Latest Coverity Scan metrics for LibreOffice, with 0 outstanding defects in 6 million lines of code. Kudos to our developers.
Berlin, July 25, 2018 – The Document Foundation celebrates five years of improvements to LibreOffice’s source code under Red Hat’s leadership, thanks to the adoption of automated tools such as Coverity Scan and Google OSS-Fuzz, and to the key contributions in the area of source code fuzzing of security specialists such as Antti Levomäki and Christian Jalio of Forcepoint.
“The combination of Coverity Scan, Google OSS-Fuzz and dedicated fuzzing by security specialists at Forcepoint has allowed us to catch bugs – which could have turned into security issues – before a release,” says Red Hat’s Caolán McNamara, a senior developer and the leader of the security team at LibreOffice.
Since 2013, Coverity Scan has helped to reduce LibreOffice's defect density by several orders of magnitude (from 0.93 to 0.00093 defects per 1,000 lines of code). The score is significantly better than the FOSS software average of 0.65 and the proprietary software average of 0.71.
LibreOffice defect density score during the last two years
The Coverity Scan score is derived from static analysis, which searches the source code for defects and vulnerabilities without executing it. As such, the score is not an absolute measure of the quality and security of the software as it runs on end users' desktops.
More recently, developers have adopted fuzzing (fuzz testing), a technique that feeds invalid, unexpected or random data to a program and monitors it for crashes, failing built-in code assertions or potential memory leaks. Fuzzing can catch issues just a few hours after they appear in the upstream source code repository, helping developers fix bugs and potential security issues before they reach the end user.