LAMP Lights the OSS Security Way

Kevin Young wrote to mention a ZDNet article which goes into some detail on new results from a Department of Homeland security initiative. It's called the 'Open Source Hardening Project', and (funded to the tune of $1.24 Million) the goals of the initiative are to use a commercial tool for source code analysis to buck up the security base of many OSS projects. LAMP (the conglomeration of Linux, Apache, MySQL, and PHP/Perl/Python) was a 'winner' in the eyes of the project. From the article: "In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, 'showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.'"

Old news

[Fnord666]

This is old news:

Re:Old news

I've always been curious how the oldest comment can be redundant...

Dupe

[blirp]

http://it.slashdot.org/article.pl?sid=06/03/04/145 3245

Re:Dupe

[garcia]

Clearly you're wrong. One was posted by Zonk and the other by ScuttleMonkey. Look at the blurbs. Completely different content and title. It's not even a 1/4 dupe by Slashdot standards!

Maybe I've been reading too much politics lately..

[Valdrax]

Maybe I've been reading too much politics news lately, but I'm just waiting for Microsoft to come out with a statement that people capable of evaluating Perl, PHP, and Python are biased in favor LAMP solutions.

I need to do something about my cynicism.

Fucking LAMP.

[autopr0n]

I'm so sick of everyone making their software depend on MySQL. If you're software is any good it should be able to run on more then one DB, at least Postgres.

To me, MySQL is like the MS Access of the Open Source world.

Re:Fucking LAMP.

[IflyRC]

Just wait until Oracle takes over MySQL - the options will be only to go from MySQL to Oracle because "something" will change to make migration easier.

I don't trust Oracle, I've seen them move into too many companies and push others out as well as backstab their own partners.

Re:Fucking LAMP.

[lsappserver]

Yeah right. Have you ever used it or you just read that on some website.

Re:Fucking LAMP.

[Bad+Boy+Marty]

Used it on a site that took a million hits a day. Using the same table definitions, MySQL ran about 5 times faster.

Re:Fucking LAMP.

[Trevin]

I'd love it if database management systems were compatible enough to allow that. The trouble is, it seems only the most basic query syntax has been standardized. Several other aspects, such as table creation, column types, auto-increment variables, and stored procedures, have varying degrees of differences or support between the various databases such that in any sufficiently complex application you would need to write a separate copy of db interface code for every DBMS that you want to support.

Re:Fucking LAMP.

Yeah, but stick with LAMP though, because LAPP makes me think LAPPdance... Alot of security holes to attack! ;)

Aaaah, but lapdancing is the one place where an unexpected hole is a feature ;-)

Re:Fucking LAMP.

[Lord+Jester]

Actually there are some database abstraction routines out there that use one set of functions for multiple database types. PHP-Nuke for example.

Re:Fucking LAMP.

[aurb]

Indeed. I wonder why people are not using SQLite where they need a fast and not _very, very_ large database (that's the case with most websites). And if there's a need for a big and reliable db -- PostgreSQL is the answer.

Re:Fucking LAMP.

[Lumpy]

I'm sick of DB makers ignoring standards and making their SQL not 100% SQL99 compliant.

it's is pure bullcrap that MSSQL,Oracle,MySQL and PostgreSQL can not take the exact same complex query without having to rewrite it.

That is one of the big problems. the fact that some of my queries will not go cross platform because of stupidities thrown in by Microsoft, MYSQL, and Oracle that cause pain and suffering like this.

Re:Fucking LAMP.

[NitsujTPU]

That's nothing.

As an undergraduate, I took a class taught on Oracle platform (it helps that the department got a hefty kickback from Oracle). I got sick for 2 weeks and studied out of a database text that was all about SQL '99. The prof smoked my grade for using SQL '99 syntax, despite, otherwise, getting the questions right.

Re:Fucking LAMP.

[mrops]

Hey that why I say LAMP will never take the place of say Java/spring/hibernate/tomcat/jboss.

Re:Fucking LAMP.

[DogDude]

That is one of the big problems. the fact that some of my queries will not go cross platform because of stupidities thrown in by Microsoft, MYSQL, and Oracle that cause pain and suffering like this.

I'm just curious... what's the situation where you need the same SQL to talk to multiple kinds of databases? Does your company just have one of everything, or do they gut their infrastructure on a regular basis for fun? When I make a committment to a database, I expect it to be at *least* a 5+ year committment. I don't see the reason for replacing the most important part of most IT infrastuctures unless there's an extemely serious reason to do so.

Re:Fucking LAMP.

[tobiasly]

That's why we have database abstraction layers. There will never be a unified SQL syntax until all databases have exactly the same features.

A solution to this would be a standardized way to add nonstandard features, similar to mimetypes which begin with "x-". But don't hold your breath on that one.

Re:Fucking LAMP.

[autopr0n]

Heck, how do you get stored procedures to run across multiple databases? Well, how do you get stored procedures to get to work on mysql at all? Actually, any database-specific queries related code should be sequestered in a small data access layer, along with all your DB code, which could be re-coded for different DBs without upsetting the rest of your system. If you're calling "SELECT * FROM TABLENAME" good software because it can run on any database, then you've got some learnin' to do. If you consider "Select * from tablename" software at all, you've got some learnin' to do. It's not software, it's a query. It's what you do with the data afterwards that makes up the 'software'. You strike me as the kind of person who thinks doing a 'select' and then formatting the output via PHP makes good software, in my mind, it's barely even software at all.

Re:Fucking LAMP.

[abradsn]

Databases are fairly proprietary, and a class on databases should be specific to a platform and if oracle is used then oracle is what matters. Besides oracle is number one in the database market right now, so that seems just fine to me either way. They are the standard.

Unless there is some more to the story (is there?) then the the professor did the right thing.

