A new study by code analysis firm Klocwork has discovered new flaws in open source programs that previous scans by a Department of Homeland Security-sponsored study did not.
Apparently, the open source projects in question were notified by Klocwork of their results, but at least one open source vendor disputes the claim.
Klocwork, which this week released its Klocwork K7.1 automated defect and vulnerability source code scanner, ran its application against the Amanda 2.5, Samba 3.0.23, and XMMS 1.2.10 open source projects.
The scan apparently found hundreds of defects and vulnerabilities in the three projects they analyzed.
“Interestingly, our analysis was a follow-on to the use of another static analysis tool,” Klocwork Product Marketing Manager Brendan Harrison wrote in an unpublished blog posting sent to internetnews.com.
“The first analysis had been undertaken as part of a U.S. Department of Homeland Security initiative to analyze open source code. Despite the internal testing as well as the first static analysis that had identified numerous defects, we found there were still more bugs lurking in the code bases.”
Harrison explained to internetnews.com that the analysis was against code that Coverity reported as having zero defects.
Within that code, Klocwork found a variety of defect types that can be summarized in the following high-level categories: NULL Pointer Deference Issues, Usage of Freed Memory Issues, Array Bounds Violations (which can also be Buffer Overflows depending on the situation), Unvalidated Data Issues and Injection Flaws.
The “first” analysis that Klockwork is referring to is being completed by source code analysis firm Coverity under the auspices of a DHS grant.
Some of the initial results of the study showed that LAMP (Linux/Apache/MySQL, PHP/Perl/Python) code quality was higher than a baseline of 32 open source projects.
Ben Chelf, Coverity’s CTO, disputed Klocwork’s claims about the Coverity results.
“They mentioned that another vendor claimed that the code was defect-free and we think that is a misrepresentation,” he told internetnews.com.
“We never claimed that we find all the defects in a particular piece of software, our source code analysis finds an awful lot of defects and has a low false positive rate.”
Chelf admitted that he was unaware of the specifics of the Klocwork scan, its methodology or its interaction with the open source communities whose code was scanned.
A Klocwork spokesperson told internetnews.com that Klocwork submitted all of its findings to the open source projects to help them correct the errors. The spokesperson noted that the Samba project provided a quote for the release, and were very eager to fix the defects.
Zmanda, which is a corporate sponsor for the Amanda project and leads its technical development, said it was not contacted by Klocwork.