One Billion Lines of Code Analysed

04 May 01:02

Coverity, Inc. is marketing Coverity Prevent SQS (Software Quality System), an automated solution that identifies and resolves the most critical defects in C, C++ and Java source code.

The technological foundation for Prevent SQS is Coverity's "Software DNA Mapping" technology, which enables defect checks through 100 per cent of the paths in any piece of software. Coverity Prevent SQS leverages this software mapping technology to find 30 per cent more defects in Java, C and C++ software projects.

The product is the result of analyzing one billion lines of software source code and working with more than 200 software development organizations. During the development of Prevent SQS, Coverity worked with software teams that sought to ensure code quality in complex software projects that were spread across multiple groups in multiple sites around the world. In nearly all cases, the challenges in automatic defect discovery and efficient remediation were the same: build systems are ad hoc and heterogeneous, so automatically understanding how software is built from source files is a crucial step; a source code file does not make sense in isolation from the other source files in the eventual running program; and, quite simply, a defect in the code will not fix itself.
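The "checks through 100 per cent of the paths" claim above describes path-sensitive analysis: rather than merging what is known about a variable at every join point, the checker follows each feasible route through the control-flow graph separately, so it can name the exact path on which a defect occurs. The following toy checker is an added example written for this page; it is not Coverity's code and not from the original article. The tiny statement IR, the block names, the two sample control-flow graphs and the null-dereference rule are all constructed for illustration.

```python
"""Toy path-sensitive null-dereference checker (constructed example, not Coverity code)."""
from typing import Dict, List, Optional, Tuple

# Statement forms in this toy IR (constructed for the example):
#   ("assign", var, "null" | "nonnull")  var is set to a null or a known non-null value
#   ("deref", var)                        var is dereferenced
# A CFG maps each block name to (statements, successor block names).
CFG = Dict[str, Tuple[List[tuple], List[str]]]


def enumerate_paths(cfg: CFG, entry: str, exit_name: str) -> List[List[str]]:
    """Return every loop-free path from entry to exit_name, in DFS order."""
    paths: List[List[str]] = []

    def walk(block: str, path: List[str]) -> None:
        path = path + [block]
        if block == exit_name:
            paths.append(path)
            return
        for succ in cfg[block][1]:
            if succ not in path:  # drop back edges so loops cannot recurse forever
                walk(succ, path)

    walk(entry, [])
    return paths


def check_path(cfg: CFG, path: List[str]) -> Optional[Tuple[str, str]]:
    """Abstractly execute one path; return (var, block) of the first null dereference."""
    state: Dict[str, str] = {}  # var -> "null" | "nonnull"; absent means unknown
    for block in path:
        for stmt in cfg[block][0]:
            if stmt[0] == "assign":
                state[stmt[1]] = stmt[2]
            elif stmt[0] == "deref" and state.get(stmt[1]) == "null":
                return stmt[1], block
    return None


def find_null_derefs(cfg: CFG, entry: str, exit_name: str) -> List[dict]:
    """Report each path along which a variable known to be null is dereferenced."""
    findings = []
    for path in enumerate_paths(cfg, entry, exit_name):
        hit = check_path(cfg, path)
        if hit is not None:
            findings.append({"var": hit[0], "block": hit[1], "path": path})
    return findings


# Constructed sample 1: on the failure branch p is nulled, then both branches
# join and dereference p.  A merge-at-join analysis only says "p may be null";
# the path-sensitive check names the exact offending path.
BUGGY_CFG: CFG = {
    "entry": ([("assign", "p", "nonnull")], ["cond"]),
    "cond":  ([], ["fail", "ok"]),                  # if (lookup_failed)
    "fail":  ([("assign", "p", "null")], ["join"]),
    "ok":    ([], ["join"]),
    "join":  ([("deref", "p")], ["exit", "cond"]),  # p->field; retry loop back to cond
    "exit":  ([], []),
}

# Constructed sample 2: same code, but the failure branch returns before the use.
FIXED_CFG: CFG = {
    "entry": ([("assign", "p", "nonnull")], ["cond"]),
    "cond":  ([], ["fail", "ok"]),
    "fail":  ([("assign", "p", "null")], ["exit"]),  # early return on failure
    "ok":    ([], ["join"]),
    "join":  ([("deref", "p")], ["exit", "cond"]),
    "exit":  ([], []),
}

if __name__ == "__main__":
    for name, cfg in (("buggy", BUGGY_CFG), ("fixed", FIXED_CFG)):
        for f in find_null_derefs(cfg, "entry", "exit"):
            print(f"{name}: null dereference of {f['var']} in block {f['block']} "
                  f"via {' -> '.join(f['path'])}")
        print(f"{name}: {len(enumerate_paths(cfg, 'entry', 'exit'))} path(s) examined")
```

Enumerating loop-free paths is exponential in the number of branches, which is why production tools prune infeasible paths and summarise functions rather than walking every route as this toy does; the point here is only that the defect report carries the concrete path a developer needs in order to act on it.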

In understanding these challenges, Coverity Prevent SQS delivers:


For years, commercial and enterprise software developers have looked for products that could automatically and effectively find software defects early in the development cycle. Fixing software bugs early can dramatically reduce the time it takes to bring a software product to market and also potentially save millions of dollars in costly product recalls. However, there were many false starts for tools that looked to discover defects automatically because of their failure to grasp a complete picture of the software.

Prevent SQS supports all major compilers and language extensions:


[This is important progress. Let us hope software developers start to use it. It is not sufficient, though. The software development process itself must be wrapped in a risk management system ensuring that output from software like Coverity's is actually registered, evaluated in terms of risk, and acted upon accordingly. Without this process management, automatic systems are just not going to make a great difference to general software quality. Now that this knowledge is established and good systems available, it is high time to put financial pressure on software developers to develop systems fit for purpose through legislation and litigation. --Ed].

Related links:
www.coverity.com

Taken from Information Security Bulletin.