Open Source Code Has Fewer Defects Than Proprietary Software

The discovery of the ‘Heartbleed’ bug, which was introduced into the OpenSSL protocol as a programming error, has led some to question the quality of open source code, but research suggests that the quality of today’s open source software is actually higher than that of some proprietary projects.

After analysing 750 million lines of open source code written in C and C++, quality and testing specialist Coverity found that publicly developed software had a lower ‘defect density’ per 1000 lines than the code written by professional developers employed by large corporations. In particular, Linux continues to set standards for the quality of code, while non-relational distributed database HBase can serve as a benchmark for Java projects.

The announcement comes at a time when the way the industry relies on open source has become an issue. Last week, it emerged that a large number of online services used the OpenSSL source code unchecked, after a programmer introduced an error, dubbed ‘Heartbleed’, which would expose data on their their servers.

Better software through collaboration

Coverity Scan Open Source Report has been monitoring the quality of open source software for the past six years, looking at the code of such leading products as FreeBSD, LibreOffice, Apache Hadoop and Cassandra. It has helped developers find and fix at least 94,000 defects – more than half of these were discovered in 2013.

According to the latest annual report, which looked at more than 700 open source projects and their proprietary counterparts written in C or C++, defect density in enterprise software stood at 0.72, but just 0.59 in open source programmes.

Meanwhile, Linux developers have reduced the average time to fix a new defect from 122 days in 2008 to just six days in 2013. Coverity scanned more than 8.5 million lines of Linux code and found average defect density of 0.61.

The company also analysed more than eight million lines of code from 100 open source Java projects, and found that HBase – a database built on Apache Hadoop – was fixing a lot more defects than its competitors. Coverity suggests this is due to the fact that many developers are overly reliant on protections built into Java, such as ‘garbage collection’.

“If software is eating the world, then open source software is leading the charge,” said Zack Samocha, senior director of Products for Coverity. “Based on the results of this report – as well as the increasing popularity of the service – open source software projects that leverage development testing continue to increase the quality of their software, such that they have raised the bar for the entire industry.”

The report serves as the antidote to the criticism surrounding OpenSSL, following the discovery of the Heartbleed bug. Some experts have blamed the developers for not finding the vulnerability before it was introduced into version 1.01 of the protocol in March 2012, calling it the biggest failure of the free software movement to date.

Others have said that the fault lies with the wider software industry for taking a free ride on open source, using the tools it provides without running their own quality checks, or contributing resources to the development process.

How well do you know open source software? Take our quiz!