second (e.g. 4GHz) you are looking at 33.2 years to check that much code.
GHz = 1 billion cycles per second. You're only about 6 orders of magnitude off.
Re:Survivorship bias (Score:1, Informative)
Old projects don't necessarily mean old code. Currently, on average each day the Linux kernel adds 13K lines, deletes 5K lines, and changes 2.8K lines. Over a year, that works out to roughly 4.5M lines, 2M lines, and 1M lines.
For a project with roughly 12M lines of code, that's a pretty significant amount of churn.
Re:Fixing issues improves code... (Score:2, Informative)
If you fix the issues, Coverity moves the project to a new rung and performs stricter analysis to find more types of errors.