Re:Fucking LAMP.

[Phillup]

Because it is so easy to find web hosting with MySQL.

Next...

Re:Fucking LAMP.

[Phillup]

I'm just curious... what's the situation where you need the same SQL to talk to multiple kinds of databases?

Um...

Writing software for people that may already have a database?

Even, god forbid, a different kind than the developer may have...

Re:Fucking LAMP.

[Khelder]

Well, the GP didn't say what kind of undergraduate degree program he was in, so maybe it was on something very applied like "Database Administration" and you're right.

But if he's getting a Computer Science degree (which seems to be the plurality of students on /.), then his courses should *not* be emphasizing how the syntax for database A is different from the syntax for database B. The courses should be about higher level concepts (maybe replication, or normalization).

Re:Fucking LAMP.

[jpkunst]

Well, how do you get stored procedures to get to work on mysql at all?

By using MySQL 5.0.

HTH,
JP

Re:Fucking LAMP.

[NitsujTPU]

Exactly. I didn't sign up to go to a trade school. I signed up to learn CS.

Re:Fucking LAMP.

[Malor]

SQLite doesn't seem to be very fast. I know the SlimDevices people are having some trouble with it. They write SlimServer, an open-source Perl server that indexes music and drives the company's (excellent) Squeezebox players.

The problem seems to happen when people have very large collections, greater than 10,000 tracks... updates become slow, and the whole system gets a little sluggish. Apparently, when using MySQL, the problem goes away completely... or at least until someone gets to 100k tracks or something. :)

Perhaps the Slim team is doing something wrong, but they're definitely seeing some performance issues with SQLite.

Re:Fucking LAMP.

[masklinn]

Ever heard of ORM?

Clearly not the best thing for fine tuning your perfs (nothing is but raw SQL and good admins that known the DB), but try checking ActiveRecord for example, it does in fact allow table creation including column types, indexes, 1-1, 1-many and many-many relations between your tables (doesn't handle "true" foreign keys yet though), DB migrations (editing your databases, adding or removing columns or complete tables, modifying a column, ...) and everything is done in Ruby...

Re:Fucking LAMP.

[DogDude]

You strike me as the kind of person who thinks doing a 'select' and then formatting the output via PHP makes good software, in my mind, it's barely even software at all.

Actually, from all of my experience working with HEAVY DUTY web apps (10+ TB databases 5 years ago), I've learned that for most web apps, the BEST performance you can get comes from putting as much work at the database as is possible. There's not a "*" in any of my select's, and most of my business logic is in stored procs.

Re:Fucking LAMP.

[killjoe]

Why don't programs treat SQL as an internalization problem? In a very real way each database server speaks a different language right? If your web site can dish out web pages in croatian why can't it handle four or five dialetcs of SQL?

Re:Fucking LAMP.

[nasch]

If you can run the same code on multiple databases, then you're not taking advantage of any of the database-specific performance features.

Why do you assume his software needs any of those features?

Re:Fucking LAMP.

[Decaff]

Several other aspects, such as table creation, column types, auto-increment variables, and stored procedures, have varying degrees of differences or support between the various databases such that in any sufficiently complex application you would need to write a separate copy of db interface code for every DBMS that you want to support.

There are open (and closed) source products that have dealt with these issues for years. Modern ORMs products handle all of these matters, and automatically provide translation between portable query languages (such as JDOQL) and high-performance vendor-specific SQL depending on the database you deploy on.

It is astonishing to see these matters still being discussed as if no solution exists!

Re:Fucking LAMP.

[dk.r*nger]

it's is pure bullcrap that MSSQL,Oracle,MySQL and PostgreSQL can not take the exact same complex query without having to rewrite it.

So, a SQL parser and compiler that can transform queries between these should be trivial to make, right?
The absense of this tool, combined with the absolute immense usefulness of it, tells my sense of logic that this is not really the case.

Re:Fucking LAMP.

[Heembo]

In the Java world, we have moved to Hibernate, Castor and other Object/Relational engines to get around this problem. Hibernate is especially good at "swapping out" database vendors. But I agree, MySQL is especially poor and SQL compatibility.

Re:Fucking LAMP.

[jafac]

I guess I'm lucky.

I'm in a beginning programming class, and the language is C++, and the tools that the teacher is forcing down our throats is MS Visual Studio.

I looked ahead at the programming examples, and it's all basic logic (really, I should have just tested out of this class, but the school's process for that doesn't allow for it due to the program I'm in - anyway. . . ). None of the C++ code relies on win32 libraries. It's all simple basic stuff - so I pasted some of the assignments into XCode on my Mac.

They compile and run just fine, no modifications.

So I was nice enough to post instructions in the class forum on how to do all the homework on a Mac using XCode. At least one other student (besides me) was trying to run Visual Studio in Virtual PC. . . .

Re:Fucking LAMP.

[NitsujTPU]

Ahh, see, here's the catch.

The year was 2000, so good texts on SQL 99 were hard to come by. MySQL wouldn't honor referential integrity constraints, so it's output was just wrong, no matter how you sliced it. We were using Oracle.

Simply put, the Oracle syntax was 100% different for certain things. Tools and what not aside, if you put SQL 99 code into Oracle, I think that it would work (but don't remember so clearly on that point), but Oracle PL/SQL for triggers, stored procedures, and functions? It's nothing like SQL 99.

MS Visual Studio isn't THAT bad. I dislike how the directory structure that you browse in the code browser isn't reflective of the directory structure on disk, and other unpleasant surprises that one encounters while compiling.

