November 30, 2017

By Andrew Yang

Source code analysis (sometimes called "static analysis") is a technology which analyzes source code for the purpose of detecting defects, understanding architecture, collecting statistics on the software and more.

One of the most prominent commercial uses of static analysis is for defect detection. Vendors like Coverity, Klocwork, Fortify Software and others have sophisticated products that analyze the structure of the code and detect anomalies that can lead to real bugs.

For instance, many of these products can analyze paths in the code to find situations where memory may be allocated but not freed, signaling a potential memory leak. There are many other types of checks that can be performed to detect program crashes, security vulnerabilities, concurrency problems and more just by examining the source code.

Source code analysis appears to be a silver bullet for software quality and security. It doesn't operate at runtime so it requires no test cases. Therefore, you can find interesting problems even before the code is remotely operational.

It also finds problems right in the source code, pointing to the specific line where the problem exists. It doesn't get much easier to identify and fix problems. By contrast, fixing a bug reported in the field often requires a good test case and a debugging process to locate the specific problem; it can take days to find and fix a bug.

Of course, source code analysis is not without its challenges, namely that it finds problems by making educated guesses. While the algorithms may be sophisticated, it has no knowledge of artifacts outside of the actual source code, such as assumptions in the environment or code that might be linked in afterwards.

The analysis may simply not have algorithms strong enough to handle strange and complex code. This can lead to false positives: bugs reported by the tool which are not, in fact, bugs.

Older static analysis tools were notoriously "noisy", producing thousands of false positives that rendered the tools unusable. Modern source code analysis tools are significantly better but can still generate a lot of noise if not configured properly for the specific code they are analyzing.
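To make the path analysis from the memory-leak example concrete, and to show where the false positives discussed above come from, here is a toy checker added for this article (it is not code from any of the vendors named, and far simpler than their products): it enumerates every path through a small constructed model of a function body and reports allocations that are never freed, with the hypothetical `known_sinks` parameter standing in for the configuration a tool needs about callees outside the analyzed code.

```python
# Toy path-sensitive leak checker, added here as an illustration; it is not any
# vendor's algorithm. A function body is a list of constructed statement tuples:
#   ("alloc", v) / ("free", v)   v is allocated / released
#   ("call", fn, v)              v is handed to fn, whose body the analyzer cannot see
#   ("branch", [alt, ...])       control splits into alternative statement lists
#   ("return",)                  the path ends here

def enumerate_paths(stmts):
    """Expand every branch so each result is one straight-line path to a return."""
    paths = [[]]
    for s in stmts:
        done = [p for p in paths if p and p[-1][0] == "return"]
        live = [p for p in paths if not (p and p[-1][0] == "return")]
        if s[0] == "branch":
            live = [p + sub for p in live for alt in s[1] for sub in enumerate_paths(alt)]
        else:
            live = [p + [s] for p in live]
        paths = done + live
    return paths

def find_leaks(stmts, known_sinks=frozenset()):
    """Return the variables still allocated at the end of at least one path.
    A pointer passed to a callee the analyzer cannot see stays 'allocated' unless
    the tool was configured (known_sinks) to know that callee takes ownership."""
    leaked = set()
    for path in enumerate_paths(stmts):
        allocated = set()
        for s in path:
            if s[0] == "alloc":
                allocated.add(s[1])
            elif s[0] == "free" or (s[0] == "call" and s[1] in known_sinks):
                allocated.discard(s[-1])
        leaked |= allocated          # anything left over on this path is reported
    return leaked

# Constructed samples. LEAKY takes an early error return without freeing buf,
# FIXED releases buf on both paths, HANDOFF passes buf to a library linked in later.
LEAKY = [("alloc", "buf"),
         ("branch", [[("return",)], []]),
         ("free", "buf"), ("return",)]                 # find_leaks -> {'buf'}: real leak
FIXED = [("alloc", "buf"),
         ("branch", [[("free", "buf"), ("return",)], []]),
         ("free", "buf"), ("return",)]                 # find_leaks -> set()
HANDOFF = [("alloc", "buf"), ("call", "queue_push", "buf"), ("return",)]
# find_leaks(HANDOFF) -> {'buf'}: a false positive, the callee actually owns buf now;
# find_leaks(HANDOFF, known_sinks={"queue_push"}) -> set() once the tool is told so.
```

The HANDOFF case is the noise problem in miniature: the checker only sees the source in front of it, so ownership transfers to code linked in later look like leaks until the tool is configured for that code base.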

In addition, process, organizational, tool chain integration, performance, tool configuration and other such considerations greatly affect the effective use and adoption of source code analysis.

Keep in mind also that source code analysis is designed to find defects in coding. It is a highly useful verification tool in the quality and security arsenal but not a good validation tool. It does not determine that code has met business requirements. Source code analysis helps existing quality practices, such as code review, but does not replace them.
