The widely deployed open-source Apache Web server stacks up well against commercial Web servers in terms of code defects, according to a study by Mountain View, Calif.-based automated software inspection service provider Reasoning Inc.
Reasoning recently inspected Apache V2.1 and compared it with commercial Web servers at a similar stage of development. It found 31 code defects in 58,944 lines of code, a defect density of 0.53 per thousand lines of code; the commercial Web servers it compared against had a defect density of 0.51 per thousand lines.
Using its homegrown proprietary automated inspection software and processes for Java, C and C++ applications, Reasoning inspected the Apache code for memory leaks, NULL pointer dereferences, bad deallocation, out-of-bounds array access and uninitialized variables. Reasoning found 29 NULL pointer dereferences, where an expression dereferences a pointer that can be NULL, and two uninitialized variables, where a variable is read before it has been assigned a value.
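The two defect classes that account for all 31 findings are easiest to recognize in code. The example below is added here and is not from Apache httpd or from Reasoning's report; it uses a constructed header table and hypothetical function names (find_header, header_len_checked, parse_content_length) to show each defect in the form an automated inspection flags, next to the corrected version.

```c
/* Added example: NULL pointer dereference and uninitialized-variable defects
 * in a server-style header lookup, each beside its corrected form.
 * Hypothetical code, not from Apache httpd or Reasoning's inspection. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a parsed request's header list. */
struct header { const char *name; const char *value; };

static const struct header SAMPLE_HEADERS[] = {
    { "Host", "example.com" },
    { "Content-Length", "42" },
};
#define N_SAMPLE (sizeof SAMPLE_HEADERS / sizeof SAMPLE_HEADERS[0])

/* Returns the value for name, or NULL when the header is absent. */
const char *find_header(const struct header *h, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(h[i].name, name) == 0)
            return h[i].value;
    return NULL;
}

/* DEFECT (NULL pointer dereference): find_header documents a NULL return,
 * but strlen(v) dereferences it unconditionally. An absent header crashes
 * the worker, which is the denial-of-service angle the article alludes to. */
size_t header_len_unchecked(const char *name) {
    const char *v = find_header(SAMPLE_HEADERS, N_SAMPLE, name);
    return strlen(v);
}

/* FIXED: test the pointer before use and report absence explicitly. */
size_t header_len_checked(const char *name, int *found) {
    const char *v = find_header(SAMPLE_HEADERS, N_SAMPLE, name);
    if (v == NULL) {
        *found = 0;
        return 0;
    }
    *found = 1;
    return strlen(v);
}

/* DEFECT (uninitialized variable): rc is assigned only on the failure path.
 * When parsing succeeds the function returns whatever happened to be on the
 * stack, so callers may treat a good parse as an error or vice versa. */
int parse_content_length_uninit(const char *s, long *out) {
    int rc;
    char *end;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || v < 0)
        rc = -1;
    else
        *out = v;
    return rc;
}

/* FIXED: initialize rc to the failure code and set it to 0 only on success.
 * errno is checked so an out-of-range value is not silently clamped. */
int parse_content_length(const char *s, long *out) {
    int rc = -1;
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end != s && *end == '\0' && errno == 0 && v >= 0) {
        *out = v;
        rc = 0;
    }
    return rc;
}

/* Combines the corrected pieces: Content-Length of the constructed request,
 * or -1 when the header is missing or malformed. */
long request_content_length(void) {
    const char *v = find_header(SAMPLE_HEADERS, N_SAMPLE, "Content-Length");
    long n;
    if (v == NULL || parse_content_length(v, &n) != 0)
        return -1;
    return n;
}

int main(void) {
    int found;
    size_t len = header_len_checked("X-Forwarded-For", &found);
    printf("X-Forwarded-For: found=%d len=%zu\n", found, len);
    printf("Content-Length: %ld\n", request_content_length());
    return 0;
}
```

The unchecked and uninitialized variants are left in place only to show the shape an inspection tool reports; calling them with a missing header or a well-formed number is undefined behaviour, so nothing here does.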
"Some consider any defect a security defect," said Thomas Fry, Reasoning's director of marketing. "Some resource leaks in Java, for example, lead to denial-of-service attacks. It depends on how you define a security vulnerability [as opposed to a coding problem]."
Earlier this year, Reasoning did a code review of the Linux TCP/IP stack against commercial TCP/IP stacks, and Linux
Reasoning shares its findings with the open-source community. The findings from the Linux TCP/IP inspection were sent to Linux kernel developers, and some were addressed and fixed immediately, Fry said. Reasoning is waiting to hear from the Apache Group regarding the most recent survey.
"We report all of the defects to the community and to our customers," Fry said. "With our customers, 80% to 85% of the [Apache] defects were fixed immediately. They agreed they were serious."
Currently, Reasoning is inspecting code in Tomcat, the Apache Software Foundation's Java servlet container, which lets the Apache Web server run Java applications. Fry expects those results within two weeks.
"We're only doing reviews right now of open-source projects with large peer reviews [like Linux and Apache]," Fry said. "There are plenty of open-source projects that have smaller followings and less peer reviews. We'll be looking at those eventually to determine how the peer review process improves quality."