
Frequently Asked Questions (FAQ)

What is Coverity's Scan?

Coverity is the leader in software integrity. Coverity Scan is powered by Coverity’s flagship product, Coverity® Static Analysis, which is the industry’s leading automated source code analysis solution. Coverity offers the results of its analysis for free to participating open source developers.

If you are a member of an open source project, and your project is already listed on the Scan Ladder, read the Developer FAQ then follow the Sign In link beside the entry for your project on the ladder.

If you are a member of an open source project, and your project is not already listed, read the Developer FAQ, then please email scan-admin@coverity.com.

How did this project begin?

The Coverity Scan Initiative was launched on March 6, 2006. In the first year of operation, over 6,000 software defects were fixed by open source developers using the analysis results from the Coverity Scan service. In the first year, 50 open source projects written in C and C++ were included.

On the first-year anniversary, Coverity unveiled the expansion of Scan. More projects were added, and more information was made available for developers and others interested in understanding what the Scan is and how developers use it. A new framework was put into place to help open source developers learn how to use the Coverity Scan results by gradually introducing them to more advanced features of Coverity Static Analysis. Projects that actively use the Coverity Scan results are eligible to move up the ladder and receive access to additional functionality. Finally, within the new framework of the Scan Ladder, additional analysis results that were not enabled during Coverity Scan's first year were made available to the developers.

In November 2010, the Scan Ladder was replaced with the Scan Ranking system. Migration to the new system is ongoing.

What was the Scan Ladder?

The Scan Ladder was a conceptual progression for open source code to advance towards being Coverity Clean. Launched in March of 2007, a project's advancement to each new rung on the ladder was based on dealing with the issues at its current rung.

In 2010, the Scan Ladder with discrete integer rungs was retired. In its place, we have a floating-point rank, based on the defect-density of each project. Lower numbers are better (fewer defects per thousand lines of code).

Who can have access?

Access to the detailed analysis results for most projects is permitted only to members of the scanned project, partly to ensure that potential security issues can be resolved before the general public sees them.

Our approach is that of Responsible Disclosure. We provide the analysis results to project developers only, and do not reveal details to the public until an issue has been fixed. A portion of the defects discovered by the Scan could reveal exploitable security vulnerabilities.

For a thorough discussion of Full Disclosure and Responsible Disclosure, you can refer to comments by Bruce Schneier, or Matt Blaze, or the Wikipedia article on Full Disclosure.

Since projects that do not resolve their outstanding defects are leaving their users exposed to the consequences of those flaws, Coverity will work to encourage a project to resolve all of their defects. Coverity may set a deadline for the publication of all the analysis results for a project.

In the discussion of Full Disclosure and Responsible Disclosure, the focus has always been on handling individual coding issues whose impact is reasonably well understood. For automated code testing tools, best practices have not been discussed. Such tools may find large numbers of issues, spanning a range of impact levels. Since the results require triage by a developer, they can sometimes languish, including those defects whose security implications expose end-users' systems. In order to push for those issues to be resolved, in the same spirit as the individual issue disclosure policies, Coverity may set planned publication dates for the full analysis results of a project. Projects may negotiate with us about the date if they are making progress on resolving the outstanding issues.

If you are a member of an open source project, and your project is already listed on the Scan Site, read the Project FAQ, then follow the Sign In link if you have an account; otherwise contact the maintainers of your project for access.

If you are a member of an open source project, and your project is not already listed, read the Developer FAQ, then email scan-admin@coverity.com with information about your project.

Please be patient, as new project requests have to be handled in between maintenance for existing projects.

Can I get my project into the Scan?

Please see the Developer's FAQ.

Why is Coverity giving the results away?

The Scan project began in collaboration with Stanford University. It started under a contract with the Department of Homeland Security to harden open source software which provides critical infrastructure for the Internet.

The response has been overwhelming. With over 6,000 defects fixed in the first year, averaging over 16 fixes every day of the year, recognition of the benefits of the Scan results has been growing steadily. Requests for access to the results and for inclusion of additional projects have shown that the open source community recognizes the benefits of the analysis.

In response, Coverity is continuing to fund the Scan beyond the requirements of the DHS contract, which expired in 2009. New projects will continue to be given access to their analysis results on an ongoing basis (time and resources permitting).

How is the Department of Homeland Security involved?

The Scan project started under a contract with DHS to harden open source software.

The National Cyberspace Strategy document details their priorities to:

  • Identify and Remediate Existing Vulnerabilities
  • Develop Systems with Fewer Vulnerabilities and Assess Emerging Technologies for Vulnerabilities

Those priorities include sub-elements to:

  • Secure the Mechanisms of the Internet
  • Improve the Security and Resilience of Key Internet Protocols
  • Reduce and Remediate Software Vulnerabilities
  • Assess and Secure Emerging Systems

DHS had no day-to-day involvement in the Scan project, and the three year contract was completed in 2009.

What is static analysis?

Static analysis is a family of techniques for finding flaws in source code without running the program.

Because the code under examination is not executed, test cases and specially designed input datasets are not required. Examination for defects is not limited to the lines of code that happen to run during some number of executions of the program, but can cover every line of code in the codebase.

Additionally, Coverity's implementation of static analysis follows the possible paths of execution through the source code, including across function calls (interprocedural analysis), and so can find defects caused by the conjunction of statements that are not errors independently of each other.
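The interprocedural point above is easiest to see in code. The following is an added illustration written for this FAQ, not code from Coverity or from any scanned project; the lookup table, the two callers and their names are constructed for the example. Neither function contains an error on its own: lookup() documents NULL as a valid result, and value_length_unchecked() merely uses what it is given. The defect exists only in the conjunction of the two, which is exactly what an intraprocedural check (or a test suite that never asks for a missing key) would miss.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a configuration store. */
struct entry { const char *key; const char *value; };
static const struct entry table[] = {
    { "user",  "alice"   },
    { "shell", "/bin/sh" },
};

/* Returns the value for key, or NULL if the key is absent.
 * In isolation this is correct: NULL is part of its contract. */
static const char *lookup(const char *key)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].key, key) == 0)
            return table[i].value;
    return NULL;
}

/* Buggy caller. Also looks fine in isolation, but combined with lookup()'s
 * NULL path, strlen() dereferences a NULL pointer for any unknown key. */
size_t value_length_unchecked(const char *key)
{
    const char *v = lookup(key);
    return strlen(v);               /* NULL dereference when key is missing */
}

/* Fixed caller: handles the NULL path that the callee's contract allows. */
size_t value_length_checked(const char *key)
{
    const char *v = lookup(key);
    if (v == NULL)
        return 0;                   /* absent key: report zero length */
    return strlen(v);
}

int main(void)
{
    printf("user  -> %zu\n", value_length_checked("user"));     /* 5 */
    printf("shell -> %zu\n", value_length_unchecked("shell"));  /* 7 */
    printf("nope  -> %zu\n", value_length_checked("nope"));     /* 0 */
    /* value_length_unchecked("nope") would crash here. */
    return 0;
}
```

A path-sensitive interprocedural analysis records that lookup() has a path returning NULL, then reports the unchecked caller at the strlen() call; the checked caller is silent because the NULL path is handled before the dereference.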

What types of issues does the tool find?

Some examples of the defects include:

  • resource leaks
  • dereferences of NULL pointers
  • incorrect usage of APIs
  • use of uninitialized data
  • memory corruption
  • buffer overruns
  • control flow issues
  • error handling issues
  • incorrect expressions
  • concurrency issues
  • insecure data handling
  • unsafe use of signed values
  • use of resources that have been freed
  • and many more

The consequences of each type of defect are dependent on the specific instance. For example, unsafe use of signed values may cause crashes, lead to unexpected behavior, or lead to an exploitable security vulnerability.
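To make the "unsafe use of signed values" example concrete, here is an added C illustration written for this FAQ; it is not Coverity code and not taken from any scanned project, and the constant BUF_SIZE, the sample message and the function names are all constructed. The unsafe check is the pattern commonly found in network parsers: a length read from the wire is kept in a signed int and only its upper bound is tested. A negative length passes that test, and when it later reaches memcpy() it is converted to size_t and becomes a huge value, turning a "crash" class bug into a buffer overrun that may be exploitable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16                 /* constructed buffer capacity */

/* Unsafe check: only the upper bound is tested, so a negative length
 * (for example one parsed from an attacker-controlled header) is accepted.
 * Returns 1 if len would be accepted. */
int length_ok_unsafe(int len)
{
    return len <= BUF_SIZE;         /* -1 <= 16 is true */
}

/* Hardened check: reject negative values first, then compare in the
 * unsigned domain so the comparison against a size_t capacity is exact. */
int length_ok_safe(int len)
{
    if (len < 0)
        return 0;
    return (size_t)len <= BUF_SIZE;
}

/* Copies len bytes of src into dst (capacity BUF_SIZE). Returns the number
 * of bytes copied, or -1 when the hardened check rejects len. If this used
 * length_ok_unsafe() instead, len == -1 would reach memcpy() as SIZE_MAX. */
int copy_message(unsigned char dst[BUF_SIZE], const unsigned char *src, int len)
{
    if (!length_ok_safe(len))
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Constructed 16-byte sample message. */
static const unsigned char sample[BUF_SIZE] = "0123456789abcdef";

/* Copies the sample with a caller-supplied (possibly hostile) length claim.
 * Returns -1 if rejected, -2 if the copy did not match, else the byte count. */
int copy_sample(int claimed_len)
{
    unsigned char dst[BUF_SIZE];
    int n = copy_message(dst, sample, claimed_len);
    if (n < 0)
        return n;
    return memcmp(dst, sample, (size_t)n) == 0 ? n : -2;
}

int main(void)
{
    printf("unsafe accepts -1: %d\n", length_ok_unsafe(-1));   /* 1 */
    printf("safe   accepts -1: %d\n", length_ok_safe(-1));     /* 0 */
    printf("copy 4  -> %d\n", copy_sample(4));                 /* 4 */
    printf("copy 17 -> %d\n", copy_sample(17));                /* -1 */
    printf("copy -1 -> %d\n", copy_sample(-1));                /* -1 */
    return 0;
}
```

The signed/unsigned mismatch is the part a static checker flags: the comparison in length_ok_unsafe() is done on a signed value that later flows, unchanged, into a size_t parameter. Rejecting negatives before the size comparison removes that path entirely.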

How can I get this tool for use on my non-open-source codebase?

Coverity Prevent is a commercial software product. There is more information available on the Coverity Web page, or you can contact the sales department at sales@coverity.com.