Coverity: Scanning Open Source Code

Coverity's new open source code scanning solution has worked to eliminate thousands of problems in open source software.

Software development has several layers. At the base is the code developers write; above it sits the build system, which compiles and links those pieces into something ready for deployment. Code analysis vendor Coverity is now extending its analysis beyond the static code layer to include that often-overlooked build system.

The new analysis could help reduce software defects across a wide range of applications. Coverity will first make it available to its commercial clients, but it will also find its way into Coverity's open source scanning effort, which has helped eliminate over 8,500 software defects from open source software.

"The build system is essentially the assembly line for code," Ben Chelf, CTO of Coverity, said. "It takes all the pieces that developers write and puts them together. By analyzing the build system you're going to find different things than what you'd find just by analyzing the code itself."

Chelf explained that the Build Analysis software works by watching how the software is actually built, rather than by parsing the build configuration files themselves.

"What we do is we make the observation that every build system has to make calls into the operating system and execute processes, and all this information can be observed," Chelf explained. "So we have over 80 different system calls to capture build information, and we just have a wrapper script that sits there and watches. From that, we can build up a complete dependency graph."

One thing that turned up during beta testing of the Build Analysis solution was repetitive process execution in the build. In one case, Coverity found that a particular process was being executed 10,000 times unnecessarily.
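The approach Chelf describes, watching the build's system calls rather than reading its makefiles, can be reproduced in miniature. The following is an added example, not Coverity's code: it replays a constructed, strace-style trace of a small C build (the kind `strace -f -o build.trace -e trace=execve,openat make` would write), records which files each executed process read and wrote, derives the output-to-input dependency graph from that, and flags identical command lines that ran repeatedly, the redundancy the beta testing found. Only `execve` and `openat` are parsed here, against a simplified line format; Coverity's wrapper reportedly captures over 80 calls, and real strace output also contains interrupted and resumed lines this parser does not handle.

```python
import re
from collections import Counter, defaultdict

# Constructed, strace-like trace of a small build (not a real capture). Each line is
# "<pid> <syscall>(...) = <return>". Process 101 also probes a header that does not
# exist; that failed open must not become a dependency.
TRACE = """\
100 execve("/usr/bin/make", ["make"], 0x7ffd) = 0
101 execve("/usr/bin/cc", ["cc", "-c", "main.c", "-o", "main.o"], 0x7ffd) = 0
101 openat(AT_FDCWD, "main.c", O_RDONLY) = 3
101 openat(AT_FDCWD, "config.h", O_RDONLY) = -1 ENOENT (No such file or directory)
101 openat(AT_FDCWD, "util.h", O_RDONLY) = 4
101 openat(AT_FDCWD, "main.o", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
102 execve("/usr/bin/cc", ["cc", "-c", "util.c", "-o", "util.o"], 0x7ffd) = 0
102 openat(AT_FDCWD, "util.c", O_RDONLY) = 3
102 openat(AT_FDCWD, "util.h", O_RDONLY) = 4
102 openat(AT_FDCWD, "util.o", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
103 execve("/usr/bin/cc", ["cc", "main.o", "util.o", "-o", "app"], 0x7ffd) = 0
103 openat(AT_FDCWD, "main.o", O_RDONLY) = 3
103 openat(AT_FDCWD, "util.o", O_RDONLY) = 4
103 openat(AT_FDCWD, "app", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 5
104 execve("/usr/bin/pkg-config", ["pkg-config", "--cflags", "zlib"], 0x7ffd) = 0
105 execve("/usr/bin/pkg-config", ["pkg-config", "--cflags", "zlib"], 0x7ffd) = 0
106 execve("/usr/bin/pkg-config", ["pkg-config", "--cflags", "zlib"], 0x7ffd) = 0
"""

EXEC_RE = re.compile(r'^(\d+) execve\("([^"]+)", \[([^\]]*)\]')
OPEN_RE = re.compile(r'^(\d+) openat\(AT_FDCWD, "([^"]+)", ([A-Z_|]+)(?:, \d+)?\) = (-?\d+)')


class Process:
    """One observed execve() and the files that process opened afterwards."""

    def __init__(self, pid, argv):
        self.pid = pid
        self.argv = tuple(argv)
        self.reads = set()
        self.writes = set()


def parse_trace(text):
    """Replay the trace: each execve starts a record for its PID, and each successful
    openat is booked as a read or a write of that PID's current process."""
    current = {}      # pid -> Process currently occupying that PID
    processes = []    # every execve, in trace order
    for line in text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            proc = Process(int(m.group(1)), re.findall(r'"([^"]*)"', m.group(3)))
            current[proc.pid] = proc
            processes.append(proc)
            continue
        m = OPEN_RE.match(line)
        if not m:
            continue                      # other syscalls are not needed for the graph
        pid, path, flags, ret = int(m.group(1)), m.group(2), m.group(3), int(m.group(4))
        if ret < 0 or pid not in current:
            continue                      # a failed open (probed header) is not a dependency
        proc = current[pid]
        (proc.writes if ("O_WRONLY" in flags or "O_RDWR" in flags) else proc.reads).add(path)
    return processes


def dependency_graph(processes):
    """Map each produced file to the set of files the producing process read."""
    deps = defaultdict(set)
    for proc in processes:
        for out in proc.writes:
            deps[out] |= proc.reads
    return dict(deps)


def transitive_inputs(deps, target):
    """Everything `target` depends on, following intermediate artifacts back to sources."""
    seen, stack = set(), [target]
    while stack:
        for inp in deps.get(stack.pop(), ()):
            if inp not in seen:
                seen.add(inp)
                stack.append(inp)
    return seen


def repeated_commands(processes, threshold):
    """Identical command lines executed at least `threshold` times: the kind of
    redundant work the article describes finding in a build."""
    counts = Counter(proc.argv for proc in processes)
    return {argv: n for argv, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    procs = parse_trace(TRACE)
    graph = dependency_graph(procs)
    for out, ins in sorted(graph.items()):
        print(f"{out} <- {sorted(ins)}")
    print("app transitively depends on:", sorted(transitive_inputs(graph, "app")))
    for argv, n in repeated_commands(procs, 3).items():
        print(f"{n}x identical: {' '.join(argv)}")
```

Note what the graph does and does not contain: the three `cc` invocations have different arguments, so they are legitimately separate steps and are not flagged, while the three identical `pkg-config` runs are; and `config.h` never becomes an input of `main.o`, because the open failed. Observing the build rather than parsing makefiles is what makes both judgements possible, since the trace records what actually ran and what it actually touched.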

Open Source Scanning

Coverity has been scanning open source code for software defects since 2006. Originally, the Coverity Scan effort was backed by the Department of Homeland Security, but it is currently being run and financially supported by Coverity itself. The Coverity Scan effort looks at several hundred open source projects in an effort to help find and fix software defects.

Chelf noted that the plan is to add the Build Analyzer to the open source scan effort soon, though he did not provide specific timing.

"It's on our roadmap for open source scanning," Chelf said. "It's just a matter of checking it off the list."

Chelf argued that Coverity's Build Analysis is unique in the code analysis marketplace. Coverity competitor Klocwork, however, says it too can analyze build systems, in its own way.

"Currently most of our build analysis technology is used to provide automated discovery of a customer's build system in order to run effective, accurate code analysis," Brendan Harrison, Klocwork's director of marketing, said. "This is a must-have capability for deep static code analysis. In addition, we've had numerous customers in the past use our analysis capabilities to optimize their build times through structural clean-up of their code."

Protecting Against Open Source Vulnerabilities

Coverity's Build Analysis also lets developers ensure that they are not unintentionally pulling vulnerable open source code into their builds, through an integration with code licensing analysis vendor Palamida.

Chelf explained that, combined with Palamida's software, a developer can examine the entire build process to identify whether any vulnerable open source code is being used. Palamida maintains an up-to-date database of open source libraries and applications and can identify whether an older, potentially vulnerable version of a given piece of open source code is being used.

The new build analysis is complemented by the new Coverity Integrity Center product, which aims to tie together the various pieces of code analysis and give developers a full view of what is going on. In addition to Coverity's Prevent product, which performs static code analysis, and the new Build Analysis, Integrity Center also pulls in the Architecture Analyzer, which was rolled out earlier this year.

"There are different ways to analyze software systems, from an architecture perspective from a build perspective and from a code perspective," Chelf said. "You've got to analyze in as many ways as possible. All of these different perspectives enable us to find defects in different and interesting ways."
