Presentation is loading. Please wait.

Presentation is loading. Please wait.

BY: TIM BIGGIN Static Code Analysis. Overview What Static Code Analysis Does Why Should You Use It? How is it Used? Types of Static Code Analysis Benefits.

Similar presentations

Presentation on theme: "BY: TIM BIGGIN Static Code Analysis. Overview What Static Code Analysis Does Why Should You Use It? How is it Used? Types of Static Code Analysis Benefits."— Presentation transcript:

1 BY: TIM BIGGIN Static Code Analysis

2 Overview What Static Code Analysis Does Why Should You Use It? How is it Used? Types of Static Code Analysis Benefits of Static Code Analysis Drawbacks of Static Code Analysis Coding Standardization Integration Tips Comparing Tools and Examples

3 What Static Code Analysis Does Definition: a method of detecting errors and defects located in the source code of a program without execution. Tools are used to analyze code and locate issues Can be used to make code conform to company style such as indents, spaces, tabs, and standards Produce metrics indicative of code quality (KLoC, file counts, “churn”)

4 What Static Code Analysis Does Tools are automated and analyze 100% of source code without compilation, test cases, or execution Detect errors in boundary conditions, security, logic, and others Advanced tools can be used to mathematically prove the absence of certain run-time errors Static analysis tools can be used to automate much of the code review process Provide a documented list of discovered issues (e.g. description/file/line number) after analysis

5 Why Should You Use it? It will increase the likelihood of detecting safety and quality problems earlier Static code analyzers detect errors early in the coding stage, where they are more cost effective to fix Useful during maintenance of legacy code, such as locating unchecked NULL pointers Image retrieved from:

6 Why Should You Use it? Can be more efficient than code reviews or pair programming and consume far less time and resources Help catch subtle issues such as overflows that may be missed by compilers or programmers, which could result in fatal errors Points out unclear code that may be confusing to programmers Can verify all possible execution paths that other methods fail to cover

7 Why Should You Use it? Static analysis can be applied directly to incomplete or incorrect code, without the need for compilation Likewise, it can be implemented long before the development of test cases As a result of early detection, static analysis can lead to reductions in time and costs and increases in revenue

8 How is it Used? Education Porting Locating Suspicious Code Code Refactoring Detecting Coding Errors

9 Education It can help new employees adjust to company standards and style Check work done by a novice programmer in an organization Assist professors when grading multiple students’ work and point out areas that need improving

10 Porting Porting software is a major job, especially when it’s not originally planned Hard to know what issues you will encounter when changing platforms Static code analyzers can locate dangerous code fragments, telling you what to modify

11 Locating Suspicious Code Aids in locating backdoors in outsourced or third party code Locating these issues can prevent security breaches Can also help when using open-source libraries by determining which has the fewest bugs and safest to use

12 Code Refactoring Helps with code refactoring by pointing out areas that should be rewritten Locates large functions, overuse of global data, and complicated class hierarchies Addressing these issues early prevents them from causing structural issues later

13 Detecting Coding Errors Can be run after code compilation which alerts programmers of possible issues Formal methods can be used to prove the absence of certain runtime errors (e.g. memory leaks) Develop cleaner more stable builds yielding a quality product

14 Types of Static Analysis Code Reviews  Locating Vulnerabilities  Downsides Automated Tools  Common Tools  Formal Methods Tools

15 Code Review Definition: reviewing source code in teams to reveal defects in other teammates’ code People are assigned to the positions of moderator, designer, coder and tester Easier to locate errors in others’ code Offers teams a better understanding of code after a review Detects similar issues as static analysis tools, such as meeting coding standards

16 Locating Vulnerabilities Detects backdoors, locates malicious functions and ensures removal of testing functions Locates malicious logging of personal data by examining logging functions Ensures proper methods of cryptography, unlike DES, MD5, or SHA1 Can trace data from source to destination, locating where a vulnerability is likely to occur