On the Oracle front again, though, folks at my old company wanted to use Java stored procedures in a project that we were working on. We did it, it was fine. Of course, the version of Java that was supported at the time was outdata, and one has to wonder... Perl embedded in Oracle (Oracle came with an interpreter) was the hot thing 5 years ago, now it's Java... Will it be Java 5 years from now? I have a feeling that writing code like that is like inviting a future developer to criticise the primitive tools you clacked together to produce your system.

Re:Fucking LAMP.

[PhotoGuy]

I'm so sick of everyone making their software depend on MySQL. If you're software is any good it should be able to run on more then one DB, at least Postgres.

Sadly, I have found, that there are some basic operations that require non-standard-SQL. I wish SQL were just a *bit* more rich, so it weren't necessary. (One example, if I'm not mistaken, is last_insert_id(), to find the last value in an autoincrement insert. Not possible to do atomically without a server-specific function.) There are a handful of other examples.

Re:Fucking LAMP.

[linuxhansl]

Exactly. Somebody involved with the process told me that MySQL had their code scanned ahead of time, fixed the problem, and then had the "official" scan done. Oh well.

I also wihed MySQL would reduce the marketing spin a little. Two examples:

• Not being able to update rows in Archive-Engine tables... Apparently they couldn't figure out how to do that (after all since the tables in the Archive Engine are compressed you'd have to store is chunks, find the right chunk, uncompress, update, and recompress). Oracle did figure it out... On the MySQL website they painted that as an *advantage* that MySQL has over Oracle.
• Partial Indexed... Postgres (and others) have Partial Indexes. These allow you to restrict an index to a subset of the rows in a table (for example if you have an active flag and most queries are for tuples with the active flag set, you'd have a partial index restricted it to the rows where flags='t'). In MySQL they call indexes on varchars where you also use the index for any prefix of the varchar a "partial index" (all databases support that)... So in various press releases you read about MySQL supporting partial indexes, which is misleading.

(These are just two examples.)

Don't get me wrong, I actually do think MySQL is good database and it is getting better with every release. These half-truths are just not conducive for building trust with their users.

Re:Fucking LAMP.

[Paradise+Pete]

I'm in a beginning programming class

I wouldn't have expected someone with a four-digit account to be in a beginning programming class (though it looks like you just have to satisfy some requirements.) You must have been young when you signed up!

don't waste that $$$!

[urdine]

Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!

Re:don't waste that $$$!

Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!
They do - it says so in the article.

Re:don't waste that $$$!

[Bazzalisk]

Ah, but how many lines of code will it take to correct the bugs? and will those bugfixes themselves contain bugs?

Interested minds couldn't care less.

Re:don't waste that $$$!

[ChrisA90278]

Why not release the results of all the bugs? All those OSS projects will then have 0.00% bugs!

Many other studies and most programmers experiance shows that there is a high likelyhood of introducing a bug whenever you make a change to existing code, In fact on a per line of code written basis "fixes" are about the buggyist code you can write. So if you have .3 bugs per KSLOC (Kilo lines of code) in mature code like Apache orthe Linux kernal the new stuff that fixes a bug might have three times as many bugs per line. But the bug fix is typically small, many time just one to four lines so you do make projess. Over tiome the "defect rate" falls. Graphically it is a curve to reaches zero at infinity.

"Everyone" knows the above so after even a triveal fix you test the heck out of the system then put it though a long beta cycle. Well, at least the projects that have some kind of process in place do this. But note that all the "best" OSS systems sdo have a very strong and well ordered developent process. I'd say the low bug rate is due to the process. The best they can do is make incremental tweeks to the process and wait. At infinity the bug rate will in fact reach zero, or so says the theory.

Re:don't waste that $$$!

[masklinn]

The people who roam on the dev mailing lists of the various projects scanned by Coverity have seen a Coverity guy ask for the security team to whom he could hand the defect reports.

Re:don't waste that $$$!

[shadwstalkr]

At infinity the bug rate will in fact reach zero, or so says the theory.

At which point you throw out the code base and start over, because "the code is too ugly."

Re:don't waste that $$$!

[RLaager]

As a developer on one of the projects listed, I can say that they have. They released them to the developers first, so that we could fix them. I believe Coverity's intention is to make the results public at some point.

The LAMP devs _have_ to write secure code.

After all, that stuff's running most of the Internet.

Re:Maybe I've been reading too much politics latel

[gbjbaanb]

Well, once you read this snippet from the article, they'll have enough ammo:

"There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said."

I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.

Counting Defects

[RasendeRutje]

How can one ever count the defects/bugs per line?
And why count them, and then not remove them?
And one huge defect is better than more than one small ones?
Sounds like a crappy research to me, time to RTFA.

Re:Counting Defects

[Pedro+Sobota]

Very Bad, and I have seen a US Defense - contracted software company (they even do helicopter systems) on their website extensively touting their 'lower defects per line of code (DLC)' methodology. Marketing.

Re:Counting Defects

[masklinn]

How can one ever count the defects/bugs per line?

With a tool whose goal is to scan for defects (out of bound access, memory leaks, uninitialized pointers, ...)

And why count them, and then not remove them?

Duh?

Re:Counting Defects

[jonaskoelker]

How can one ever count the defects/bugs per line?

Good question. The theoretical answer is that one can't. I'll replicate the proof I prepared for my Computability and Logic exam.

I assume you know what turing machines, hoare triples are, and what recursive and recursively enumerable means.

Assumption: there exists an encoding of turing machines, such that the language of all turing machines is recursively enumerable (this is fairly easy to show, but I'll skip it).

The problem is to show that there doesn't exist any turing machine which will take any hoare triple (pre, code, post), and show that under the precondition, running the code enters a state satisfying the postcondition.

