Post on 15-Dec-2015
BY: TIM BIGGIN
Static Code Analysis
Overview
What Static Code Analysis Does
Why Should You Use It?
How is it Used?
Types of Static Code Analysis
Benefits of Static Code Analysis
Drawbacks of Static Code Analysis
Coding Standardization
Integration Tips
Comparing Tools and Examples
What Static Code Analysis Does
Definition: a method of detecting errors and defects located in the source code of a program without execution.
Tools are used to analyze code and locate issues
Can be used to make code conform to company style such as indents, spaces, tabs, and standards
Produce metrics indicative of code quality (KLoC, file counts, “churn”)
What Static Code Analysis Does
Tools are automated and analyze 100% of source code without compilation, test cases, or execution
Detect errors in boundary conditions, security, logic, and others
Advanced tools can be used to mathematically prove the absence of certain run-time errors
Static analysis tools can be used to automate much of the code review process
Provide a documented list of discovered issues (e.g. description/file/line number) after analysis
Why Should You Use it?
It will increase the likelihood of detecting safety and quality problems earlier
Static code analyzers detect errors early in the coding stage, where they are more cost effective to fix
Useful during maintenance of legacy code, such as locating unchecked NULL pointers
Image retrieved from: http://www.cplusplus.com/articles/9E18T05o/
Why Should You Use it?
Can be more efficient than code reviews or pair programming and consume far less time and resources
Help catch subtle issues such as overflows that may be missed by compilers or programmers, which could result in fatal errors
Points out unclear code that may be confusing to programmers
Can verify all possible execution paths that other methods fail to cover
Why Should You Use it?
Static analysis can be applied directly to incomplete or incorrect code, without the need for compilation
Likewise, it can be implemented long before the development of test cases
As a result of early detection, static analysis can lead to reductions in time and costs and increases in revenue
How is it Used?
Education
Porting
Locating Suspicious Code
Code Refactoring
Detecting Coding Errors
Education
It can help new employees adjust to company standards and style
Check work done by a novice programmer in an organization
Assist professors when grading multiple students’ work and point out areas that need improving
Porting
Porting software is a major job, especially when it’s not originally planned
Hard to know what issues you will encounter when changing platforms
Static code analyzers can locate dangerous code fragments, telling you what to modify
Locating Suspicious Code
Aids in locating backdoors in outsourced or third party code
Locating these issues can prevent security breaches
Can also help when using open-source libraries by determining which has the fewest bugs and safest to use
Code Refactoring
Helps with code refactoring by pointing out areas that should be rewritten
Locates large functions, overuse of global data, and complicated class hierarchies
Addressing these issues early prevents them from causing structural issues later
Detecting Coding Errors
Can be run after code compilation, alerting programmers to possible issues
Formal methods can be used to prove the absence of certain runtime errors (e.g. memory leaks)
Yields cleaner, more stable builds and a higher-quality product
Types of Static Analysis
Code Reviews
Locating Vulnerabilities
Downsides
Automated Tools
Common Tools
Formal Methods Tools
Code Review
Definition: reviewing source code in teams to reveal defects in other teammates’ code
People are assigned to the positions of moderator, designer, coder and tester
Easier to locate errors in others’ code
Offers teams a better understanding of the code after a review
Detects similar issues as static analysis tools, such as meeting coding standards
Locating Vulnerabilities
Detects backdoors, locates malicious functions and ensures removal of testing functions
Locates malicious logging of personal data by examining logging functions
Checks that cryptography is used properly, flagging weak algorithms such as DES, MD5, or SHA1
Can trace data from source to destination, locating where a vulnerability is likely to occur
Downsides
Teams must be gathered at regular times to perform the review
A checklist must be created prior to the review
Must allow for scheduled breaks to ensure reviewers don’t grow tired and lose focus
A re-review will most likely be required after issues have been corrected
Reviews rely solely on the expertise of the reviewers
Automated Tools
The majority of static code analysis falls under this category
Tools have varying degrees of detection abilities
Common tools allow for probable error detection, as well as meeting style and standards
Advanced tools can be used to prove the absence of run-time errors
Common Tools
Automate much of the code review process
These tools locate potential and actual errors, but do not guarantee the absence of issues
Use heuristic and statistical methods to locate errors
Although they find errors, they may introduce false-positives and false-negatives
False-positive: reliable code identified as erroneous
Common Tools
False-negative: erroneous code is missed
Tools decrease the probability of false-negatives and increase the probability of false-positives
Formal Methods Tools
Usually used in critical systems and medical software development where safety is vital
Use mathematical concepts to find and prove the absence of run-time errors
Tools use what is called abstract interpretation
This technique can be used to prove the absence of uninitialized variables, overflows/underflows, divide-by-zero and out-of-bounds pointers
Formal Methods Tools
Locate possible run-time errors and attempt to prove whether each one will fail
Code is classified as proven, failed, unreachable, or unproven for each operation
Example from Polyspace analysis on next slide
Formal Methods Tools
Image retrieved from: http://www.embedded.com/design/other/4374801/Using-formal-methods-for-sophisticated-static-code-analysis?page=2
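An added, deliberately small illustration (not Polyspace's or the article's code) of the abstract interpretation the Formal Methods slides describe: an interval domain over a straight-line program classifies each division as proven, failed or unproven from the divisor's possible values, without executing the program. The unreachable class and control flow (branches, loops) are not modelled; the sample program and the `sensor_reading` name are constructed.

```python
import ast
import math
TOP = (-math.inf, math.inf)   # unknown value: the interval of every possible number

def interval_binop(op, left, right):
    """Interval arithmetic for + and -; other operators widen to TOP."""
    (lo1, hi1), (lo2, hi2) = left, right
    if isinstance(op, ast.Add):
        return (lo1 + lo2, hi1 + hi2)
    if isinstance(op, ast.Sub):
        return (lo1 - hi2, hi1 - lo2)
    return TOP

def classify_division(divisor):
    """Verdict for one division from the divisor's interval (Polyspace-style classes)."""
    lo, hi = divisor
    if lo == 0 and hi == 0:
        return "failed"      # every execution divides by zero
    if lo > 0 or hi < 0:
        return "proven"      # zero is impossible: the error is provably absent
    return "unproven"        # zero is possible but not certain

def analyze(source):
    env = {}          # variable -> interval: the abstract state
    verdicts = []     # (line, verdict) for each division operation
    def abstract_eval(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return (node.value, node.value)
        if isinstance(node, ast.Name):
            return env.get(node.id, TOP)   # unassigned names (inputs) are unknown
        if isinstance(node, ast.BinOp):
            left, right = abstract_eval(node.left), abstract_eval(node.right)
            if isinstance(node.op, ast.Div):
                verdicts.append((node.lineno, classify_division(right)))
                return TOP
            return interval_binop(node.op, left, right)
        return TOP
    for stmt in ast.parse(source).body:   # straight-line code only: no branches or loops
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            env[stmt.targets[0].id] = abstract_eval(stmt.value)
    return verdicts

# Constructed sample program; it is parsed, never executed.
SAMPLE = """x = 4
y = x - 4
a = 10 / x
b = 10 / y
z = sensor_reading
c = 10 / (z + 1)
"""
```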
Formal Methods Tools
Reduces possibility of false-negatives
Simplifies the debugging process by locating the source of run-time errors
Can be vital for improving the quality of embedded, high-integrity, or critical systems software
Save time and money by eliminating defects when they are most cost effective
Benefits of Static Code Analysis
Main benefit: reduces cost of fixing defects by detecting them early in the life cycle
Early bug detection cuts time spent in development and maintenance
Allows for the product to come to the market sooner and stay longer
Easily detects effects of the “copy and paste method” saving time from trying to manually locate all copies
Benefits of Static Code Analysis
Tools offer full code coverage testing
Discovers defects in rarely used code that other methods miss
Tools are not dependent on compiler or project environment
Locates defects in exception handling and logging
Drawbacks of Static Code Analysis
Added probability of false negatives and positives
False-negatives create a false sense of security and allow bugs into the release
False-positives can delay the release and create unneeded work
Common static analysis tools cannot detect conditional errors
Drawbacks of Static Code Analysis
Integration of tools into the development cycle
Tools change the way people work
Must become part of the organization’s culture
Require investments in education and time to learn/use the tools
Very hard to integrate on legacy code
Time and budget restrictions
Coding Standardization
CERT: Computer Emergency Readiness Team
Researched internet weaknesses and frequent programming errors
Created coding standards to combat these
Accumulated findings into the CERT C/C++ Secure Coding Standard
MISRA: Motor Industry Software Reliability Association
Developed guidelines for critical systems
Originated in the automotive industry; also used in aerospace
Guidelines cover C and C++
Many tools have been upgraded to check against both of these standards
Integration Tips
Analysis of legacy code can reveal thousands of issues
Have a plan to deal with uncovered issues
May choose to hide issues from developers until they can be reviewed and remedied
Focus on preventing new issues
Do frequent build analyses to ensure issues are being handled by developers
Integration Tips
Create subject matter experts (SMEs)
Learn and service tools
Educate developers
Identify false-positives
Assigned to each product
Should be experts on their tool
Integrate tools into the daily work of developers
Comparing Tools
Don’t base decision on number of rules, all may not pertain to your system
Don’t decide based on number of system specific rules
Compare number of errors detected on a set of projects
Features: quality and security checking, standards, cost, licenses, integration process, etc
Single or multiple language tool
Comparing Tools
Usability of tool
E.g. Visual Studio vs. PVS-Studio
Duplicate warnings filters
Saving results
Hide and reveal errors
Filtering on keywords
Both have equal detection of errors
Tool Examples
IntelliJ IDEA IDE features
Finds probable bugs
Locates dead code
Images retrieved from: http://www.jetbrains.com/idea/documentation/static_code_analysis.html
Tool Examples
Detects performance issues
Improves code structure and maintainability
Conforms code to guidelines and standards
Conforms to specifications (EJB, JSP, JSF, etc.)
Images retrieved from: http://www.jetbrains.com/idea/documentation/static_code_analysis.html
Run Example
Visual Studio Static Code Analysis
Right-click on the project in Solution Explorer > Properties > Code Analysis
Select the Microsoft All Rules rule set in the dropdown box
File > Save
Run Example
To run analysis: right-click on the project in the Solution Explorer > Run Code Analysis, or use the Analyze menu > Run Code Analysis for (project)
Violations will be shown as Warnings in the Error List window
Run Example
Configuration
Right-click on the project in Solution Explorer > Properties > Code Analysis
Configuration lists potential configurations, including Debug, Release and All Configurations
Platform lists the different platforms the code can be compiled for, such as x86 and x64
Each combination can have its own code analysis configuration
Enable Code Analysis on Build checkbox: analysis will occur whenever the code is compiled
Suppress results from generated code checkbox
Run Example
Rule Sets dropdown menu
After choosing a rule set, Open gives a detailed description of the rules in the set
Groups or individual rules can be checked/unchecked
Change Action: Error, Warning, None
Create custom rule sets: File > Save As. The new set will be added to the menu
Conclusion
Static analysis can be a valuable tool in error detection in the process of software development
Has various uses within organizations
Numerous types, advantages, and features
Great for enforcing code standards
Although integration may be challenging, the tools provide substantial cost and time savings
Comes down to which tool is the best fit for you
References
[1] Abraham, J. (2012, June 6). Using formal methods for sophisticated static code analysis. Retrieved June 25, 2012, from EE Times: http://eetimes.com/design/embedded/4374801/Using-formal-methods-for-sophisticated-static-code-analysis
[2] Carmack, J. (2011, December 27). In-Depth: Static Code Analysis. Retrieved June 25, 2012, from Gamasutra: http://www.gamasutra.com/view/news/39328/InDepth_Static_Code_Analysis.php
[3] Gousset, M. (2010, April 27). Static Code Analysis Configuration. Retrieved June 27, 2012, from Visual Studio Magazine: http://visualstudiomagazine.com/articles/2010/04/27/static-code-analysis-configuration.aspx
[4] Gousset, M. (2010, March 25). Static Code Analysis in VS2010. Retrieved June 25, 2012, from Visual Studio Magazine: http://visualstudiomagazine.com/articles/2010/03/25/working-with-static-code-analysis.aspx
[5] JetBrains, Inc. (n.d.). Static Code Analysis. Retrieved June 25, 2012, from JetBrains: http://www.jetbrains.com/idea/documentation/static_code_analysis.html
[6] Jones, P., Jetley, R., & Abraham, J. (2010, February 9). A Formal Methods-based verification approach to medical device software analysis. Retrieved June 27, 2012, from EE Times: http://eetimes.com/design/embedded/4008888/A-Formal-Methods-based-verification-approach-to-medical-device-software-analysis
[7] Karpov, A. (2010, December 27). Cases When a Static Code Analyzer may Help You. Retrieved June 25, 2012, from The Code Project: http://www.codeproject.com/Articles/140078/Cases-When-a-Static-Code-Analyzer-may-Help-You
[8] Karpov, A. (2012, March 12). Static code analysis. Retrieved June 25, 2012, from CPlusPlus.com: http://www.cplusplus.com/articles/9E18T05o/
[9] Karpov, A., & Ryzhkov, E. (2011, March 31). Difficulties of comparing code analyzers, or don't forget about usability. Retrieved June 28, 2012, from viva64: http://www.viva64.com/en/a/0071/
[10] Pitchford, M. (2011, March 1). Think static analysis cures all ills? Think again. Retrieved June 25, 2012, from EE Times: http://www.eetimes.com/design/embedded/4213633/Think-static-analysis-cures-all-ills--Think-again-
[11] Shetti, V. (2010, August). Why Static Analysis? Retrieved June 25, 2012, from Palizine: http://palizine.plynt.com/issues/2010Aug/why-static-analysis/
[12] Sidner, S. (2010, April 24). When Quality, Security Count. Retrieved June 25, 2012, from Dr. Dobb's: http://www.drdobbs.com/tools/224600102
[13] Vink, G. (2010). Static Code Analysis (SCA) Standardization Efforts & Integration in the Software Development Flow. Retrieved June 25, 2012, from Tasking: http://www.tasking.com/resources/Static-Code-Analysis-WhitePaper.pdf
[14] Yocum, C. (2011, May 14). An introduction to static code analysis: What, why and how. Retrieved June 25, 2012, from The Register: http://www.theregister.co.uk/2011/05/14/static_code_analysis_101/