Coverity reveals common open-source code flaws

Summary:A US Department of Homeland Security-funded project has listed some of the most frequent open-source coding errors

A project funded by the US Department of Homeland Security has praised improvements in open-source security, while outlining some common errors.

Coverity, a commercial code-analysis company spun out of Stanford University, has been running its Scan project with Department of Homeland Security funding since 2006.

On Tuesday, Coverity released its Open Source Report, which gives results of bugs in more than 250 open-source projects. Coverity declined to give details of individual projects' faults, but instead gave a list of frequent coding errors.

Coverity did single out some projects for particular praise due to the cleanliness of the code, including Amanda, NTP, OpenPAM, OpenVPN, Perl, PHP, Python and Samba.

The most common type of code defect, accounting for 28 percent of all the defects found, was the NULL pointer dereference, as the use of pointers in C/C++ is error-prone, according to Coverity.

"This type of error often occurs when one code path initialises a pointer before its use, but another code path bypasses the initialisation process," stated the report. "Pointers are a notoriously challenging programming concept that many languages elide altogether (eg, Java). Senior developers know that new programmers frequently have trouble understanding pointers."

Because pointers are often used to pass data structures by reference between pieces of program logic, they may be the most commonly manipulated data objects due to repeated copying, aliasing and accessing. Therefore, it is not surprising that the most frequently used artefacts will incur the most errors in manipulation, said Coverity.

The second most common type of code defect are resource leaks. While some resource leaks are pointer-related, others may be the result of misusing an application programming interface (API), said Coverity.

Other common code defects include unintentional ignored expressions, use before test and buffer overflow vulnerabilities.

Topics: Apps, Software Development


Tom is a technology reporter for, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.