I want to show that the `semi-negation' of the problem--that is, proving programs to be incorrect--is recursively enumerable. Consider the hoare triple (true, anything, false). That is, the program is incorrect iff it halts. So any machine solving the incorrectness problem must--among others--solve the halting problem. But we know the halting problem to be recursively enumerable but not recursive. Hence incorrectness is recursively enumerable, but not recusive (this is actually inspired by Dijkstra: "by testing a program, you can only prove the presence of bugs, not the absence").

But then the complement--that is, ('the code part is a turing machine' AND `the hoare triple is correct')--can not be recursively enumerable.

That is, assuming turing machines are as powerful as general-purpose computers, there is no program which will verify correctness of *any* hoare triple.

However, there might be programs that catch most of the typical mistakes, which would of course be very valuable.

Also, there's the whole question of counting lines (as has been pointed out is the not-a-dupe-at-the-time thread).

Also, a very interesting question is whether or not the human brain is more than turing complete--that is, can humans every prove any program to be correct? Nourishing substances for activities in the frontal lobes.

Huh?

[autopr0n]

What are you talking about? We ship appliances with postgres and they don't need vaccuming.

Re:Huh?

[muhgcee]

I work at a company that uses Postgres with one of our products. When there are a lot of INSERTs into the Postgres database, it needs to be vaccuumed or it slows to a crawl.

Re:Huh?

[Dan+Ost]

Vaccuuming is now a background process that you can leave running all the time.

I think auto-vaccuume was added in version 8.

Re:Huh?

[muhgcee]

Ooh, thanks. I'll have to check into that.

Re:Huh?

[dfetter]

I hope that "INSERT" is a typo, because it's just plain wrong. The only thing that needs vacuuming is dead tuples, and the only operations that create dead tuples are UPDATEs and DELETEs. Furthermore, pg_autovacuum has been integrated into the back-end since 8.0.

Re:Huh?

[muhgcee]

Yeah, then it is that. I just do the cleaning up...don't know how the app actually works.

Re:Huh?

[dfetter]

I'm really sorry that your app is written wrong, but that's not a problem with PostgreSQL.

Re:Huh?

[$RANDOMLUSER]

> I'm really sorry that your app is written wrong, but that's not a problem with PostgreSQL.

From *your* GP:

> The only thing that needs vacuuming is dead tuples, and the only operations that create dead tuples are UPDATEs and DELETEs.

So apps that UPDATE or DELETE are "written wrong"???? Sorry, I'll go on thinking it's a problem with PostgreSQL.

Re:Huh?

[KarmaMB84]

shhhhh, don't reawaken the postgres fanboys ;p

Re:Huh?

[dfetter]

Failure to turn on the appropriate automatic vacuuming is a case of "written wrong."

Re:Huh?

[GuyverDH]

if you have to *remember* to turn it on, it's not very *automatic* now is it....

Sorry - couldn't resist.

http://scan.coverity.com/ - highest/lowest

[digitaldc]

As part of the government-funded effort, Stanford and Coverity have built a system that does daily scans of the code contributed to popular open-source projects. The resulting database of bugs is accessible to developers, allowing them to get the details they need to fix the flaws, Coverity said.

Just an FYI...AMANDA had the highest amount of bugs at 1.214 Defects / KLOC and OpenVPN the lowest at 0.100 Defects / KLOC.

Re:http://scan.coverity.com/ - highest/lowest

[paddy_amanda]

Quick response from Amanda development community. Amanda moved from bottom to the top of list!!!! 108 defects addressed within a week. I think this shows the strength of the open source software development methodology. Zero defects found means it will be in top of the list.
See http://scan.coverity.com/ for latest Coverity testing results.
Paddy
Amanda developer
http://wiki.zmanda.com/ for Amanda information

more related

[mnemonic_]

your post is also a dupe.

Re:Solaris

And it won't be long before Linux-zealots will start preemptively bashing Solaris to distract form the screaming shortcomings of their toy-OS. In fact, it will start in t 0.

YEAH RIGHT!

[suso]

Also from the article: The lowest was the XMMS audio player, with 0.051 defects per 1,000 lines of code.

Being someone who has used Amanda for many years and also XMMS, I find it hard to believe. Amanda has few problems (unless its the tape drive itself) and XMMS crashes sometimes when you just push a button in the "wrong way".

I think there can be a big difference between actual number of bugs and the perceived number of bugs. This almost makes counts like this useless for actually comparing software.

Re:YEAH RIGHT!

[maelstrom]

I think it should be obvious this bug scanner only picks up on certain classes of "bugs". If they had an automated way of detecting all types of bugs, they would be rich beyond their wildest dreams. I imagine it picks up certain things like out of bound accesses, mallocs without frees, etc. It would make sense that Amanda would have more types of these operations going on than something like xmms.

Re:YEAH RIGHT!

[james_da_silva]

To address several comments I've seen:

* The Amanda developers (as far as I know) were not contacted that Amanda was on the list before it became news. But, Coverity _was_ quick and friendly about giving Amanda developers full access to the bug list for Amanda when we registered.

* Their checks do go beyond simple static checking; they are looking at possible values of index variables at different points in the code to assess potential overflows, and they are tracking malloc/free pretty well. You can find papers about their techniques on Dawson Engler's page at Stanford. There's no doubt that they are holding the clue stick here.

For Amanda specifically, the majority, 76 out of 108 issues found, were malloc/free mismatches. In addition, there were 9 dead-code determinations, 16 potential null pointer dereferences, 3 cases of a function returning -1 into an length variable that is used without checking, 1 uninitialized variable, and 3 array overflows cases, for 108 problems in ~89kloc, or ~1.2/kloc.

Of the 3 array overflow reports, 1 was a false positive, and 2 were cases inside the report generator where the dump level read from the logs was not range checked before per-level statistics were updated. So a corrupted log could cause the report to fail, but no buffer-overflow security holes.

