Coverity: open source and proprietary code are equal

Across the broad software market, Coverity believes that open source code and proprietary code are equal in terms of quality.

In 2006, the United States Department of Homeland Security signed a partnership with Coverity to undertake a project which would evaluate the integrity of open source code. Today, the project is held and managed uniquely by Coverity.

Present in the software testing market, Coverity offers a static code analysis solution (Coverity Static Analysis), which is notably used by the National Security Agency for Information Systems (Anssi).

Coverity has now published a study (PDF) which for the first time takes into account proprietary code. In addition to the 37 million lines of open source code, 300 million lines of proprietary code have been included in the study following their analysis by Coverity Static Analysis. Proprietary client’s names have not been revealed.

After examining 45 major open source projects and some 820 000 lines of code, Coverity reports an average error density of 0.45 for every 1000 lines of code.

For 41 proprietary projects and 7.5 million lines of codes, the error rate recorded is 0.64 errors in every 1000 lines of code. The quality of open source code is therefore at least the equal of proprietary code, with it at times being even better.

In their conclusions, Coverity states that the quality of the open source and proprietary code is equal, particularly when the codebase is of a similar size. "For example, Linux 2.6 is a project with close to 7 million lines of code, and a default density of 0.62 which is almost identical to that of equivalent proprietary products".

Besides Linux 2.6, projects like PHP 5.3 and PostgreSQL stand out for their excellent code quality, with the company stating their programmers are "model citizens" (notably for their use of a static code analyser).