Synopsys Helps NGINX Ensure Code Quality and Security with Coverity Scan

Publisher: EE小广播 | Latest update time: 2021-07-12 | Source: EEWORLD | Keywords: Synopsys

Synopsys has been named a leader in the Forrester Wave™ report "Static Application Security Testing, Q1 2021". In that evaluation, Synopsys' Coverity static analysis solution received the highest score in the "Current Offering" category and ranked in the top three in the "Strategy" category. Over the years, many enterprises and organizations around the world have adopted Coverity to reduce security risk, build resilient applications and bring new features to market quickly. NGINX is one of them.


Background on NGINX




NGINX Open Source (pronounced "engine x") is one of the most widely deployed web servers in the world, powering sites such as Netflix, Hulu, Pinterest and GitHub, and is widely praised for its high performance, stability, rich feature set, simple configuration and low resource consumption. Other members of the NGINX open source family include NGINX JavaScript (njs), a module that adds JavaScript support to NGINX, and NGINX Unit, a dynamic application server that runs applications written in Perl, Python, Ruby, Node.js, Go, Java and PHP.


Developers on all three NGINX open source projects use Synopsys Coverity Scan® to find and fix defects in their code. Available as a free online service from Synopsys and powered by the same engine used in Synopsys' commercial Coverity static analysis tool, Scan helps open source developers identify code defects for quick and easy remediation.


“I’m a big believer in the power of open source,” Igor Sysoev, the author and co-founder of NGINX software, said in a 2014 interview. “NGINX was an experiment in a very specific problem: how to handle more customers on a single existing server. It turned out to be a universal problem. When I realized that NGINX really helps improve web performance, I wanted people to use it, so I made it open source.”


NGINX Open Source can also serve as a reverse proxy, load balancer, mail proxy and HTTP cache, and powers more than 400 million websites, including brands such as Netflix, Hulu, Pinterest and GitHub. Igor Sysoev co-founded NGINX, Inc. with partners in 2011 to provide official support for NGINX Open Source and to offer a commercial version, NGINX Plus, which adds enterprise-grade features on top of the open source server.


In 2019, NGINX was acquired by F5 Networks, an application security and delivery company. Today, the NGINX family of open source projects also includes njs (the module that adds JavaScript support to NGINX) and NGINX Unit (the dynamic application server).


Challenge: Ensuring the quality and security of open source code


“We integrated Coverity Scan into our CI/CD process shortly after we founded NGINX,” said Maxim Konovalov, co-founder and vice president of engineering at NGINX. “We have been submitting NGINX build artifacts every day since 2012.”


Maxim Konovalov continued, “NGINX acts as a front end to the internet in many cases, and its security and stability are critical to its users. My team is very passionate about code quality and is always looking for best practices and tools to improve it. Static code analysis tools like Coverity Scan are a great help to us.”


NGINX regards itself as foundational technology for millions of applications and websites and holds itself to correspondingly high standards. Code quality and security are part of the NGINX ethos, and effective tooling is essential to the development practices that uphold them.


Solution: Use Coverity Scan for static code analysis


People often assume that most software vulnerabilities are planted deliberately by attackers. In fact, most are ordinary coding errors. GitHub's 2020 "State of the Octoverse" security report found that 83% of the vulnerabilities for which GitHub sent alerts between 2019 and 2020 were caused by coding mistakes rather than malicious intent.


Malicious attacks do, however, exploit exactly those flaws, so developers need proactive detection tools to find errors in the code they write before an attacker does. Static analysis examines source code without executing it, checking it against a set of coding rules and defect patterns (buffer bounds, resource handling, unchecked return values and the like) to find common coding errors. Coverity Scan is free to open source developers who have registered their projects at scan.coverity.com and is based on the same engine used by Synopsys' commercial Coverity static analysis tool, helping open source developers identify code defects for quick and easy remediation. The Linux Foundation noted in a 2020 report on open source contributors that respondents "overwhelmingly cited Coverity Scan and Clang security checker" as their primary static analysis tools.
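To make the preceding paragraph concrete, here are two defect classes of the kind a static analyzer reports in C code, each in a defective and a corrected form: an off-by-one write past a buffer (CWE-787) and use of a library return value that was never checked for NULL (CWE-476). This is example code written for this page, not NGINX source, and these are illustrative patterns only; the page does not say which two CWE Top 25 defects the January 2021 scan found, and nothing here claims to reproduce them. The function names, the 8-byte buffer and the sample header lines are all constructed for the illustration.

```c
/*
 * Illustrative defects of the kind a static analyzer flags in C.
 * Written as an added example for this article; not nginx source.
 */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Defective: the guard admits len == dst_size, so the NUL terminator
 * lands one byte past the end of dst (CWE-787). An analyzer that
 * tracks buffer sizes reports the write at dst[dst_size]. */
int copy_value_defective(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len > dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';          /* out of bounds when len == dst_size */
    return 0;
}

/* Corrected: reserve one byte for the terminator and reject the
 * boundary case instead of overflowing. */
int copy_value_fixed(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Defective: strchr() returns NULL when there is no ':' and the
 * pointer arithmetic then uses that NULL (CWE-476). Analyzers flag
 * a return value that may be NULL and is used without a check. */
int header_name_len_defective(const char *line)
{
    const char *colon = strchr(line, ':');
    return (int)(colon - line);   /* undefined if colon == NULL */
}

/* Corrected: check the return value before using it. */
int header_name_len_fixed(const char *line)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return -1;
    return (int)(colon - line);
}

int main(void)
{
    char buf[8];
    /* Constructed input: exactly sizeof(buf) bytes, the boundary case. */
    const char *eight = "abcdefgh";

    printf("copy_value_fixed, 8 bytes into 8-byte buffer: %d (rejected)\n",
           copy_value_fixed(buf, sizeof buf, eight, 8));
    printf("copy_value_fixed, 7 bytes: %d -> \"%s\"\n",
           copy_value_fixed(buf, sizeof buf, eight, 7), buf);

    printf("header_name_len_fixed(\"Host: x\") = %d\n",
           header_name_len_fixed("Host: x"));
    printf("header_name_len_fixed(\"no colon\") = %d\n",
           header_name_len_fixed("no colon"));
    return 0;
}
```

Both defective functions behave identically to their fixed versions on well-formed input, which is why such bugs survive testing and why analysis that reasons about every path, not only the paths a test suite exercises, catches them.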


Results: 658,000 lines of code scanned, defect density 0.02 per 1,000 lines


In January 2021, Coverity Scan analyzed 658,665 lines of NGINX code and found a variety of code defects, including two in the CWE Top 25. Because F5 Networks runs Coverity Scan regularly, the defect density of the NGINX project (defects per 1,000 lines of code) is only 0.02.


Maxim Konovalov praised: "Coverity Scan adds value for us. I often recommend Coverity Scan and its ability to provide specific defect IDs in code submissions. In fact, I am a member of the FreeBSD committer group and we also use Coverity Scan for FreeBSD code analysis."