In summary, I'd say the results are quite useful. Thanks to Coverity and our Homeland Security Big Brothers for funding these scans.

James da Silva

Umm... Way to go Department of Homeland Security?

[Wannabe+Code+Monkey]

I have to say, I'm suprised and impressed... a $1.2M grant to harden open source software? Thanks all seeing orwellian eyeball. I don't recall slashdot posting anything about the original grant but here's a link from the posted article to another about the funding.

The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.

0.00 defects per infinity lines of code

[mwvdlee]

If an automated system can detect bugs in code, why can't it fix them automatically too?

Re:0.00 defects per infinity lines of code

[Kuvter]

If an automated system can detect bugs in code, why can't it fix them automatically too?

Because then the computer would have to think and having a computer think is bad! Basically it'd have to 'guess' what you meant to code the section as and then pick one and go with it. If it picked the wrong one you might now be saving to the wrong place or running code you didn't intend on having created.

Re:0.00 defects per infinity lines of code

[Short+Circuit]

How do you fix a bug of ambiguity? Consider this line of code.

if (a = b) {func()};

Was the purpose to compare a to b, and call func() if true? Or was it to set a to b, and call func() if b was true?

Re:0.00 defects per infinity lines of code

[fossa]

Is that considered a bug? From what I recall, it will compile fine; a bug checker should not list that as a bug. Now, I believe GCC will warn you "recommend parens around truth value" or something like that, which should be noticed by the programmer if it indeed wasn't supposed to be an assignment plus truth check but was meant to be a comparison. I don't think anything can detect logic errors like "if (bread_is_done_baking) { turn_oven_on() }" (instead of turn_oven_off())...

Re:0.00 defects per infinity lines of code

[Short+Circuit]

Well, they're technically counting defects. Most programmers I know would assume that the original coder meant "a==b", and change it. So it's considered bad style. Another possible example would be using strcpy() instead of strncpy(); the latter is more secure than the former.

Whether they counted elements of bad style as defects, I don't know. But they certainly couldn't have been looking at behavioral bugs with an automated source-checking system. That requires a user, or something very well-written posing as a user.

Re:0.00 defects per infinity lines of code

[CableModemSniper]

Even if everything it finds IS a bug (which it may not be) that doesn't mean that it has found ALL the bugs in a given piece of code.

Re:0.00 defects per infinity lines of code

[Blakey+Rat]

If your C++ compiler knows there's a missing semi-colon, can't it just add the semi-colon in?

Well... no. It doesn't know what the hell your code is trying to do, and therefore it doesn't know where the missing semi-colon is supposed to go, exactly.

Re:0.00 defects per infinity lines of code

[mwvdlee]

No, a case of not understanding the reasoning behind the question (luckily it seems some people did, but as always, many people assume "ignorance" over "rhetoric").

The actual thing I was getting to is that an automated system can only detect things which are style issues which might indicate bugs. It does not indicate any actual bugs.

It'd be perfectly possible to create a piece of code with zero defects which crashes the system, just as it's perfectly possible to create a piece of code with more defects than lines of code which is absolutely bug-free.

Using such measurements as indicators of code quality is tricky. Surely style is a part of quality, but on the other hand it's rather worthless to have stylish bugs.

Re:0.00 defects per infinity lines of code

[el_womble]

Because it works on the same technology as my girlfriend:

GF: "The bath is leaking!"
Me: "Fix it then"
GF : "The bath is leaking! That's your job!"
Me: "Why? I know as much about plumbing as you do. Here, have a spanner."
GF: "What's a spanner?"
GF: ...
GF: "The bath is still leaking!"

Identifying and whinging about a problem is a completely seperate problem to identifying and actioning a fix.

PS. Spanner = Wrench
PPS. This isn't a slight on girlfriends in general, I'm sure some girlfriends can plumb, I just don't have one of those models.

Re:And for Windows XP?

[NitsujTPU]

If you were really pro open source, rather than anti-Microsoft, you'd probably not care.

Seriously, the "at least it's not Microsoft" argument shouldn't impress anybody. The desire to put out a superior product, period, should be motivation enough to undertake something along these lines.

MySQL

[suso]

I don't trust Oracle

Honestly, I don't trust MySQL either. Every since they started going more commercial, there have been indications that eventually MySQL will be more closed up than open. But that's just speculation. So I've been slowly switching my stuff to use Postgresql. The only problem I have with postgresql is that it doesn't handle user administration as well. Other than that, its awesome.

No MySQL?

[Walles]

I noticed that on Coverity's demo page, there's no mention of MySQL. If they *do* scan MySQL for bugs, why not have it on the front page?

Re:No MySQL?

[rmgrotkierii]

From the bottom of the website:

If you have any questions or would like to request additional
projects to be added to this, please email scan-admin@coverity.com

Test of Leaked Vista/IIS code

[RealProgrammer]

Researchers at clandestine research labs in bases hidden deep in the Russian Alps have attempted to analyze portions of the leaked Internet Information Server (IIS) and Windows Vista code for similar flaws.

The findings were remarkable. They found 4,669 flaws, but since they didn't have the source code it resulted in a divide-by-zero error when they calculated the statistics on their Excel spreadsheet. The error triggered an unheard-of lockup on their Windows XP desktop.

On a positive note, recovering from the error alerted them to the presence of 43 strains of the MyDoom virus, 257 instances of Alexis spyware, and a bootleg copy of "Making of the Britney Spears Sonogram".

RE: Automated bug finding

[moe.ron]

Of course this system from Coverity only checks for static source code bugs, and not run-time errors or semantic errors. And even then, not even necessarily real bugs, but "possible" bugs. Sounds more like FxCop than anything else. The real meat of this evaluation was probably done on the Symantec side, which was probably a laundry list of tests for known vulnerabilities.

