This report is the result of the largest public-private sector research project focused on open source software integrity, originally initiated between Coverity and the U.S. Department of Homeland Security in 2006. The results from the 2010 edition of the Coverity Scan Open Source Integrity Report detail the findings of analyzing more than 61 million lines of open source code from 291 popular and widely-used open source projects such as Android, Linux, Apache, Samba and PHP, among others. The Coverity Scan service uses Coverity Static Analysis to automatically test open source code submitted by the open source community, and the report is the summary of findings from this analysis. Highlights from the Coverity Scan 2010 Open Source Integrity Report include:
The Android kernel tested by Coverity revealed 359 software defects, which is a sample of what might be shipping in popular mobile and other Android-based devices.
25 percent of the Android defects found are high risk with the potential to cause security breaches and crashes.
Nearly half of the defects discovered in open source projects by Coverity Scan are classified as high risk.
The high risk defects discovered in Android and other open source projects are the types typically eliminated by Coverity customers before shipping products.
Common defects found in open source code continue to be flaws such as memory corruptions, NULL pointer dereferences, and resource leaks, which can cause system crashes and security vulnerabilities in products.