Frequently Asked Questions (FAQ)
- What is Coverity Scan?
- How did this project begin?
- Who can have access?
- How do I get my project included in Scan?
- My project is already in Scan, how do I get an account?
- Does the project or do project members have to sign an NDA?
- Why is Coverity giving the results away?
- How is the Department of Homeland Security involved?
- What is static analysis?
- What types of issues does the tool find?
- How can I get this tool for use on my non-open-source codebase?
What is Coverity Scan?
Coverity, the development testing leader, is the trusted standard for companies that need to protect their brands and bottom lines from software failures. Coverity Scan is powered by Coverity® Quality Advisor.
Coverity Quality Advisor surfaces defects identified by the Coverity Static Analysis Verification Engine (Coverity SAVE®) for fast and easy remediation.
Coverity offers the results of its Coverity Quality Advisor for free to participating open source developers.
How did this project begin?
The Coverity Scan initiative was launched on March 6, 2006. During the first year of operation, over 6,000 software defects were fixed across 50 C and C++ projects by open source developers using the analysis results from the Coverity Scan service.
Who can have access?
Access to the detailed analysis results for most projects is granted only to members of the open source project, to ensure that potential security defects may be resolved before the general public sees them.
Our approach is that of Responsible Disclosure. We provide the analysis results to the project developers only, and do not reveal details to the public until an issue has been fixed.
For a thorough discussion of Full Disclosure and Responsible Disclosure, you can refer to comments by Bruce Schneier, or Matt Blaze, or the Wikipedia article on Full Disclosure.
Since projects that do not resolve their outstanding defects are leaving their users exposed to the consequences of those flaws, Coverity will work to encourage a project to resolve all of their defects. Coverity may set a deadline for the publication of all the analysis results for a project.
In the discussion of Full Disclosure and Responsible Disclosure, the focus has always been on handling individual coding issues whose impact is reasonably well understood. For automated code testing tools, the best practices have not been discussed. Testing tools may find large numbers of issues, and those counts span a range of impact levels. Since the results require triage by a developer, they can sometimes languish, including defects whose security implications expose end users' systems. To push for those issues to be resolved, in the same spirit as the individual issue disclosure policies, Coverity may set planned publication dates for the full analysis results of a project. Projects may negotiate the date with us if they are making progress on resolving the outstanding issues.
How do I get my project included in Scan?
The following definitions are Coverity's guideline for including projects in the Scan.
Project licenses must meet the criteria described by the Open Source Initiative.
Projects initiated and maintained by registered nonprofit organizations (any nationality), individuals, or groups with no associated corporation are automatically eligible.
Projects initiated and maintained by for-profit corporations, or with licenses outside the OSI guidelines, or with licenses within the OSI guidelines, but which are conditional to different audiences, are included at Coverity's discretion.
If your project is not already listed on the site, sign up, click on Add project, and register your new project. Finally, fill out the resulting form and click Submit.
My project is already in Scan, how do I get an account?
If you are not yet a registered user of Scan, you can Sign up, click on Add Project, and find your project in the project table. You will be granted access subject to approval by the project owner or a Scan administrator.
Does the project or do project members have to sign an NDA (Non-disclosure agreement)?
For the current Scan site, signed paper NDAs are not required. Signed paper NDAs may be included as part of the process for projects to receive access to advanced features or additional tools.
Project members signing up are required to accept a click-through license.
The click-through license is designed to not conflict with employees' obligations to their employers or make any promise on behalf of their employers. We understand the problems that could cause for individuals.
Additional web site automation is being implemented, to allow the license to actually behave as a 'click-through'. While the current text includes a 'Coverity may update this' clause, it is our intention to remove this clause when click-through functionality is in place.
Why is Coverity giving the results away?
Coverity Scan began in collaboration with Stanford University. It started under a contract with the Department of Homeland Security to harden open source software which provides critical infrastructure for the Internet.
The result has been overwhelming. With over 6,000 defects fixed in the first year (averaging over 16 fixes every day of the year), recognition of the benefits from the Scan results has been growing steadily. Requests for access to the results and for inclusion of additional projects have shown that the open source community recognizes the benefits of the analysis.
In response, Coverity is continuing to fund the Scan beyond the requirements of the DHS contract, which expired in 2009. New projects will continue to be given access to their analysis results on an ongoing basis (time and resources permitting).
How is the Department of Homeland Security involved?
Coverity Scan started under a contract with DHS to harden open source software.
The National Cyberspace Strategy document details their priorities to:
- Identify and Remediate Existing Vulnerabilities
- Develop Systems with Fewer Vulnerabilities and Assess Emerging Technologies for Vulnerabilities
Those priorities include sub-elements to:
- Secure the Mechanisms of the Internet
- Improve the Security and Resilience of Key Internet Protocols
- Reduce and Remediate Software Vulnerabilities
- Assess and Secure Emerging Systems
DHS had no day-to-day involvement in the Scan project, and the three year contract was completed in 2009.
What is static analysis?
Static analysis is a set of processes for finding source code flaws.
In static analysis, the code under examination is not executed. As a result, test cases and specially designed input datasets are not required. Examination for defects is not limited to the lines of code that are run during some number of executions of the program, but can include all lines of code in the codebase.
Additionally, Coverity's implementation of static analysis can follow all the possible paths of execution through the source code, including across function boundaries (interprocedurally), and find defects caused by the conjunction of statements that are not errors independently of each other.
What types of issues does the tool find?
Some examples of the defects include:
- resource leaks
- dereferences of NULL pointers
- incorrect usage of APIs
- use of uninitialized data
- memory corruption
- buffer overruns
- control flow issues
- error handling issues
- incorrect expressions
- concurrency issues
- insecure data handling
- unsafe use of signed values
- use of resources that have been freed
The consequences of each type of defect are dependent on the specific instance. For example, unsafe use of signed values may cause crashes, lead to unexpected behavior, or lead to an exploitable security vulnerability.
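As an added illustration (constructed for this FAQ, not code from the Coverity Scan site and not Coverity's own checker logic), the C snippet below shows two of the defect classes listed above, each beside a hardened form. The NULL dereference exists only in the conjunction of two functions that are each correct in isolation, which is why the interprocedural analysis described under "What is static analysis?" matters; the resource leak sits on an error path that a test suite with ordinary inputs would rarely exercise. The lookup table, function names and file path are all made up for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample table; in a real codebase this might be a
 * symbol table or configuration map. */
struct entry { const char *name; int value; };
static const struct entry TABLE[] = {
    { "alpha", 1 }, { "beta", 2 }, { "gamma", 3 },
};
#define TABLE_LEN (sizeof TABLE / sizeof TABLE[0])

/* Returns NULL when the key is absent. On its own this is correct:
 * "not found" is a legitimate result for a lookup. */
static const struct entry *find_entry(const char *name)
{
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (strcmp(TABLE[i].name, name) == 0)
            return &TABLE[i];
    return NULL;
}

/* Defect: the caller assumes find_entry() always succeeds. Neither
 * function is wrong by itself; the NULL dereference only exists in
 * the combination, which an interprocedural checker reports. */
int lookup_value_unchecked(const char *name)
{
    const struct entry *e = find_entry(name);
    return e->value;               /* NULL dereference when name is absent */
}

/* Hardened form: every path handles the NULL return explicitly. */
int lookup_value(const char *name, int *out)
{
    const struct entry *e = find_entry(name);
    if (e == NULL)
        return -1;                 /* "not found", nothing dereferenced */
    *out = e->value;
    return 0;
}

/* Resource leak on an error path: the early return skips fclose().
 * The happy path is fine, so only path-sensitive analysis or a failing
 * fseek() would ever reveal it. */
long file_size_leaky(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    if (fseek(f, 0, SEEK_END) != 0)
        return -1;                 /* leak: f is never closed on this path */
    long n = ftell(f);
    fclose(f);
    return n;
}

/* Hardened form: a single exit releases the handle on every path. */
long file_size(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    long n = -1;
    if (fseek(f, 0, SEEK_END) == 0)
        n = ftell(f);
    fclose(f);
    return n;
}

int main(void)
{
    int v = 0;
    printf("beta  -> %d\n", lookup_value("beta", &v) == 0 ? v : -1);
    printf("delta -> %s\n", lookup_value("delta", &v) == 0 ? "found" : "not found");
    printf("size of missing file -> %ld\n", file_size("/nonexistent/example.bin"));
    return 0;
}
```

Calling `lookup_value_unchecked("delta")` would crash, exactly the case a static checker flags without needing an input that reaches it; the hardened `lookup_value` and `file_size` behave correctly on both the found and not-found paths.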
How can I get this tool for use on my non-open-source codebase?
There is more information available at Coverity.com, or you can contact the sales department at sales@coverity.com.