The great guys at scan.coverity.com published their Open Source Report 2008 in which they detail findings about source code they've monitored and how quality and bug density etc have changed over time since they started scanning over 250 popular open source projects. curl is one of the projects included.
Some highlights from the report:
- curl is mentioned as one of the (few) projects that fixed all defects identified by coverity
- from their start, the average defect frequency has gone down from one defect per 3333 lines of code to one defect per 4000 lines
- they find no support to backup the old belief that there's a correlation between function length and bug count
- the average function length is 66 lines
And the top-5 most frequently detected defects are:
- NULL Pointer Dereference 28%
- Resource Leak 26%
- Unintentional Ignored Expressions 10%
- Use Before Test (NULL) 8%
- Buffer Overrun (statically allocated) 6%
For all details and more fun reading, see the full Open Source Report 2008 (1MB pdf)
Mainly thanks to the 22 friends named in the release notes, curl and libcurl 7.18.1 was released today with the news and fixes that should prove this the best curl and libcurl versions ever - I guess we always have to believe that our latest is the greatest, why else would we release it?
The release notes identifies 23 bug fixes we did during the two months since the last release, and the news we introduce include these goodies:
- added support for "HttpOnly" cookies
- 'make ca-bundle' downloads and generates an updated ca bundle file
- we no longer distribute or install a ca cert bundle
- SSLv2 is now disabled by default for SSL operations
- the test509-style setting URL in callback is officially no longer supported
- support a full chain of certificates in a given PKCS12 certificate
- resumed transfers work with SFTP
- added type checking macros for curl_easy_setopt() and curl_easy_getinfo(), watch out for new warnings in code using libcurl (needs gcc-4.3 and currently only works in C mode)
- curl_easy_setopt(), curl_easy_getinfo(), curl_share_setopt() and curl_multi_setopt() uses are now checked to use exactly three arguments
- --with-ca-path=DIR configure option allows to set an openSSL CApath instead of a default ca bundle.
As usual, you can download it here.
On scan.coverity.com, the nice guys at Coverity run scans on open source projects to check for flaws in their source code. Their list currently includes 265 projects, and curl is one of them. I have only good words to say about their scanning, as they found no less than 27 flaws in curl 7.16.1 and only one of them was a false positive. All the others were valid and true flaws that we could fix. I don't think anyone was any serious security risk, but still. 26 bugs detected in one go.
On January 8th 2008, Coverity announced their "rung 2" for eleven projects that had zero flaws left in rung 1 and the rung 2 projects get an upgraded analysis. curl was also at zero flaws left, but it isn't clear to me what else we could to do to reach rung 2 or even how we can get them to do a follow-up scan on a newer release since 7.16.1 is quite old by now and with all the changes in the code over time there's always the risk new nasty bugs have crept in... So we're at rung 1 still with no recent release scanned.