17 Downsides Teams must be gathered at regular times to perform the review A checklist must be created prior to the review Must allow for scheduled breaks to ensure reviewers don’t grow tired and lose focus A re-review will most likely be required after issues have been corrected Reviews rely solely on the expertise of the reviewers

18 Automated Tools The majority of static code analysis falls under this category Tools have varying degrees of detection abilities Common tools allow for probable error detection, as well as meeting style and standards Advanced tools can be used to prove the absence of run-time errors

19 Common Tools Automate much of the code review process These tools locate potential and actual errors, but do not guarantee the absence of issues Use methods of heuristics and statistics to locate errors Although they find errors, they may introduce false- positives and false-negatives False-positive: reliable code identified as erroneous

20 Common Tools False-negative: erroneous code is missed Decrease the probability of false-negatives and increase the probability of false-positives

21 Formal Methods Tools Usually used in critical systems and medical software development where safety is vital Use mathematical concepts to find and prove the absence of run-time errors Tools use what is called abstract interpretation These rules can be used to prove absence of uninitialized variables, overflows/underflows, divide-by-zero and out-of-bounds pointers

22 Formal Methods Tools Locate possible run-time errors and attempt to prove they will fail Code is classified as proven, failed, unreachable, or unproven for each operation Example from Polyspace analysis on next slide

23 Formal Methods Tools Image retrieved from: code-analysis?page=2

24 Formal Methods Tools Reduces possibility of false-negatives Simplifies debugging process by locating source of run-time errors Can be vital for improving the quality of embedded, high-integrity, or critical systems software Save time and money by eliminating defects when they are most cost effective

25 Benefits of Static Code Analysis Main benefit: reduces cost of fixing defects by detecting them early in the life cycle Early bug detection cuts time spent in development and maintenance Allows for the product to come to the market sooner and stay longer Easily detects effects of the “copy and paste method” saving time from trying to manually locate all copies

26 Benefits of Static Code Analysis Tools offer full code coverage testing Discovers defects in rarely used code other methods miss Tools are not dependent on compiler or project environment Locates defects in exception handling and logging

27 Drawbacks of Static Code Analysis Added probability of false negatives and positives False-negatives create a false sense of security and allow bugs into the release False-positives can delay the release and create unneeded work Common static analysis tools cannot detect conditional errors

28 Drawbacks of Static Code Analysis Integration of tools into development cycle Tools change the way people work Must become part of the organization’s culture Require investments in education and time to learn/use the tools Very hard to integrate on legacy code Time and budget restrictions

29 Coding Standardization CERT: Computer Emergency Readiness Team  Researched internet weaknesses, frequent programming errors  Created coding standards to combat these  Accumulated findings into CERT C/C++ Secure Code Standard MIRSA: Motor Industry Software Reliability Association  Developed guidelines for critical systems  Dealt with automotive industry, including aerospace  Guidelines cover C and C++ Many tools have upgraded to meet both of these

30 Integration Tips Analysis of legacy code can reveal thousands of issues Have a plan to deal with uncovered issues May choose to hide issues form developers until they can be reviewed and remedied Focus on preventing new issues Do frequent build analyses to ensure issues are being handled by developers

31 Integration Tips Create subject matter experts (SMEs)  Learn and service tools  Educate developers  Identifying false-positives  Assigned to each product  Should be experts on their tool  Integrate tools into daily work of developers

32 Comparing Tools Don’t base decision on number of rules, all may not pertain to your system Don’t decide based on number of system specific rules Compare number of errors detected on a set of projects Features: quality and security checking, standards, cost, licenses, integration process, etc Single or multiple language tool

33 Comparing Tools Usability of tool E.g. Visual Studio vs. PVS-Studio  Duplicate warnings filters  Saving results  Hide and reveal errors  Filtering on keywords  Both have equal detection of errors

34 IntelliJ IDEA IDE Features  Finds probable bugs  Locates dead code Tool Examples Images retrieved from:

35 Tool Examples  Detects performance issues  Improves code structure and maintainability  Conforms code to guidelines and standards  Conforms to specifications (EJB, JSP, JSF, etc.) Images retrieved from:

