Coverity reveals common open-source code flaws

A US Department of Homeland Security-funded project has listed some of the most frequent open-source coding errors
Written by Tom Espiner, Contributor

A project funded by the US Department of Homeland Security has praised improvements in open-source security, while outlining some common errors.

Coverity, a commercial code-analysis company spun out of Stanford University, has been running its Scan project with Department of Homeland Security funding since 2006.

On Tuesday, Coverity released its Open Source Report, which gives results of bugs in more than 250 open-source projects. Coverity declined to give details of individual projects' faults, but instead gave a list of frequent coding errors.

Coverity did single out some projects for particular praise due to the cleanliness of the code, including Amanda, NTP, OpenPAM, OpenVPN, Perl, PHP, Python and Samba.

The most common type of code defect, accounting for 28 percent of all the defects found, was the NULL pointer dereference, as the use of pointers in C/C++ is error-prone, according to Coverity.

"This type of error often occurs when one code path initialises a pointer before its use, but another code path bypasses the initialisation process," stated the report. "Pointers are a notoriously challenging programming concept that many languages elide altogether (eg, Java). Senior developers know that new programmers frequently have trouble understanding pointers."

Because pointers are often used to pass data structures by reference between pieces of program logic, they may be the most commonly manipulated data objects due to repeated copying, aliasing and accessing. Therefore, it is not surprising that the most frequently used artefacts will incur the most errors in manipulation, said Coverity.

The second most common type of code defect is the resource leak. While some resource leaks are pointer-related, others may be the result of misusing an application programming interface (API), said Coverity.
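The two patterns the report describes, a code path that bypasses pointer initialisation and ends in a NULL pointer dereference, and an early return that leaks an allocated resource, shown side by side with a hardened form in a constructed C example (added here; not code from the Coverity report or from any of the scanned projects; the config record, function names and the malloc/free pairing are assumptions):

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record type for the example. */
struct config {
    char name[32];
    int  verbose;
};

/* Buggy form, as the report describes it: one path (a non-empty name)
 * initialises `cfg`; the other path (an empty or missing name) bypasses the
 * initialisation and reaches the use with cfg == NULL. */
int load_config_buggy(const char *name, int verbose)
{
    struct config *cfg = NULL;
    if (name != NULL && name[0] != '\0') {
        cfg = malloc(sizeof *cfg);
        if (cfg == NULL)
            return -1;
        strncpy(cfg->name, name, sizeof cfg->name - 1);
        cfg->name[sizeof cfg->name - 1] = '\0';
    }
    if (verbose < 0)
        return -1;           /* resource leak: cfg allocated above is never freed */
    cfg->verbose = verbose;  /* NULL pointer dereference when name was empty */
    free(cfg);
    return 0;
}

/* Hardened form: validate before allocating, so every path either fully
 * initialises the pointer or fails before the use, and every exit after the
 * allocation releases it. Returns 0 on success, -1 on any error. */
int load_config_fixed(const char *name, int verbose, int *verbose_out)
{
    if (name == NULL || name[0] == '\0' || verbose < 0)
        return -1;           /* reject bad input instead of falling through */
    struct config *cfg = malloc(sizeof *cfg);
    if (cfg == NULL)
        return -1;
    strncpy(cfg->name, name, sizeof cfg->name - 1);
    cfg->name[sizeof cfg->name - 1] = '\0';
    cfg->verbose = verbose;
    if (verbose_out != NULL)
        *verbose_out = cfg->verbose;
    free(cfg);               /* released on the success path as well */
    return 0;
}
```

A static analyser flags the buggy function because the dereference is reachable on a path where `cfg` is provably NULL, and because the `verbose < 0` return drops the only reference to the allocation.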

Other common code defects include unintentionally ignored expressions, use before test and buffer overflow vulnerabilities.
