Coverity is a tool to find security problems in code through static analysis. I’m sure it is a fine tool. There is a company behind it, Coverity Inc., and they run the tool on free software. A service like that seems like a good thing. Alas, the details of how scan.coverity.com works imply that it is a bad idea for free software supporters to use the service. Here are the mistakes they made:
- There is no notification to the project maintainer that they found problems in the code.
- The problems they have found are not available publicly. (This _may_ be desirable, in case the problems they find are exploitable.)
- They require that any maintainer who wishes to review the problems enter into a license agreement with Coverity, Inc. The license is very biased: all the advantages are with the company, and none with the developer. Further, they can change the license at any time, and you are (presumably) forced to follow it anyway. (Read below for a copy of the license.)
This sends the message that the site is just advertisement for their commercial proprietary products and services. Possibly it could be even worse: it can be seen as bargaining à la “Your software is insecure, agree to our evil license and we’ll tell you how to fix it”.
Therefore I suggest that all free software maintainers boycott the scan.coverity.com service until they get their act together.
A reasonable way to change their service to something more acceptable, and potentially even turn it into a positive contribution to the community, would be to send the list of problems to the official bug maintainer address of each project.
In case they decide to alter the license, I’m including the current license for future reference.
Scan Developer License
Version 1.0 - March 6th, 2007
Scan.Coverity.com Terms of Service - General terms and conditions
Although we may attempt to notify you via your email address and via your project mailing list when major changes are made, you should visit this page periodically to review the terms. Coverity may, in its sole discretion, modify or revise these terms and conditions and policies at any time, and you agree to be bound by such modifications or revisions. If you do not accept and abide by this Agreement, you may not use the Scan.Coverity.com developer service. Nothing in this Agreement shall be deemed to confer any third party rights or benefits.
1. Description of Service. Scan.Coverity.com is a source code analysis service provided by Coverity (the "Service"). You understand and agree that the Service may include data which is part of Coverity's proprietary intellectual property, including the documentation, user interface and capabilities for its Prevent source code analysis product. Coverity disclaims all responsibility and liability for the availability, timeliness, security or reliability of the Service. Coverity also reserves the right to modify, suspend or discontinue the Service with or without notice at any time and without any liability to you.
2. Intellectual Property Rights. Coverity's Intellectual Property Rights. You acknowledge that Coverity owns all right, title and interest in and to the Service, including without limitation all intellectual property rights (the "Coverity Rights"), and such Coverity Rights are protected by U.S. and international intellectual property laws. Accordingly, you agree that you will not copy, reproduce, alter, modify, or create derivative works from the Service. You also agree that you will not use any robot, spider, other automated device, or manual process to monitor or copy any content from the Service without prior approval from Coverity. The Coverity Rights include rights to (i) the Service developed and provided by Coverity; and (ii) all software operating the Service. The Coverity Rights do not include third-party software analyzed as part of Service.
3. Competition. Coverity's Intellectual Property may include elements that would assist competitors in creating or improving products competitive to Coverity's tools. You agree that by accepting access to the Service you commit not to distribute or share details of the service or its analysis with any entity without prior authorization from Coverity. This commitment does not restrict the implicit revelation of defect details by committing corrections to the source code under test. This agreement does not ask the user to commit to not compete on behalf of their employer(s), and only asks that the User make reasonable effort to avoid using Coverity's Intellectual Property in creation of a competing product.
4. Publicity. Any use of Coverity's trade names, trademarks, service marks, logos, domain names, and other distinctive brand features ("Brand Features") must be in compliance with current Brand Feature use guidelines. Use of Coverity's name is always acceptable for identifying the instigator of a code improvement.