Code quality analysis of OpenVAS modules with trends
The OpenVAS developer team is very much concerned with source code quality. This page summarizes analysis of the quality as a base for planning improvements strategies. Note, that simple counter heuristics are only one element of a quality strategy.
Applied tools:
- flawfinder 1.26 by David Wheeler.
- RATS 2.0:
rats . | grep "High:" | wc -l
rats . | grep "Medium:" | wc -l - gcc -Wall (gcc 4.1.2, Intel P4):
$ make 2>&1 | grep "warning:" | wc -l
Note: You should make yourself familiar with the applied tools especially before interpreting the absolute numbers. The trends of the numbers give a first impression, but for deeper understanding you should read more about the applied methods as well.
openvas-libraries
| Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|
| 0.9.0 | 13909 | 484 | not analyzed | 37 |
| 0.9.1 | 13853 | 483 | not analyzed | 20 |
| 1.0.0 | 13755 | 476 | not analyzed | 10 |
| 1.0.1 | 11729 | 380 | 114/27 | 3 |
| 1.0.2 | 11752 | 377 | 114/27 | 3 |
| 2.0-beta1 | 11819 | 376 | 102/27 | 3 |
openvas-libnasl
| Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|
| 0.9.0 | 16034 | 342 | not analyzed | not analyzed |
| 0.9.1 | 16013 | 342 | not analyzed | not analyzed |
| 0.9.2 | 16051 | 343 | not analyzed | not analyzed |
| 1.0.0 | 16052 | 343 | 64/21 | not analyzed |
| 1.0.1 | 16077 | 331 | 62/21 | not analyzed |
| 2.0-beta1 | 16078 | 330 | 61/21 | not analyzed |
openvas-server
| Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|
| 0.9.0 | 10403 | 457 | not analyzed | not analyzed |
| 0.9.1 | 10366 | 457 | not analyzed | not analyzed |
| 0.9.2 | 10366 | 457 | 125/24 | not analyzed |
| 1.0.0 | 10354 | 457 | 125/24 | not analyzed |
| 1.0.1 | 10093 | 433 | 124/21 | not analyzed |
| 1.0.2 | 10087 | 433 | 124/21 | not analyzed |
| 2.0-beta1 | 9536 | 383 | 100/19 | not analyzed |
openvas-plugins
| Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|
| 0.9.1 | 6904 | 412 | not analyzed | not analyzed |
| 1.0.1 | 6904 | 412 | 128/20 | not analyzed |
| 1.0.2 | 6668 | 401 | 126/18 | not analyzed |
| 1.0.3 | 6730 | 375 | 126/18 | not analyzed |
OpenVAS-Client
| Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|
| 0.9.1 | 51695 | 868 | not analyzed | 23 |
| 1.0.0 | 51679 | 867 | not analyzed | 23 |
| 1.0.1 | 51648 | 862 | not analyzed | 23 |
| 1.0.2 | 51648 | 862 | not analyzed | 23 |
| 1.0.3 | 51291 | 837 | 251/55 | 14 |
| 1.0.4 | 50067 | 794 | 221/55 | 22 |
| 2.0-beta1 | 27266 | 677 | 176/47 | 13 |
How the numbers have been assembled
The actual commands (currently except for RATS) to assemble all the numbers are collected in a shell script "code-analysis.sh" which you can find here.
For comparison: Nessus
This is the analysis of the latest Free Software release of Nessus (Server: 2.2.10, Client: 1.0.2).
Naturally, we do not have any such numbers for the proprietary successors.
| Module | Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|---|
| nessus-libraries | 2.2.10 | 21397 | 710 | not analyzed | 50 |
| libnasl | 2.2.10 | 15836 | 361 | not analyzed | 34 |
| nessus-core | 2.2.10 | 54866 | 1413 | not analyzed | 8 |
| nessus-plugins | 2.2.10 | 4672 | 299 | not analyzed | not analyzed |
| nessus-client | 1.0.2 | 51383 | 864 | not analyzed | 21 |