When engineering any kind of system, checking for and fixing errors early and often significantly reduces the amount of downstream work added to the project. In the world of software engineering, there are a few methods for ensuring that applications function as expected. Static analysis is the simplest and most effective activity software engineers can perform to prevent defects, while accelerating application delivery.
What is Static Code Analysis?
Static code analysis (or static analysis) is a development testing activity in which the code is analyzed for constructions known to be associated with software errors. When a high-risk construction is detected, the static analysis tool reports a violation. There are several types of static analysis.
Pattern-based Static Analysis
In its simplest form, a static analysis tool scans the code and checks it against one or more sets of rules. For example, engineers sometimes make the mistake of using the string "\0" when the null character '\0' is actually intended. This mistake may result in memory corruption and cause the program to crash. A static analysis tool would look for these patterns in the code and report them as possible errors. This kind of static analysis is known as pattern-based static analysis.
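A minimal pattern-based rule for the "\0" mistake described above, as an added example (not code from the original page or from any vendor's tool). The function name find_nul_string_literals and the sample source are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical pattern rule: flag every string literal whose whole content is
 * \0. Comments and char literals are skipped. Line numbers go into lines[]. */
size_t find_nul_string_literals(const char *src, int *lines, size_t max)
{
    size_t found = 0;
    int line = 1;
    for (const char *p = src; *p; p++) {
        if (*p == '\n') {
            line++;
        } else if (p[0] == '/' && p[1] == '/') {        /* line comment */
            while (p[1] && p[1] != '\n') p++;
        } else if (p[0] == '/' && p[1] == '*') {        /* block comment */
            for (p += 2; *p && !(p[0] == '*' && p[1] == '/'); p++)
                if (*p == '\n') line++;
            if (!*p) break;
            p++;                                        /* step onto '/' */
        } else if (*p == '"' || *p == '\'') {           /* string or char literal */
            char quote = *p;
            const char *body = ++p;
            while (*p && *p != quote)
                p += (*p == '\\' && p[1]) ? 2 : 1;      /* skip escape pairs */
            if (quote == '"' && p - body == 2 && body[0] == '\\' && body[1] == '0') {
                if (found < max) lines[found] = line;
                found++;
            }
            if (!*p) break;
        }
    }
    return found;
}

/* Constructed sample input: lines 2 and 4 contain the mistake. */
static const char SAMPLE[] =
    "char buf[8];\n"
    "buf[7] = \"\\0\";   // string literal, not a character\n"
    "buf[7] = '\\0';    /* correct form; \"\\0\" in a comment is ignored */\n"
    "if (*p == \"\\0\") {}\n"
    "puts(\"a\\0b\");\n";

int main(void)
{
    int lines[8];
    size_t n = find_nul_string_literals(SAMPLE, lines, 8);
    for (size_t i = 0; i < n; i++)
        printf("line %d: string \"\\0\" used; did you mean '\\0'?\n", lines[i]);
    return n ? 1 : 0;
}
```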
Flow analysis, sometimes called dynamic analysis, is slightly different. This type of code analysis checks for problematic constructions against a set of rules, but flow analysis tools also simulate decision paths to dig deeper into the application and root out hard-to-find defects, such as null pointer dereferences and buffer overflows.
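To show what simulating decision paths means, here is an added toy example (not from the original page or any real analyzer) that walks every branch of a small modelled function and counts the paths on which a pointer is dereferenced while NULL. The op model, the names null_deref_paths, UNGUARDED and GUARDED, and the sample programs are assumptions made for illustration.

```c
#include <stdio.h>

/* Toy model (hypothetical): a function body reduced to the operations
 * that affect one pointer p. */
enum op_kind { SET_NULL, SET_VALID, IF_COND, RETURN_IF_NULL, DEREF };
struct op { enum op_kind kind; int skip; };  /* skip: ops jumped when IF_COND is false */

/* Walk every decision path from pc and count the paths on which p is
 * dereferenced while it is known to be NULL. */
int null_deref_paths(const struct op *ops, int n, int pc, int is_null)
{
    for (; pc < n; pc++) {
        switch (ops[pc].kind) {
        case SET_NULL:       is_null = 1; break;
        case SET_VALID:      is_null = 0; break;
        case RETURN_IF_NULL: if (is_null) return 0; break;  /* guard ends the path */
        case DEREF:          if (is_null) return 1; break;  /* defect on this path */
        case IF_COND:        /* condition unknown statically: follow both branches */
            return null_deref_paths(ops, n, pc + 1, is_null)
                 + null_deref_paths(ops, n, pc + 1 + ops[pc].skip, is_null);
        }
    }
    return 0;
}

/* Constructed input modelling: p = NULL; if (c) p = &obj; *p; */
static const struct op UNGUARDED[] = {
    {SET_NULL, 0}, {IF_COND, 1}, {SET_VALID, 0}, {DEREF, 0} };
/* Same code with "if (!p) return;" inserted before the dereference. */
static const struct op GUARDED[] = {
    {SET_NULL, 0}, {IF_COND, 1}, {SET_VALID, 0}, {RETURN_IF_NULL, 0}, {DEREF, 0} };

int main(void)
{
    printf("unguarded: %d null-deref path(s)\n", null_deref_paths(UNGUARDED, 4, 0, 0));
    printf("guarded:   %d null-deref path(s)\n", null_deref_paths(GUARDED, 5, 0, 0));
    return 0;
}
```

A pattern rule sees nothing wrong with the dereference on its own; only the path where the condition is false reaches it with p still NULL.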
Additional Analysis Types
There are other types of static analysis that achieve different types of goals. For example, metrics analysis tools measure code characteristics, such as lines of code and complexity. Coverage analysis tools track unit and application tests to enable a better understanding of how well the code is tested. When used together as part of an automated development testing process, these types of analysis provide significant visibility into the safety, security, and reliability of the application.
Risks of Failing to Run Static Analysis
Software is becoming more complex and ubiquitous. For example, automotive systems in the early days were purely mechanical, but today the average automobile may contain over 1000 code-executing MCUs. That much electronic surface area, especially in safety-critical applications, such as automotive, medical devices, or avionics, demands defect-free code.
The good news is that there are several organizations, such as OWASP and MITRE, that research and publish programming best practices. Industry-specific standards organizations (such as MISRA, which focuses on automotive software) also publish best practices that are often required by regulatory bodies. The best practices are codified into static analysis tools as rules.
Each static analysis vendor has their own method for implementing programming standards while claiming that their method “finds more bugs.” While there are differences between enterprise-grade and free static analysis tools, there is little meaningful variance in results. Performance, support resources, integration capabilities, depth and breadth of reporting, additional features (such as integrated unit testing), and environment support are some of the more meaningful criteria for choosing a static analysis vendor—not how many “bugs” they claim to find.
From a business perspective, failing to check your work with at least one static analysis tool significantly raises the risk of deploying or releasing your applications. Defects can lead to exploitable code that malicious hackers can use to crash the system, expose sensitive data, etc. In the case of safety-critical software, the consequences can be far more serious.
Benefits of Automated Static Analysis
Running static analysis on the desktop is akin to running the spellchecker in a word processing program. This may be acceptable for small projects, but in large organizations, static analysis should be automated as part of the nightly build or upon code check-in. When implemented as part of the development process, static analysis provides a number of benefits.
Faster Development Cycle
The key is to consistently run static analysis from the early stages of the project. This enables you to find and fix systemic defects when the cost of remediation is at its lowest. The process may initially take more time than rapidly developing the software without running analysis, but the gains in efficiency are exponential over the development lifecycle.
Some static analysis tools also include descriptive documentation about the programming standard being implemented, which extends software engineers’ programming knowledge and professional development. Over time, good programming is automatically observed. If your static analysis tool is part of a larger development testing platform that can automatically prioritize defect remediation tasks, then you’ll be able to deliver the software even faster.
Lower Defect Rate
Static analysis helps you find and fix defects early, which can prevent the recurrence of systemic defects downstream. Some static analysis tools not only report static analysis violations, but also integrate with development testing platforms that can help you understand where all the instances of the reported defect occur. With a policy of early detection, you can more easily implement a policy of defect prevention, which reduces the rate of defects over the development lifecycle.
The term “DevOps” is often used to describe a collection of practices that facilitate the cross-departmental collaboration and communication necessary to help organizations optimize and accelerate their development processes. By sharing knowledge and tasks across departments, organizations create an efficient process for accelerating the SDLC while improving quality processes. For this approach to be effective, however, an automated feedback loop must be implemented that enables the consistent application of quality policies as requirements progress from creation to production.
Automated static analysis is not only the mechanism for the feedback loop, it also generates the data other departments need to collaborate effectively under the DevOps model. Especially when used with unit and regression testing, static analysis serves a few roles:
- Ensures code quality
- Provides the big data required to improve the development process
- Facilitates the machinations of the DevOps automated feedback loop
About Parasoft’s Static Analysis Solution
The C/C++test static analysis rule set is based on implementations of MISRA, MISRA C++, FDA, Scott Meyers’ Effective C++, Effective STL, and other established sources. You can also create your own custom rules using the Rule Wizard GUI. You can analyze code with C/C++test on the desktop, but integrating static analysis into your automated builds enables you to prevent defects continuously and automatically.
You can also connect C/C++test to Parasoft Development Testing Platform (DTP), which is an advanced analytics system that consistently applies your development policy to automatically enforce non-functional requirements. In this use case, static analysis is automatically executed during the build, violations are reported to DTP, where they are processed, and results are sent back to the engineer’s IDE for remediation.
During the processing phase, DTP uses the data to look for systemic issues associated with the programming process. For instance, DTP can correlate a severe violation in code produced by a junior engineer with a set of unit tests and coverage information to determine how much risk is associated with the module. If the correlation points to a risk level above a specific threshold, then the violation may trigger a specific continuous process improvement workflow that involves peer code review and additional analysis, in addition to the normal defect remediation tasks.
Static code analysis is an important part of ensuring that applications function as expected. It not only improves the overall development team velocity, but also reduces risks associated with releasing potentially dangerous software. While some analysis is always better than no analysis, static analysis should be integrated into a development testing infrastructure to maximize the effectiveness of the practice. Parasoft offers an enterprise-grade code analysis and testing suite in C/C++test, as well as an advanced analytics and reporting system in Development Testing Platform. Combining both technologies enables software engineering teams to accelerate software delivery, while ensuring that their applications function as expected.