Re:And for Windows XP?

[Bad+Boy+Marty]

No, you missed my point. I'd just love to see a *fair* comparison w.r.t. the number of bugs per KLOC.

As for "the desire to put out a superior product", what does that have to do with Microsoft?

Re:Umm... Way to go Department of Homeland Securit

[moe.ron]

FTF(linked)A:

The project, while generally welcomed, has come in for some criticism from the open-source community. The bug database should help make open-source software more secure, but in a roundabout way, said Ben Laurie, a director of the Apache Foundation who is also involved with OpenSSL. A more direct way would be to provide the code analysis tools to the open-source developers themselves, he said. "It is regrettable that DHS has decided once more to ensure that private enterprise profits from the funding, while the open-source developers are left to beg for the scraps from the table," he said. "Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?"

I new I'd find a little truth in there somewhere!

LA - fine M - okay P - ah so many varieties!

[Dareth]

The LAMP stack when broken down consists of:
Linux & Apache - rock solid stable releases.
MySql - Okay, getting better with each release.

P - This is the kicker. Perl, Python, PHP, and more so lately even that R one Ruby & Rails.
We are living in interesting times when we have so much choice... much like the Chinese curse. I do not see as how you can evaluate all of these platforms together in a general fashion. Where is the skew or bias in this study?

Someone on IRC recently was critical of a small website I put together in 2000. It was written in plain html, using frames *gasp*. Many people today do not realize how far web development has come since then.

Re:And for Windows XP?

[NitsujTPU]

What I mean is, why live for such comparisons? Does it have to be about beating Microsoft, or using them as a bar to jump over?

Even if it is, would you consider this an objective metric? Everybody knows that the kloc is, at best, an informal estimate of effort. Perhaps the Microsoft code does in 5 lines what the Open Source code does in 150. There are no bugs in those 5 lines, but 5 in the 150. The 150 line implementation implements an algorithm that runs in poly time, but the 5 lines run in exponential, what's the better code?

Just Gnome?

[Odin_Tiger]

What about KDE? icewm? XFce? Blackbox? KDE at the very minimum, I would think, was a significant oversight. And why FreeBSD? 'L' is for 'Linux'. It's not 'BAMP'. But so long as they were gonna test BSD, why not OpenBSD, the one that can't speak 3 sentences without yelling mentioning how secure it is? It's awesome to see the government do something like this, but I just have to wonder what their justification was for some of the things they picked.

Re:Just Gnome?

[archen]

I agree with you there. I mean the biggest parts of the puzzle are already solved in a LAMP situation - these are typically proven stable software. Seriously, it's not rocket science to untaint a variable from CGI before you pass a query or do some operation. One good thing this does show however is that using a LAMP sort of solution is going to build on a pretty stable foundation. Personally I find one of the most fustrating things in programing stemms from code that is fine, but bigger problems in the underlying system causing issues.

For the record I use FreeBSD / Postgresql / Lighttpd / Perl .

Guess that would be FLiPP or something

Re:What about....

[frankm_slashdot]

Parent: +1.33 (Sarcastic yet funny).

what counts as a bug?

[Dan+Ost]

Did the article say what kinds of things the automated tool flagged as bugs?

Re:what counts as a bug?

[usidoesit]

was gonna ask the same :-) is each one capable of being exploited for er...uh an exploit? and these are "security" bugs, they're special, "defects" I suppose. But there must be some kind of risk assessment curve, severity x probability, that kind of thing. counting regular bugs("nondefects") outside of a business value context would be more meaningless.

Security is not a feature, security is design

[Device666]

Security is not a feature, security is design. This ultimely means that security should provide good default values, knowledge about how to prevent buffer underruns/overruns and most importantly knowledge how to use a system. This means that security only will need tools to help a system architect and developer to confront him with his limits of his human brain and have a well documented yet very simple concise system and low speed development cycles.

Open source is great because of the many eyes, knowledge sharing and having nothing to do with corporate tradeoffs (the users have the largest voice. But it stinks in the fact that any noob can make programs which are badly designed and are a serious risk to security, however someone may learn faster form the mindsharing in the open source world. To have a well concise system so much more is needed than just some bugfixes. OSS is just a proof that closed source coorporate software is not good with security, but it isn't proof of sound security.

Most interesting is OpenBSD with it's oustanding default values, it's very own high profile malloc which prevents coders for lot of buffer underrunes/overruns, outperforming other malloc implementations. It has a very high quality of manpages and if you want to do something then you have to RTFM. That's what security should be, other than some less known bugs. I would even suggest that it would be better in the name of security that people would use program derivation (which is a very concise way to do formal verification). PIE and all other solutions maybe look practical, but they don't solve the lacking attention for "secure by design".

Re:Maybe I've been reading too much politics latel

[hcob$]

I need to do something about my cynicism.

Yes, you need to nurture it and get into politics!

Will Coverity contribute?

[mwilliamson]

"The company did not give details on the scope of the flaws it found." After all that work reviewing a rather massive amount of code, are they not going to publish detailed results, or at least contact developers? They have their data for the study now. WTF?

Re:Will Coverity contribute?

[NewbieProgrammerMan]

Yes, they're contacting the developers.

Re:Will Coverity contribute?

[judmarc]

It didn't say the company wouldn't give details to the reviewed projects, and in fact Coverity has sent correspondence to the projects earlier this week offering to do just that. See http://kerneltrap.org/node/6299 re the Linux kernel; similar messages were sent to the other projects.

Re:Curious absence of OpenBSD/OpenSSH ...

[Triumph+The+Insult+C]

a few regular committers to openbsd work at coverity

search the archives. it's explained

From the lame-ass-metaphor dept.

