Mozilla Using Coverity to Scan Mozilla Source Code for Defects
Sunday August 13th, 2006
According to CNET News.com, Monday will see the Mozilla Foundation and Coverity jointly announce that Coverity tools are being used to scan Mozilla source code for defects. The report quotes Coverity chief technology officer Ben Chelf, who says that the Mozilla Foundation licensed Coverity Prevent, an application that analyses software code for bugs, early last year. The deal was not announced at the time because the Mozilla Foundation wanted to ensure the Coverity product actually got results before going public. Although no official announcement has been made yet, the Mozilla Foundation has not attempted to hide its use of Coverity. Brendan Eich first discussed using Coverity to scan Mozilla source code in January 2005 and indicated that the Mozilla Foundation had made contact with the vendor in the fourth quarter of 2004. Coverity has been mentioned in hundreds of Bugzilla bug reports and a Bugzilla keyword has existed to tag bugs found with the company's tools since last year. Henrik Gemal wrote a weblog post about Mozilla's use of Coverity in May this year. In January, the US Department of Homeland Security gave Coverity, Stanford University and Symantec $1.24 million to search for security bugs in dozens of open-source software projects, including Mozilla Firefox and Mozilla Thunderbird (News.com's report on the DHS open source security initiative has more details about the three-year programme). According to scan.coverity.com, 298 Firefox security bugs have been discovered and fixed as a result of the project since March 6th. It is not immediately clear how the Mozilla Foundation's own use of Coverity relates to the DHS initiative.
#2 Not immediately clear...
Monday August 21st, 2006 10:07 AM
You are replying to this message
"It is not immediately clear how the Mozilla Foundation's own use of Coverity relates to the DHS initiative."
Don't suppose there any chance of someone at Mozilla clarifying if there is any connection between the two, or if the DHS is just doing their own thing independently?