The Department of Homeland Security (DHS) is all about securing American interests. Since January 2006, helping to secure open source software has been one such interest.
Over 18 months and halfway through its three-year sponsored contract from DHS, code scanning vendor Coverity is expanding the effort, with more projects being scanned and more features in the code-scanning product itself.
David Maxwell, the open source strategist for Coverity, told internetnews.com that the effort will add open source Java projects over the next several months. The specific Java projects haven't been selected, but this is the first time that open source Java projects will be analyzed under the DHS contract.

The Coverity/DHS scanning of Java projects for code defects will not be the first free effort to find bugs in Java code, though. FindBugs is doing the same thing in tandem with source code analysis firm Fortify as part of an effort launched last December called the Java Open Review Project (JOR).
"They're definitely complementary [Findbugs] and additional analysis is always useful," Maxwell told internetnews.com. "Though we've taken results from FindBugs before and we've found issues that they did not."
Coverity is also overhauling both the interface and functionality that open source projects get to use. The new interface is intended to help facilitate better control over code defect investigation as well as additional reporting features.
The defect scanning engine is being updated to a newer version of Coverity's commercial Prevent technology. Maxwell explained that when the DHS effort was first set up it used the most up-to-date version then available.
"But in the meantime, the commercial version has had a lot of developments and the DHS version hasn't until now," Maxwell admitted.
The new version adds a barrage of new code checkers as well as improvements to existing checkers. Coverity expects to move scanned projects over to the new engine in a staged manner in the coming weeks.