[tobiasly]

"LAMP Lights the Way"?! Was Slashdot acquired by C|Net?

For the love of all that's holy, please drop the hackish high-school-newsletter headlines.

For the rest of us

[mal0rd]

What is there available for this kind of analysis that doesn't cost money to use?

Re:For the rest of us

[shadwstalkr]

It seems like the grant money would have been better spent funding an OSS code analysis tool instead of this one shot deal. Bureaucracy in action.

Kernel Fuck Count

[porneL]

Maybe they've measured in a specific way?

Checkpointing.

[Ivan+Matveitch]

The whole database concept is just fundamentally wrong.

Commercial metrics?

[XMilkProject]

Do we have any metrics to compare this to Commercial software quality? I know thats a bit hard to answer, but I'm curious what this same tool has found when used on commercial code.

Maybe someone works for a company that used the tool on their code? Or some results have been published somewhere?

It is simple really

[SmallFurryCreature]

Who says that when XMMS crashes it is XMMS'es fault?

It could be one of its library's. XMMS source code doesn't give you the player (or at least not one that will do anything) if you used gentoo or LFS you would know this.

Oh and bugs != programming errors or design flaws. Even if you elimenate all the bugs you could still have a program that blows up your cat when you try to save a file. It will just do it without any bugs getting in the way. Wich is a good thing. Unless your the cat.

Re:It is simple really

[Catskul]

Oh and bugs != programming errors or design flaws. Even if you elimenate all the bugs you could still have a program that blows up your cat when you try to save a file. It will just do it without any bugs getting in the way. W(h)ich is a good thing. Unless you('re) the cat.

I had a professor who used to say "There is no such thing as a bug. Take responsibility for your errors". All "bugs" *are* programming errors or design flaws unless you are actually talking about a moth that shorted out your powersupply. Im not sure how it works on your planet but on this planet saving a file which then has some unintended side effect would classify as a bug/programming-error/design flaw.

Solution for the time being...

[ceeam]

Do not use complex queries then. If your DB is on the same host as your web/application server there should be no big performance penalty in doing series of "smaller" queries. As an added bonus - they well may be easier to debug. And do not name your tables "order" or your fields "desc" (though I really hate prefixes/suffixes).

Re:Solution for the time being...

[Richthofen80]

If your DB is on the same host as your web/application server

If you are relying on this type of architecture, where one machine does all the work, interoperability with seperate databases is probably not even needed.

But if you're working with a project that needs replication and such, then you really can't rely on DB and web server being the same machine. Sometimes you have to sell your software as an installable product and make it work on multiple DB platforms. Sometimes you have to write to foreign databases using ODBC.

Simplifying queries isn't an extensible solution. For instance, it is intuitive to use
"LIMIT 10,20" (MySQL) instead of using "TOP 20 WHERE ID >= 10" (T-SQL). No simplification will fix that branch, and its kind of obvious that one of the solutions makes more sense. (Or, alternatively, how MySQL will by default install rules fill in blank strings in most fields if no data is provided for them, instead of throwing an error.)

Re:Solution for the time being...

[PitaBred]

So the default is NULL allowed, rather than NOT NULL when making your tables in MySQL? Doesn't seem like a horrible obstacle to overcome...

Hint to PHP devs

[billcopc]

Add more linefeeds!!! ;)

Re:Hint to PHP devs

[GHernandez]

/*
comment
more
too
*/

bug reports?

[Janek+Kozicki]

17500000 lines of code, 0.434 bugs per 1000 lines, that makes 17500*0.434=7595 bugs, so where are the bugreports?

Re:And for Windows XP?

[Phillup]

Perhaps the Microsoft code does in 5 lines what the Open Source code does in 150.

I didn't know MS used Perl.

;-)

(unix tools excepted)

-1 OffTopic, but...

[dtsazza]

We are living in interesting times when we have so much choice... much like the Chinese curse.

That's not actually Chinese, I'm afraid. It's just one of those things that's accepted without references; much like the one about eating 8 spiders a year while asleep (and I love the ironic story behind that one).

They did test OpenBSD.

[Some+Random+Username]

First of all, just because people desperately need a stupid acronym for everything, they call pretty much any non java unix web development "LAMP". So there's nothing wrong with testing other free unixes, webservers, databases and languages. Second, a couple of the OpenBSD developers work at coverity. They have tested openbsd and fixed the issues found. It just isn't cool enough for the people who use acronyms like "LAMP" to care about.

I hope they report all the bugs they found

[thisisauniqueid]

I hope they report all the bugs they found in the source code with their automatic tools. Wow, once they fix all those bugs, there won't be any left, because obviously the tools found all the bugs that exist in the code, automatically, and didn't identify anything as a bug that wasn't one.

What I would do.

[autopr0n]

Is have DB spesific code for creating the tables, auto increments, etc. and then use standard queries.

Re:What I would do.

[KarmaMB84]

Creating tables and querying tables isn't even the majority of a database development project. Also, if you want to make full use of your db, you'll probably have non-standard stuff in your queries anyway. Ignoring those features is fine unless they happen to make things work faster or better in some way. At that point, your PHB is firing you to hire someone who "knows how to get the most our of the db".

Re:What I would do.

[Trevin]

Here is a typical example of what I have to deal with all the time: many of our tables include a numeric ID field that must be unique and is a key reference for other tables. Naturally, it should be an auto-incremented value.

In MySQL, you would implement this simply by assigning an auto-increment attribute to the numeric column. Inserting a new row involves setting all necessary columns -except- the ID, which the database takes care of for you. You can make another call to fetch the new ID.

In Oracle, you must use a "sequence number" that exists in a separate system table. So inserting a row consists of fetching the next sequence number, then assigning that value to the ID field when you insert the row.

