When engineering any kind of system, checking for and fixing errors early and often significantly reduces the amount of downstream work added to the project. In the world of software engineering, there are a few methods for ensuring that applications function as expected. Static analysis is the simplest and most effective activity software engineers can perform to prevent defects, while accelerating application delivery.
What is Static Code Analysis?
Static code analysis (or static analysis) is a development testing activity in which the code is analyzed for constructions known to be associated with software errors. When a high-risk construction is detected, the static analysis tool reports a violation. There are several types of static analysis.
Pattern-based Static Analysis
In its simplest form, a static analysis tool scans the code and checks it against one or more sets of rules. For example, engineers sometimes make the mistake of using the string "\0" when the null character '\0' is actually intended. This mistake may result in memory corruption and cause the program to crash. A static analysis tool would look for these patterns in the code and report them as possible errors. This kind of static analysis is known as pattern-based static analysis.
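As an added illustration of the pattern-based check just described (example code, not from the original article or any vendor's tool): a small Python checker that scans C source for the string "\0" used where the null character '\0' is meant, ignores comments, and reports each hit as a rule violation with its line number. The C snippet it scans is constructed for this demo.

```python
import re
from typing import List, Tuple

# Constructed C input for the demo; in C, "\0" is a pointer to a two-byte
# array {0, 0}, while '\0' is the single null character.
SAMPLE_C = r'''
#include <string.h>
void terminate(char *buf, size_t n) {
    buf[n - 1] = "\0";          /* violation: pointer stored into a char */
    if (buf[0] == "\0") {       /* violation: char compared to a pointer */
        return;
    }
    memset(buf, "\0", n);       /* violation: pointer passed as the fill byte */
    /* "\0" inside a comment must not be reported */
    strcat(buf, "\0");          /* not flagged: a string argument is intended */
    buf[0] = '\0';              /* correct form */
}
'''

# Contexts where a "\0" string literal almost certainly should be '\0':
# assignment or comparison operators, or the fill argument of memset().
SUSPECT = re.compile(r'(==|!=|=)\s*"\\0"|memset\s*\([^,]+,\s*"\\0"')
COMMENT = re.compile(r'/\*.*?\*/|//.*')

def check_null_string(src: str) -> List[Tuple[int, str]]:
    """Pattern-based rule: return (line number, source line) for every
    place the string "\0" is used where the char '\0' is intended."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        code = COMMENT.sub('', line)   # rule must not fire on comment text
        if SUSPECT.search(code):
            findings.append((lineno, line.strip()))
    return findings

if __name__ == "__main__":
    for lineno, text in check_null_string(SAMPLE_C):
        print(f'sample.c:{lineno}: violation: string "\\0" used as a char, '
              f'did you mean \'\\0\'?  ->  {text}')
```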
Flow analysis, sometimes called dynamic analysis, is slightly different. This type of code analysis also checks for problematic constructions against a set of rules, but flow analysis tools additionally simulate decision paths to dig deeper into the application and root out hard-to-find defects, such as null pointer dereferences and buffer overflows.
Additional Analysis Types
There are other types of static analysis that achieve different types of goals. For example, metrics analysis tools measure code characteristics, such as lines of code and complexity. Coverage analysis tools track unit and application tests to enable a better understanding of how well the code is tested. When used together as part of an automated development testing process, these types of analysis provide significant visibility into the safety, security, and reliability of the application.
Risks of Failing to Run Static Analysis
Software is becoming more complex and ubiquitous. For example, automotive systems in the early days were purely mechanical, but today the average automobile may contain over 1,000 code-executing MCUs. That much electronic surface area, especially in safety-critical applications, such as automotive, medical devices, or avionics, demands defect-free code.
The good news is that there are several organizations, such as OWASP and MITRE, that research and publish programming best practices. Industry-specific standards organizations (such as MISRA, which focuses on automotive software) also publish best practices that are often required by regulatory bodies. These best practices are codified into static analysis tools as rules.
Each static analysis vendor has its own method for implementing programming standards, and each claims that its method “finds more bugs.” While there are differences between enterprise-grade and free static analysis tools, there is little meaningful variance in results. Performance, support resources, integration capabilities, depth and breadth of reporting, additional features (such as integrated unit testing), and environment support are some of the more meaningful criteria for choosing a static analysis vendor, not how many “bugs” they claim to find.
From a business perspective, failing to check your work with at least one static analysis tool significantly raises the risk of deploying or releasing your applications. Defects can lead to exploitable code that malicious hackers can use to crash the system, expose sensitive data, etc. In the case of safety-critical software, the consequences can be far more serious.
Benefits of Automated Static Analysis
Running static analysis on the desktop is akin to running the spellchecker in a word processing program. This may be acceptable for small projects, but in large organizations, static analysis should be automated as part of the nightly build or upon code check-in. When implemented as part of the development process, static analysis provides a number of benefits.
Faster Development Cycle
The key is to consistently run static analysis from the early stages of the project. This enables you to find and fix systemic defects when the cost of remediation is at its lowest. The process may initially take more time than rapidly developing the software without running analysis, but the gains in efficiency are exponential over the development lifecycle.
Some static analysis tools also include descriptive documentation about the programming standard being implemented, which extends software engineers’ programming knowledge and supports their professional development. Over time, good programming practices are followed automatically. If your static analysis tool is part of a larger development testing platform that can automatically prioritize defect remediation tasks, then you’ll be able to deliver the software even faster.
Lower Defect Rate
Static analysis helps you find and fix defects early, which can prevent the recurrence of systemic defects downstream. Some static analysis tools not only report static analysis violations, but also integrate with development testing platforms that can help you understand where all the instances of the reported defect occur. With a policy of early detection, you can more easily implement a policy of defect prevention, which reduces the rate of defects over the development lifecycle.
The term “DevOps” is often used to describe a collection of practices that facilitate the cross-departmental collaboration and communication necessary to help organizations optimize and accelerate their development processes. By sharing knowledge and tasks across departments, organizations create an efficient process for accelerating the SDLC while improving quality processes. For this approach to be effective, however, an automated feedback loop must be implemented that enables the consistent application of quality policies as requirements progress from creation to production.
Automated static analysis is not only the mechanism for the feedback loop, it also generates the data other departments need to collaborate effectively under the DevOps model. Especially when used with unit and regression testing, static analysis serves a few roles:
- Ensures code quality
- Provides the big data required to improve the development process
- Drives the mechanics of the DevOps automated feedback loop
As a result, static analysis becomes an agent for continuous, automated process improvement. It provides a means for examining defects detected during release or QA to determine if there is a way to harden code and eliminate the possibility of these defects occurring again.