“The line between open source and proprietary software will continue to blur over time as open source is further cemented in the modern software supply chain,” noted Zack Samocha, Coverity’s project director for the Scan project.
Searching for Defects
Originally launched by Coverity along with the U.S. Department of Homeland Security in 2006, the Scan project is the largest public-private sector research effort focused on open source software integrity, Coverity says.
Included in this year’s analysis were more than 37 million lines of open source software code and more than 300 million lines of proprietary software code from a sample of anonymous Coverity users.
To conduct its analysis, Coverity used a testing platform that was upgraded this year so that it can detect a wider range of defect types, both newly added and existing ones, in software code, the company says.
Linux 2.6 Stands Out
Among Coverity’s findings was that in proprietary codebases, which averaged 7.5 million lines of code in size, the average number of defects per thousand lines of code was .64.
That may sound pretty small, but in open source software the figure was even smaller. Specifically, with an average open source project size of 832,000 lines of code, the average defect density was .45 defects per thousand lines of code.
Where codebases were of similar size, open source code quality was pretty much on par with proprietary code quality, Coverity found. Linux 2.6, for example, a project with nearly 7 million lines of code, had a defect density of .62, which is still slightly better than that of its proprietary codebase counterparts.
Among open source projects, Linux 2.6, PHP 5.3, and PostgreSQL 9.1 can be used as industry benchmarks, the company said, with defect densities of .62, .20, and .21, respectively.