There isn't a simple, ANSI-standard SQL statement which will handle both of these cases.

Actually

[autopr0n]

I think you're just a bad programmer trying to justify your bad programming practices. SPs are great if you have one big database that lots of applications use, as long as you don't put too much business logic in there such that trying to fix it for one program breaks it for all the others... and then you've got to debug them.

I mean they have their place. If you're writing code for a company that has a standard DB in place they can cut down on transaction time, but if you're writing a more generalized program for people who might want to use a DB they already have they're stupid.

Re:Maybe I've been reading too much politics latel

[masklinn]

I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.

Spot on, as you can see on scan.coverity.com:

• PHP features 205 defects for 431,327locs, or 0.475 defects/kloc
• Perl has 91 defects for 431,327locs, or 0.19 defects/kloc
• Python is very slightly lower than perl (but with a noticeably smaller codebase) at 49 defects for 259,908locs or 0.189 defects/kloc
• Apache-httpd features 32 defects in 127,817 locs, or 0.25 defect/klock

MySQL isn't featured (Ruby is also a noticeable absent), but PostgreSQL stands at 296 defects for 815,748 locs, or 0.363 defects/kloc, and the lightweight SQLite has 16 defects for 60,722 locs or 0.263 defect/klock.

Re:LA - fine M - okay P - ah so many varieties!

[kesuki]

I don't know where you were in 2000, but i was using Apache Mysql PHP on *bsd in 2000, to run blog software off my cable modem. LAMP was already pretty functional in 2000, so I don't know why you'd be using static html unless you were just a n00b then ;)

Re:And for Windows XP?

[masklinn]

Congratulation you're an idiot?

The goal of Coverity's tool is not to estimate the quality of an algorithm, but the quality of the code e.g. memory leaks and stuff.

Running most of the internet?!?

[Dareth]

Oh nog... lets rewrite all the DNS root servers to use LAMP~!

That would be the coolest thing EVA!!!

Until Google gets around to buying them all and porting them to a simple but usable AJAX format!

Static HTML for Static Content

[Dareth]

Use the best tool for the job. DB driven sites and huge PDF downloads are a bane for posting simple static content.

Re:And for Windows XP?

[NitsujTPU]

Thanks. I know. That was my point. Congratulations, you're an idiot who didn't manage to catch that, and you even pointed it out my posting in a forum about it.

Re:And for Windows XP?

[NitsujTPU]

The point was that errors per KLOC is a rather naive measure of success to begin with, just as KLOCs are a poor measure of output to begin with.

Next time you decide to call me an idiot, say something smart.

Re:Maybe I've been reading too much politics latel

[Hosiah]

I need to do something about my cynicism.

Relax. Some of us are so cynical, we regard your statement as a ray of Pollyanna sunshine.

Same Math Error

[oldCoder]

Let's two different attempts to, say, parse XML are coded up. Let's further say one module is 1,000 lines of code and the other is 2,000 lines of code. Let's further suppose they have the exact same bugs, possibly resulting from a typo in the spec. The method used by Coverity would rate one version as being twice as buggy as the other. Indeed, the superior effort, the one that used only 1,000 lines of code, would be penalized for it's efficiency!

They keep on making the same mistake.

Re:And for Windows XP?

[Valdrax]

Perhaps the Microsoft code does in 5 lines what the Open Source code does in 150.

I take it you've never actually done any Win32 programming.
(I hear .NET is a lot better, though...)

Re:Solaris

[Hosiah]

Oh, come on. Not every Linux fan disparages Solaris. It's just that we had our free Unix-clone years before we had our open-Solaris clone, so Solaris is farther behind. However, I notice it's catching up big-time.

You know what the difference is? The kernel and about five programs each - the rest is the same GNU software you find all over the place. When I tried Belenix 0.3, it was very much like an early Ubuntu. - only slower (and I never would have thought that *anything* could have gone slower than Ubuntu!). As I hear it, the next release of Belenix is the one where it's starting to shine, and then there's Nexenta...

PHP could soon have lowest bugs/KLOC!

[martyb]

Well, once you read this snippet from the article, they'll have enough ammo:

"There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said."

I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.

Well, I know a way where you can leave PHP in that stack and still make the bugs/KLOC figure go down REALLY fast. All I need is for someone to check in this simple fix:

unused_variable = unused_variable + 0;
unused_variable = unused_variable + 0;
unused_variable = unused_variable + 0;
/* Insert 9,999,996 more copies */
unused_variable = unused_variable + 0;

[BTW, I suggest using an optimization setting for the compiler so that redundant code is removed.]

It has long been known that bugs/KLOC is a convenient, but not necessarily informative, statistic. A few seconds with google might prove enlightening:

• software metrics
• software defect measurement
• Function Point

Tried it went back

[JoeCommodore]

I tried Postgres but it was a pain,

it was a pain to figure out how to set up

It was a pain to properly configure (never did to my satisfaction, not much good documenation on editing the users file).

It was a pain to get programs that support it to work with it (eWiki) and then not all the features worked when I did (embedding images).

And then if I wanted to do clustering or distributed DBs and such down the road, it was turning out to be a pain finding information about that also.

I liked what I saw, the DB features make sense, and looks great but there's just not enough documentation support to keep me interested.

Right on

[metamatic]

And PHP is the Visual Basic of the open source world.

Free software

[The+AtomicPunk]

It's not really free software now that I'm being forced to pay for it.

Enjoyed it I did.

[Dareth]

The site in question was a personal site with pictures from my wedding.
It was mostly for family members who did not get to attend.

subsetting is OK

[penguin-collective]

It's perfectly fine to subset SQL, IMO.

The fact that so many databases do subset SQL99, however, is perhaps an indication that we would benefit from a well defined "SQL Light" subset.