36 Run Example Visual Studio Static Code Analysis  Right-Click on the project in Solution Explorer  Properties  Code Analysis  Select Microsoft All Rules rule set in the dropdown box  File  Save

37 Run Example

38  To run analysis: Right-click on the project in the Solution Explorer  Run Code Analysis, or, Analyze Menu  Run Code Analysis for (project)  Violations will be shown as Warnings in the Error List window

39 Run Example Configuration  Right-click on the project in Solution Explorer  Properties  Code Analysis  Configuration lists potential configurations including: Debug, Release and All Configurations  Platform lists different platforms which the code can be compiled on, such as x86 and x64  Each combination can have its own code analysis configuration.  Enable Code Analysis on Build checkbox: analysis will occur whenever the code is compiled.  Suppress results from generated code checkbox

40 Run Example  Rule Sets dropdown menu Rule Sets  After choosing a rule set, Open gives a detailed description of the rules in the set  Groups or individual rules can be check/unchecked  Change Action: Error, Warning, None  Create custom rule sets: File  Save As. Will be added to menu

41 Conclusion Static analysis can be a valuable tool in error detection in the process of software development Have various uses within organizations Numerous types, advantages, and features Great for enforcing code standards Although integration may be challenging, they provide substantial cost and time savings Comes down to which tool is the best fit for you

42 References [1] Abraham, J. (2012, June 6). Using formal methods for sophisticated static code analysis. Retrieved June 25, 2012, from EE Times: embedded/ /Using-formal-methods-for-sophisticated-static-code-analysis [2] Carmack, J. (2011, December 27). In-Depth: Static Code Analysis. Retrieved June 25, 2012, from Gamasutra: _Static_Code_ Analysis.php [3] Gousset, M. (2010, April 27). Static Code Analysis Configuration. Retrieved June 27, 2012, from Visual Studio Magazine: 2010/04/27/static-code-analysis-configuration.aspx [4] Gousset, M. (2010, March 25). Static Code Analysis in VS2010. Retrieved June 25, 2012, from Visual Studio Magazine: 2010/03/25/working-with-static-code-analysis.aspx [5] JetBrains, Inc. (n.d.). Static Code Analysis. Retrieved June 25, 2012, from JetBrains: [6] Jones, P., Jetley, R., & Abraham, J. (2010, February 9). A Formal Methods-based verification approach to medical device software analysis. Retrieved June 27, 2012, from EE Times: based-verification-approach-to-medical-device-software-analysis [7] Karpov, A. (2010, December 27). Cases When a Static Code Analyzer may Help You. Retrieved June 25, 2012, from The Code Project: Articles/ /Cases-When-a-Static-Code-Analyzer-may-Help-You

43 References [8] Karpov, A. (2012, March 12). Static code analysis. Retrieved June 25, 2012, from [9] Karpov, A., & Ryzhkov, E. (2011, March 31). Difficulties of comparing code analyzers, or don't forget about usability. Retrieved June 28, 20120, from viva65: en/a/0071/ [10] Pitchford, M. (2011, March 1). Think static analysis cures all ills? Think again. Retrieved June 25, 2012, from EE Times: embedded/ /Think-static-analysis-cures-all-ills--Think-again- [11] Shetti, V. (2010, August). Why Static Analysis? Retrieved June 25, 2012, from Palizine: [12] Sidner, S. (2010, April 24). When Quality, Security Count. Retrieved June 25, 2012, from Dr. Dobb's: tools/ [13] Vink, G. (2010). Static Code Analysis (SCA) Standardization Efforts & Integration in the Software Development Flow. Retrieved June 25, 2012, from Tasking: [14] Yocum, C. (2011, May 14). An introduction to static code analysis: What, why and how. Retrieved June 25, 2012, from The Register: static_code_analysis_101/

Download ppt "BY: TIM BIGGIN Static Code Analysis. Overview What Static Code Analysis Does Why Should You Use It? How is it Used? Types of Static Code Analysis Benefits."

Similar presentations

Ads by Google