Coverity Adds Java Support to OSS Scan Service

San Francisco-based Coverity Inc. has expanded its static source-code analysis scanning solution. The solution now supports Java-based open source software (OSS) projects. Developers can check their OSS Java applications for free using Coverity's hosted solution. The solution scans applications and points out security and quality problems in the code without actually running the tested application.

Coverity's scanning site already checks open source applications based on C and C++ code. The site has scanned more than 250 C/C++ solutions, entailing "55 million lines of code," according to an announcement issued by the company. The announcement adds that because of the scans, "more than 7,500 security and quality defects" have been fixed by project administrators.

The new Java code-scanning capability of the site is being enabled, in part, through Coverity's contract with the U.S. Department of Homeland Security. David Maxwell, Coverity's open source strategist, said that Coverity has three-year contract with the government agency. The Coverity solution is tested by Symantec, which also has a contract with the agency, he added.

The Department of Homeland Security issued the contract as part of its security initiatives, Maxwell explained.

"Under their Cybersecurity initiative, they [Department of Homeland Security] have a section which is securing the Internet infrastructure," he said. "A large portion of the Internet is built based on open source software -- when you think of the most popular Web server, it's Apache, and obviously Linux is a very popular operating system for servers. Many of the components of the Internet are open source."

Static source-code analysis is a way of checking code before compiling it. Maxwell said that the technology has been around for a while but that Coverity has enhanced a solution that was originally developed at Stanford University. Static source-code analysis complements unit testing and quality assurance efforts because you check the code before running it.

The standard method of dynamically testing code by compiling it can be cumbersome, especially for large projects. Maxwell said that some standard dynamic testing tools can run for weeks and not exhaust finding possible errors in programs.

The Coverity Prevent SQS engine, which underlies Coverity's scanning site, "analyzes software dependencies, key third-party libraries and projects spread across multiple development groups," according to Coverity's announcement.

Coverity's open source scanning solution is available for free -- although with no support -- to OSS developers as a hosted application. The company also offers licenses to commercial software developers, where companies can purchase training and use the solution with as many developers as wanted, Maxwell said. For the commercial environment, Coverity's solution is installed, not hosted, he added.

Developers can access Coverity's OSS code analysis site here.

About the Author

Kurt Mackie is online news editor, Enterprise Group, at 1105 Media Inc.