Code quality analysis of OpenVAS modules with trends
The OpenVAS developer team is very much concerned with source code quality. This page summarizes analysis of that quality as a base for planning improvement strategies. Note that simple counter heuristics are only one element of a quality strategy.
Applied tools:
- flawfinder 1.26 by David Wheeler.
- RATS 2.0:
  rats . | grep "High:" | wc -l
  rats . | grep "Medium:" | wc -l
- gcc -Wall (gcc 4.1.2, Intel P4):
  $ make 2>&1 | grep "warning:" | wc -l
Furthermore, some information (e.g. code/comment ratio) can be found on the ohloh page of OpenVAS.
Note: You should make yourself familiar with the applied tools especially before interpreting the absolute numbers. The trends of the numbers give a first impression, but for deeper understanding you should read more about the applied methods as well.
openvas-libraries
| Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|
| 0.9.0 | 13909 | 484 | not analyzed | 37 |
| 0.9.1 | 13853 | 483 | not analyzed | 20 |
| 1.0.0 | 13755 | 476 | not analyzed | 10 |
| 1.0.1 | 11729 | 380 | 114/27 | 3 |
| 1.0.2 | 11752 | 377 | 114/27 | 3 |
| 1.0.3 | 11898 | 375 | 114/27 | 3 |
| 2.0-beta1 | 11819 | 376 | 102/27 | 3 |
| 2.0-beta2 | 11200 | 368 | 93/26 | 3 |
| 2.0-rc1 | 11254 | 317 | 84/13 | 3 |
| 2.0.0 | 11255 | 311 | 84/13 | 3 |
| 2.0.1 | 11248 | 295 | 76/13 | 3 |
| 2.0.2 | 11384 | 295 | 76/13 | 3 |
| 2.0.3 | 12401 | 305 | 76/13 | 3 |
| 2.0.4 | 12597 | 304 | 76/13 | 4 |
| openvas-libnasl merged into openvas-libraries. Now, flawfinder 1.27 is used. New libraries "omp" and "base" were added. | ||||
| 3.1.0 | 62263 | 825 | 203/33 | 10 |
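The note above warns against reading the absolute numbers directly, and the openvas-libraries table shows why: the libnasl merge before 3.1.0 roughly quintuples the SLOC, so the hit count rises while the code is, per line, cleaner. This added example (not the page's own code and not the project's code-analysis.sh) normalises the counters per 1000 SLOC and flags releases whose density rose; the rows are copied from the table above, and "not analyzed" is carried as None.

```python
# Added example, not from the page or the OpenVAS project: normalises the
# counters per 1000 SLOC so that a size jump (e.g. the libnasl merge before
# 3.1.0) does not read as a quality regression.
from typing import Dict, List, Optional

# Rows copied from the openvas-libraries table: release | SLOC | hits | RATS Hi/Med
LIBRARIES_TABLE = """\
0.9.0 | 13909 | 484 | not analyzed
0.9.1 | 13853 | 483 | not analyzed
1.0.0 | 13755 | 476 | not analyzed
1.0.1 | 11729 | 380 | 114/27
1.0.2 | 11752 | 377 | 114/27
1.0.3 | 11898 | 375 | 114/27
2.0-beta1 | 11819 | 376 | 102/27
2.0-beta2 | 11200 | 368 | 93/26
2.0-rc1 | 11254 | 317 | 84/13
2.0.0 | 11255 | 311 | 84/13
2.0.1 | 11248 | 295 | 76/13
2.0.2 | 11384 | 295 | 76/13
2.0.3 | 12401 | 305 | 76/13
2.0.4 | 12597 | 304 | 76/13
3.1.0 | 62263 | 825 | 203/33
"""

def parse_rows(text: str) -> List[Dict]:
    """Turn 'rel | sloc | hits | hi/med' lines into dicts; RATS may be absent."""
    rows = []
    for line in text.strip().splitlines():
        rel, sloc, hits, rats = [c.strip() for c in line.split("|")]
        hi = med = None
        if "/" in rats:  # "not analyzed" keeps both as None
            hi, med = (int(x) for x in rats.split("/"))
        rows.append({"release": rel, "sloc": int(sloc), "hits": int(hits),
                     "rats_high": hi, "rats_med": med})
    return rows

def per_ksloc(count: Optional[int], sloc: int) -> Optional[float]:
    """Findings per 1000 source lines; None when the tool was not run."""
    return None if count is None else round(count * 1000.0 / sloc, 2)

def density_trend(rows: List[Dict]) -> List[Dict]:
    """Attach densities and flag releases whose flawfinder density rose."""
    out, prev = [], None
    for r in rows:
        d = dict(r, hits_per_ksloc=per_ksloc(r["hits"], r["sloc"]),
                 high_per_ksloc=per_ksloc(r["rats_high"], r["sloc"]))
        d["regressed"] = prev is not None and d["hits_per_ksloc"] > prev
        prev = d["hits_per_ksloc"]
        out.append(d)
    return out

if __name__ == "__main__":
    for d in density_trend(parse_rows(LIBRARIES_TABLE)):
        print(f"{d['release']:<10} {d['hits_per_ksloc']:6.2f} hits/kSLOC" + (" <- up" if d["regressed"] else ""))
```

Run as-is it prints one line per release; 3.1.0 comes out at about 13 hits/kSLOC against about 24 for 2.0.4, i.e. the merged code lowered the density even though the raw hit count rose.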
openvas-scanner
openvas-scanner is the successor of openvas-server. All C modules and management scripts of openvas-plugins were integrated here. flawfinder 1.27 was applied.
| Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|
| 3.1.0 | 20951 | 605 | 166/25 | n.a. |
openvas-libnasl
| Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|
| 0.9.0 | 16034 | 342 | not analyzed | not analyzed |
| 0.9.1 | 16013 | 342 | not analyzed | not analyzed |
| 0.9.2 | 16051 | 343 | not analyzed | not analyzed |
| 1.0.0 | 16052 | 343 | 64/21 | not analyzed |
| 1.0.1 | 16077 | 331 | 62/21 | not analyzed |
| 2.0-beta1 | 16078 | 330 | 61/21 | not analyzed |
| 2.0-beta2 | 16422 | 339 | 62/22 | not analyzed |
| 2.0-rc1 | 16437 | 290 | 61/21 | not analyzed |
| 2.0.0 | 15524 | 265 | 54/15 | not analyzed |
| 2.0.1 | 15525 | 256 | 48/15 | not analyzed |
| 2.0.2 | 15539 | 258 | 48/15 | not analyzed |
openvas-server
| Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|
| 0.9.0 | 10403 | 457 | not analyzed | not analyzed |
| 0.9.1 | 10366 | 457 | not analyzed | not analyzed |
| 0.9.2 | 10366 | 457 | 125/24 | not analyzed |
| 1.0.0 | 10354 | 457 | 125/24 | not analyzed |
| 1.0.1 | 10093 | 433 | 124/21 | not analyzed |
| 1.0.2 | 10087 | 433 | 124/21 | not analyzed |
| 2.0-beta1 | 9536 | 383 | 100/19 | not analyzed |
| 2.0-beta2 | 9384 | 381 | 93/19 | not analyzed |
| 2.0-rc1 | 9527 | 367 | 93/16 | not analyzed |
| 2.0.0 | 9365 | 361 | 93/16 | not analyzed |
| 2.0.1 | 9496 | 333 | 86/16 | not analyzed |
| 2.0.2 | 9809 | 324 | 86/16 | not analyzed |
| 2.0.3 | 9723 | 316 | 86/16 | not analyzed |
openvas-plugins
| Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|
| 0.9.1 | 6904 | 412 | not analyzed | not analyzed |
| 1.0.1 | 6904 | 412 | 128/20 | not analyzed |
| 1.0.2 | 6668 | 401 | 126/18 | not analyzed |
| 1.0.3 | 6730 | 375 | 126/18 | not analyzed |
| 1.0.4 | 6384 | 375 | 126/16 | not analyzed |
| 1.0.5 | 6300 | 374 | 125/16 | not analyzed |
| 1.0.6 | 6005 | 303 | 104/12 | not analyzed |
| 1.0.7 | 6005 | 303 | 106/12 | not analyzed |
OpenVAS-Client
| Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|
| 0.9.1 | 51695 | 868 | not analyzed | 23 |
| 1.0.0 | 51679 | 867 | not analyzed | 23 |
| 1.0.1 | 51648 | 862 | not analyzed | 23 |
| 1.0.2 | 51648 | 862 | not analyzed | 23 |
| 1.0.3 | 51291 | 837 | 251/55 | 14 |
| 1.0.4 | 50067 | 794 | 221/55 | 22 |
| 1.0.5 | 50173 | 794 | 221/55 | 22 |
| 2.0-beta1 | 27266 | 677 | 176/47 | 13 |
| 2.0-beta2 | 27590 | 691 | 169/47 | 6 |
| 2.0-rc1 | 26983 | 659 | 164/45 | 6 |
| 2.0.0 | 26671 | 606 | 158/45 | 2 |
| 2.0.1 | 26672 | 606 | 158/45 | 2 |
| 2.0.2 | 28795 | 599 | 154/44 | 2 |
| 2.0.3 | 29192 | 562 | 144/44 | 2 |
| 2.0.4 | 30207 | 560 | 133/43 | 2 |
| 2.0.5 | 30594 | 532 | 133/43 | 2 |
| Now, flawfinder 1.27 is used. | ||||
| 3.0.1 | 42842 | 481 | 98/32 | n.a. |
How the numbers have been assembled
The actual commands (currently except for RATS) to assemble all the numbers are collected in a shell script "code-analysis.sh" which you can find here.
For comparison: Nessus
This is the analysis of the latest Free Software release of Nessus (Server: 2.2.10, Client: 1.0.2).
Naturally, we do not have any such numbers for the proprietary successors.
| Module | Release | Flawfinder SLOC | Flawfinder Hits | RATS Hi/Med | gcc -Wall |
|---|---|---|---|---|---|
| nessus-libraries | 2.2.10 | 21397 | 710 | not analyzed | 50 |
| libnasl | 2.2.10 | 15836 | 361 | not analyzed | 34 |
| nessus-core | 2.2.10 | 54866 | 1413 | not analyzed | 8 |
| nessus-plugins | 2.2.10 | 4672 | 299 | not analyzed | not analyzed |
| nessus-client | 1.0.2 | 51383 | 864 | not analyzed | 21 |
